Diffstat (limited to 'raddb/mods-config/attr_filter')
-rw-r--r--raddb/mods-config/attr_filter/access_challenge19
-rw-r--r--raddb/mods-config/attr_filter/access_reject18
-rw-r--r--raddb/mods-config/attr_filter/accounting_response16
-rw-r--r--raddb/mods-config/attr_filter/coa22
-rw-r--r--raddb/mods-config/attr_filter/post-proxy121
-rw-r--r--raddb/mods-config/attr_filter/pre-proxy67
6 files changed, 263 insertions, 0 deletions
diff --git a/raddb/mods-config/attr_filter/access_challenge b/raddb/mods-config/attr_filter/access_challenge
new file mode 100644
index 0000000..12ed619
--- /dev/null
+++ b/raddb/mods-config/attr_filter/access_challenge
@@ -0,0 +1,19 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This configuration file is used to remove almost all of the
+# attributes From an Access-Challenge message. The RFCs say
+# that an Access-Challenge packet can contain only a few
+# attributes. We enforce that here.
+#
+DEFAULT
+ EAP-Message =* ANY,
+ State =* ANY,
+ Message-Authenticator =* ANY,
+ Reply-Message =* ANY,
+ Proxy-State =* ANY,
+ Session-Timeout =* ANY,
+ Idle-Timeout =* ANY
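Review bot: The header comment claims this list enforces what the RFCs allow in an Access-Challenge, but the list is stricter than RFC 2865's attribute table, which also permits Vendor-Specific (0+) in Access-Challenge; dropping VSAs deliberately is a reasonable hardening, but the comment should say so, so that an operator whose NAS needs a vendor attribute in challenges knows this is the file to extend. A second caveat worth stating: RFC 3579 requires Message-Authenticator to accompany EAP-Message, and a filter can only keep that attribute, never add it, so passing this filter does not by itself make the challenge compliant. I'd add after the `# attributes. We enforce that here.` line: `# NOTE: Vendor-Specific is intentionally dropped. This filter only removes attributes; it cannot add the Message-Authenticator that must accompany EAP-Message.`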
diff --git a/raddb/mods-config/attr_filter/access_reject b/raddb/mods-config/attr_filter/access_reject
new file mode 100644
index 0000000..47f167b
--- /dev/null
+++ b/raddb/mods-config/attr_filter/access_reject
@@ -0,0 +1,18 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This configuration file is used to remove almost all of the attributes
+# From an Access-Reject message. The RFCs say that an Access-Reject
+# packet can contain only a few attributes. We enforce that here.
+#
+DEFAULT
+ EAP-Message =* ANY,
+ State =* ANY,
+ Message-Authenticator =* ANY,
+ Error-Cause =* ANY,
+ Reply-Message =* ANY,
+ MS-CHAP-Error =* ANY,
+ Proxy-State =* ANY
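Review bot: The DEFAULT entry keeps Reply-Message and MS-CHAP-Error, which clients need for a useful error, but it also means whatever reason text local policy or an upstream server attached to the reject reaches the client unchanged. Deployments that want uniform rejects (so that an unknown user is not distinguishable from a wrong password) need to remove those two lines, and nothing in the header tells them that. I'd add after the `# packet can contain only a few attributes. We enforce that here.` line: `# Reply-Message and MS-CHAP-Error disclose the reject reason to the client; remove them if rejects must look uniform.`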
diff --git a/raddb/mods-config/attr_filter/accounting_response b/raddb/mods-config/attr_filter/accounting_response
new file mode 100644
index 0000000..01e9c6f
--- /dev/null
+++ b/raddb/mods-config/attr_filter/accounting_response
@@ -0,0 +1,16 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This configuration file is used to remove almost all of the attributes
+# From an Accounting-Response message. The RFC's say that an
+# Accounting-Response packet can contain only a few attributes.
+# We enforce that here.
+#
+DEFAULT
+ Vendor-Specific =* ANY,
+ Message-Authenticator =* ANY,
+ Error-Cause =* ANY,
+ Proxy-State =* ANY
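Review bot: `Vendor-Specific =* ANY` is the only rule in these six files that names the generic attribute 26 instead of a specific vendor attribute, and it is not clear from the file what it matches: if this server version decodes VSAs into their own named attributes, a rule on the container may match nothing, and if it does match the container it passes every VSA from every vendor through an Accounting-Response. Either way the intent needs to be stated and verified; I'd add above that line `# Vendor-Specific: confirm this matches decoded VSAs in your version, and narrow it to the vendor attributes you actually need.` Minor: `RFC's` in the header should read `RFCs`.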
diff --git a/raddb/mods-config/attr_filter/coa b/raddb/mods-config/attr_filter/coa
new file mode 100644
index 0000000..89cea2e
--- /dev/null
+++ b/raddb/mods-config/attr_filter/coa
@@ -0,0 +1,22 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This configuration file is used to remove attributes From an
+# CoA-Request or Disconnect-Request message. We have specified
+# a sample list here. This will have to be modified to add
+# attributes needed by your local configuration.
+#
+DEFAULT
+ User-Name =* ANY,
+ NAS-IP-Address =* ANY,
+ NAS-IPv6-Address =* ANY,
+ NAS-Port =* ANY,
+ NAS-Identifier =* ANY,
+ NAS-Port-Type =* ANY,
+ Calling-Station-Id =* ANY,
+ State =* ANY,
+ Message-Authenticator =* ANY,
+ Proxy-State =* ANY
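Review bot: The DEFAULT rules for CoA-Request/Disconnect-Request drop Acct-Session-Id, which RFC 5176 §3 lists among the session identification attributes; with only User-Name, NAS-* and Calling-Station-Id surviving, a request meant for one session can match every active session of that user on the NAS (or be NAKed by a NAS that requires Acct-Session-Id), so a disconnect can hit the wrong sessions. Event-Timestamp, which RFC 5176 §6.3 uses for replay protection, is dropped as well, so a NAS configured to require it will refuse every request that passes through this filter. Since the header already calls this a sample, the sample should at least carry the identifiers that make a request unambiguous: add `Acct-Session-Id =* ANY,` and `Event-Timestamp =* ANY,` to the list, and note in the comment that any authorization attribute the CoA is meant to change (Session-Timeout, Filter-Id, ...) also has to be listed here or it will be stripped.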
diff --git a/raddb/mods-config/attr_filter/post-proxy b/raddb/mods-config/attr_filter/post-proxy
new file mode 100644
index 0000000..169fe5c
--- /dev/null
+++ b/raddb/mods-config/attr_filter/post-proxy
@@ -0,0 +1,121 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This file contains security and configuration information
+# for each realm. The first field is the realm name and
+# can be up to 253 characters in length. This is followed (on
+# the next line) with the list of filter rules to be used to
+# decide what attributes and/or values we allow proxy servers
+# to pass to the NAS for this realm.
+#
+# When a proxy-reply packet is received from a home server,
+# these attributes and values are tested. Only the first match
+# is used unless the "Fall-Through" variable is set to "Yes".
+# In that case the rules defined in the DEFAULT case are
+# processed as well.
+#
+# A special realm named "DEFAULT" matches on all realm names.
+# You can have only one DEFAULT entry. All entries are processed
+# in the order they appear in this file. The first entry that
+# matches the login-request will stop processing unless you use
+# the Fall-Through variable.
+#
+# Indented (with the tab character) lines following the first
+# line indicate the filter rules.
+#
+# You can include another `attrs' file with `$INCLUDE attrs.other'
+#
+
+#
+# This is a complete entry for realm "fisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
+#
+# These rules allow:
+# o Only Framed-User Service-Types ( no telnet, rlogin, tcp-clear )
+# o PPP sessions ( no SLIP, CSLIP, etc. )
+# o dynamic ip assignment ( can't assign a static ip )
+# o an idle timeout value set to 600 seconds (10 min) or less
+# o a max session time set to 28800 seconds (8 hours) or less
+#
+#fisp
+# Service-Type == Framed-User,
+# Framed-Protocol == PPP,
+# Framed-IP-Address == 255.255.255.254,
+# Idle-Timeout <= 600,
+# Session-Timeout <= 28800
+
+#
+# This is a complete entry for realm "tisp". Note that there is no
+# Fall-Through entry so that no DEFAULT entry will be used, and the
+# server will NOT allow any other a/v pairs other than the ones
+# listed here.
+#
+# These rules allow:
+# o Only Login-User Service-Type ( no framed/ppp sessions )
+# o Telnet sessions only ( no rlogin, tcp-clear )
+# o Login host of 192.0.2.1
+#
+#tisp
+# Service-Type == Login-User,
+# Login-Service == Telnet,
+# Login-TCP-Port == 23,
+# Login-IP-Host == 192.0.2.1
+
+#
+# The following example can be used for a home server which is only
+# allowed to supply a Reply-Message, a Session-Timeout attribute of
+# maximum 86400, a Idle-Timeout attribute of maximum 600 and a
+# Acct-Interim-Interval attribute between 300 and 3600.
+# All other attributes sent back will be filtered out.
+#
+#strictrealm
+# Reply-Message =* ANY,
+# Session-Timeout <= 86400,
+# Idle-Timeout <= 600,
+# Acct-Interim-Interval >= 300,
+# Acct-Interim-Interval <= 3600
+
+#
+# This is a complete entry for realm "spamrealm". Fall-Through is used,
+# so that the DEFAULT filter rules are used in addition to these.
+#
+# These rules allow:
+# o Force the application of Filter-ID attribute to be returned
+# in the proxy reply, whether the proxy sent it or not.
+# o The standard DEFAULT rules as defined below
+#
+#spamrealm
+# Framed-Filter-Id := "nosmtp.in",
+# Fall-Through = Yes
+
+#
+# The rest of this file contains the DEFAULT entry.
+# DEFAULT matches with all realm names. (except if the realm previously
+# matched an entry with no Fall-Through)
+#
+
+DEFAULT
+ Framed-IP-Address == 255.255.255.254,
+ Framed-IP-Netmask == 255.255.255.255,
+ Framed-MTU >= 576,
+ Framed-Filter-ID =* ANY,
+ Reply-Message =* ANY,
+ Proxy-State =* ANY,
+ EAP-Message =* ANY,
+ Message-Authenticator =* ANY,
+ MS-MPPE-Recv-Key =* ANY,
+ MS-MPPE-Send-Key =* ANY,
+ MS-CHAP-MPPE-Keys =* ANY,
+ State =* ANY,
+ Session-Timeout <= 28800,
+ Idle-Timeout <= 600,
+ Calling-Station-Id =* ANY,
+ Operator-Name =* ANY,
+ User-Name =* ANY,
+ Chargeable-User-Identity =* ANY,
+ Port-Limit <= 2
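Review bot: `Session-Timeout <= 28800` and `Idle-Timeout <= 600` in the DEFAULT entry are a ceiling only in the sense that an out-of-range value is removed; if I read rlm_attr_filter's semantics correctly, a home server returning Session-Timeout = 86400 leaves the reply with no Session-Timeout at all, so the NAS falls back to its own default, which on many NASes is "unlimited" — the opposite of what the bound intends. That deserves a sentence in the header, and a follow-up that clamps rather than drops (e.g. in post-proxy unlang) if an unlimited session is unacceptable. The header should also say which reply attributes DEFAULT deliberately withholds from a foreign home server: everything not listed is dropped, notably Tunnel-* (VLAN assignment), Class, and any Framed-IP-Address other than the 255.255.255.254 "NAS assigns" sentinel — the usual cause of a roaming partner's VLAN assignment "not working". Finally, the DEFAULT entry spells `Framed-Filter-ID` while the spamrealm example uses `Framed-Filter-Id`; names are case-insensitive as far as I know, but the RFC 2865 name is Filter-Id, so confirm the name resolves in the dictionary in use.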
diff --git a/raddb/mods-config/attr_filter/pre-proxy b/raddb/mods-config/attr_filter/pre-proxy
new file mode 100644
index 0000000..36d84e8
--- /dev/null
+++ b/raddb/mods-config/attr_filter/pre-proxy
@@ -0,0 +1,67 @@
+#
+# Configuration file for the rlm_attr_filter module.
+# Please see rlm_attr_filter(5) manpage for more information.
+#
+# $Id$
+#
+# This file contains security and configuration information
+# for each realm. It can be used be an rlm_attr_filter module
+# instance to filter attributes before sending packets to the
+# home server of a realm.
+#
+# When a packet is sent to a home server, these attributes
+# and values are tested. Only the first match is used unless
+# the "Fall-Through" variable is set to "Yes". In that case
+# the rules defined in the DEFAULT case are processed as well.
+#
+# A special realm named "DEFAULT" matches on all realm names.
+# You can have only one DEFAULT entry. All entries are processed
+# in the order they appear in this file. The first entry that
+# matches the login-request will stop processing unless you use
+# the Fall-Through variable.
+#
+# The first line indicates the realm to which the rules apply.
+# Indented (with the tab character) lines following the first
+# line indicate the filter rules.
+#
+
+# This is a complete entry for 'nochap' realm. It allows to send very
+# basic attributes to the home server. Note that there is no Fall-Through
+# entry so that no DEFAULT entry will be used. Only the listed attributes
+# will be sent in the packet, all other attributes will be filtered out.
+#
+#nochap
+# User-Name =* ANY,
+# User-Password =* ANY,
+# NAS-IP-Address =* ANY,
+# NAS-Identifier =* ANY
+
+# The entry for the 'brokenas' realm removes the attribute NAS-Port-Type
+# if its value is different from 'Ethernet'. Then the default rules are
+# applied.
+#
+#brokenas
+# NAS-Port-Type == Ethernet
+# Fall-Through = Yes
+
+# The rest of this file contains the DEFAULT entry.
+# DEFAULT matches with all realm names.
+
+DEFAULT
+ User-Name =* ANY,
+ User-Password =* ANY,
+ CHAP-Password =* ANY,
+ CHAP-Challenge =* ANY,
+ MS-CHAP-Challenge =* ANY,
+ MS-CHAP-Response =* ANY,
+ EAP-Message =* ANY,
+ Message-Authenticator =* ANY,
+ State =* ANY,
+ NAS-IP-Address =* ANY,
+ NAS-Identifier =* ANY,
+ Operator-Name =* ANY,
+ Calling-Station-Id =* ANY,
+ Called-Station-Id =* ANY,
+ Operator-Name =* ANY,
+ Chargeable-User-Identity =* ANY,
+ Proxy-State =* ANY
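Review bot: `Operator-Name =* ANY` appears twice in the DEFAULT entry (once after NAS-Identifier, again after Called-Station-Id); the duplicate is harmless but looks like a merge artefact, so one of the two lines should be removed. Beyond that, DEFAULT forwards no NAS-Port, NAS-Port-Type or Framed-* attributes to the home server, while the `brokenas` example above assumes NAS-Port-Type reaches the home server when it equals Ethernet — whether it survives the combination of the realm rules, Fall-Through and DEFAULT depends on how rlm_attr_filter merges rule sets, and the example's comment should state the expected result so operators do not have to guess. I'd add to the DEFAULT entry: `# Attributes not listed here (NAS-Port, NAS-Port-Type, Framed-*) are NOT sent to the home server; add them if its policy depends on them.`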