[1833] in WWW Security List Archive


Re: Cisco access control

daemon@ATHENA.MIT.EDU (John Halperin)
Wed Apr 17 07:29:45 1996

Date: Wed, 17 Apr 1996 01:27:07 -0700 (PDT)
From: John Halperin <JXH@slac.stanford.edu>
In-reply-to: <199604170252.VAA28046@Walden.MO.NET> (rhicks@MO.NET)
To: rhicks@MO.NET
Cc: jmmc@et.mohave.cc.az.us, www-security@ns2.rutgers.edu
X-Envelope-to: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

rhicks@MO.NET wrote:

> At 12:02 AM 4/16/96 -0700, Josh McIver wrote:
> >  I believe that it would look like this.
> >
> >access-list 101 permit tcp any host 255.255.255.255 eq 25
> >access-list 101 permit tcp any host 255.255.255.255 eq 80
> >
> >  This would permit tcp packets from any host to go to port 25 and 
> >port 80 of machine 255.255.255.255.

"255.255.255.255", the broadcast address, may not be the best example
to use for a host IP address :-)

> >Everything else is denied 
> >implicitly(sp?).  You would then apply it as an inbound filter on your 
> >incoming port.
> 
> This alone will not do it.  After a tcp connection has been established (ACK
> bit set and SYN number given) the hosts communicate on random ports of 1024
> and above.  If you do not allow communications for those ports it will fail.

Not really -- reread RFC 793 (TCP), Comer, or Stevens.  The port numbers
don't change from the first SYN packet to the last FIN-ACK packet.

There's also been some confusion about the "established" keyword in Cisco
ACLs.  You only need an "established" rule in an IN ACL when the inside
machines need to _initiate_ TCP connections through the router (i.e., act
as clients) and these inside clients bind to ephemeral port numbers
(1024-5000) or some other port numbers which are not otherwise permitted
by the router access rules.  Thus, in the example above, you'd need an
"established" rule for your mail-host machine if its SMTP daemon had to
send mail to the outside as well as receive it.

-- 
John Halperin      <jxh@SLAC.Stanford.Edu>
SLAC Network Group (Stanford Linear Accelerator Center)
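
The following is an added illustration, not part of John's message or of any Cisco code: a small Python model of a Cisco IOS extended access list applied inbound on the outside interface, run over two constructed TCP sessions. It checks both points made above: port numbers stay fixed from SYN to FIN-ACK, so Josh's two "eq 25" / "eq 80" permits admit every inbound packet of an inbound-initiated SMTP session, and an "established" rule is only needed for the replies to connections the mail host itself initiates from an ephemeral port. The addresses (mail host 192.0.2.25, outside client 198.51.100.7, outside MX 203.0.113.9) and port numbers are made up for the example.

```python
"""Toy model of a Cisco IOS extended access list applied inbound on the
outside interface.  Added example for this thread, not John's or Cisco's
code.  All addresses and ports below are constructed for illustration
and do not come from the original post."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MAILHOST = "192.0.2.25"        # assumed inside mail/web host
OUTSIDE_CLIENT = "198.51.100.7"  # assumed outside host delivering mail to us
OUTSIDE_MX = "203.0.113.9"     # assumed outside MX that we deliver mail to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP control bits set, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    dst: Optional[str] = None     # None models "any"
    dport: Optional[int] = None   # None models "no 'eq <port>' qualifier"
    established: bool = False     # IOS "established": match only if ACK or RST is set


def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match, as IOS does it: header fields only, no connection table."""
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def acl_decision(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def filter_trace(acl: List[Rule], trace: List[Packet]) -> List[str]:
    """Decision for each inbound packet of a trace, in order."""
    return [acl_decision(acl, p) for p in trace]


# Josh's two rules, with a real host address in place of 255.255.255.255:
#   access-list 101 permit tcp any host 192.0.2.25 eq 25
#   access-list 101 permit tcp any host 192.0.2.25 eq 80
ACL_WITHOUT_ESTABLISHED = [
    Rule("permit", dst=MAILHOST, dport=25),
    Rule("permit", dst=MAILHOST, dport=80),
]
# ...plus the rule John describes for a mail host that also sends outbound:
#   access-list 101 permit tcp any host 192.0.2.25 established
ACL_WITH_ESTABLISHED = ACL_WITHOUT_ESTABLISHED + [
    Rule("permit", dst=MAILHOST, established=True),
]

# Constructed trace 1: an outside client delivers mail to us.  Only the
# inbound half of the session reaches the IN ACL, and the port pair stays
# 34567 -> 25 from the first SYN to the last FIN-ACK.
INBOUND_SMTP = [
    Packet(OUTSIDE_CLIENT, 34567, MAILHOST, 25, frozenset({"SYN"})),
    Packet(OUTSIDE_CLIENT, 34567, MAILHOST, 25, frozenset({"ACK"})),         # handshake step 3
    Packet(OUTSIDE_CLIENT, 34567, MAILHOST, 25, frozenset({"ACK", "PSH"})),  # SMTP commands
    Packet(OUTSIDE_CLIENT, 34567, MAILHOST, 25, frozenset({"FIN", "ACK"})),
]

# Constructed trace 2: our mail host dialed 203.0.113.9:25 from ephemeral
# port 1025.  These are the MX's replies arriving inbound: dport is 1025,
# not 25, so neither "eq" rule can match them.
OUTBOUND_SMTP_REPLIES = [
    Packet(OUTSIDE_MX, 25, MAILHOST, 1025, frozenset({"SYN", "ACK"})),
    Packet(OUTSIDE_MX, 25, MAILHOST, 1025, frozenset({"ACK", "PSH"})),
    Packet(OUTSIDE_MX, 25, MAILHOST, 1025, frozenset({"FIN", "ACK"})),
]

# A bare SYN to an ephemeral port is not a reply and is still dropped.
UNSOLICITED_SYN = Packet(OUTSIDE_MX, 40000, MAILHOST, 1025, frozenset({"SYN"}))

if __name__ == "__main__":
    print("inbound SMTP, no established:     ",
          filter_trace(ACL_WITHOUT_ESTABLISHED, INBOUND_SMTP))
    print("our outbound SMTP, no established:",
          filter_trace(ACL_WITHOUT_ESTABLISHED, OUTBOUND_SMTP_REPLIES))
    print("our outbound SMTP, established:   ",
          filter_trace(ACL_WITH_ESTABLISHED, OUTBOUND_SMTP_REPLIES))
    print("unsolicited SYN to 1025:          ",
          acl_decision(ACL_WITH_ESTABLISHED, UNSOLICITED_SYN))
```

Two things the model makes visible. First, rhicks's worry about "random ports of 1024 and above" only arises for connections the inside host initiates; for the inbound sessions the two "eq" rules cover every packet because the destination port never changes. Second, "established" is stateless: it passes any packet with ACK or RST set, so it admits the legitimate replies but would equally admit a crafted packet with the ACK bit set aimed at the mail host's high ports. It keeps out unsolicited SYNs, not everything.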
