Re: Cisco access control
rhicks@MO.NET wrote:
> At 12:02 AM 4/16/96 -0700, Josh McIver wrote:
> > I believe that it would look like this.
> >
> >access-list 101 permit tcp any host 255.255.255.255 eq 25
> >access-list 101 permit tcp any host 255.255.255.255 eq 80
> >
> > This would permit tcp packets from any host to go to port 25 and
> >port 80 of machine 255.255.255.255.
"255.255.255.255", the broadcast address, may not be the best example
to use for a host IP address :-)
> >Everything else is denied
> >implicitly(sp?). You would then apply it as an inbound filter on your
> >incoming port.
>
> This alone will not do it. After a tcp connection has been established (ACK
> bit set and SYN number given) the hosts communicate on random ports of 1024
> and above. If you do not allow communications for those ports it will fail.
Not really -- reread RFC 793 (TCP), Comer, or Stevens. The port numbers
don't change from the first SYN packet to the last FIN-ACK packet.
There's also been some confusion about the "established" keyword in Cisco
ACLs. You only need an "established" rule in an IN ACL when the inside
machines need to _initiate_ TCP connections through the router (i.e.,
as clients) and these inside clients bind to ephemeral port numbers
(1024-5000) or some other port numbers which are not otherwise permitted
by the router access rules. Thus, in the example above, you'd need an
"established" rule for your mail-host machine if its SMTP daemon had to
send mail to the outside as well as receive it.
--
John Halperin <jxh@SLAC.Stanford.Edu>
SLAC Network Group (Stanford Linear Accelerator Center)
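To make the point concrete, here is an added Python model of first-match ACL evaluation for the rules discussed above (not code from the thread or from Cisco). It assumes the IOS "established" keyword matches any segment with ACK (or RST) set; the mail-host address, outside address and packets are constructed.

```python
from dataclasses import dataclass

# Constructed inside address, used instead of the list's 255.255.255.255 example.
MAIL_HOST = "192.0.2.25"
OUTSIDE = "198.51.100.7"  # constructed outside address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool  # True for every segment after the initial SYN


# (action, dst host or None for any, dst port or None for any, established-only)
RULES_BASIC = [
    ("permit", MAIL_HOST, 25, False),  # access-list 101 permit tcp any host X eq 25
    ("permit", MAIL_HOST, 80, False),  # access-list 101 permit tcp any host X eq 80
]

# Same list plus an "established" rule for the mail host: matches only segments
# that carry ACK/RST, i.e. replies to connections the inside host initiated.
RULES_WITH_ESTABLISHED = RULES_BASIC + [("permit", MAIL_HOST, None, True)]


def evaluate(rules, pkt):
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, host, port, established in rules:
        if host is not None and pkt.dst != host:
            continue
        if port is not None and pkt.dport != port:
            continue
        if established and not pkt.ack:
            continue
        return action
    return "deny"


def inbound_decisions(rules):
    """Decisions for three constructed inbound segments, in order:
    outside SYN to SMTP, later outside data segment to SMTP (same ports,
    so still matches eq 25), and a reply to a connection the mail host
    opened outbound from ephemeral port 1234."""
    outside_syn = Packet(OUTSIDE, MAIL_HOST, 25, ack=False)
    outside_data = Packet(OUTSIDE, MAIL_HOST, 25, ack=True)
    reply_to_inside_client = Packet(OUTSIDE, MAIL_HOST, 1234, ack=True)
    return tuple(evaluate(rules, p) for p in (outside_syn, outside_data, reply_to_inside_client))


def new_connection_to_ephemeral(rules):
    """An outside SYN aimed at an ephemeral port: never matched by 'established'."""
    return evaluate(rules, Packet(OUTSIDE, MAIL_HOST, 1234, ack=False))
```

Without the "established" rule the reply to the mail host's own outbound SMTP connection is dropped by the implicit deny; with it the reply passes while a fresh SYN to the same ephemeral port is still denied.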