[1835] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Alan Batie)
Wed Apr 17 17:02:44 1996
From: batie@aahz.jf.intel.com (Alan Batie)
To: JXH@slac.stanford.edu (John Halperin)
Date: Wed, 17 Apr 1996 10:35:10 -0700 (PDT)
Cc: rhicks@MO.NET, jmmc@et.mohave.cc.az.us, www-security@ns2.rutgers.edu
In-Reply-To: <199604170827.BAA22159@unixhub.SLAC.Stanford.EDU> from "John Halperin" at Apr 17, 96 01:27:07 am
Errors-To: owner-www-security@ns2.rutgers.edu
Since there seems to be much confusion, I thought I'd add my 2 cents worth;
the port > 1024 issue only applies to FTP when not used in passive mode,
because ftp servers open a separate data connection to do the file transfer
in that case. Most other protocols, SMTP and HTTP in particular, use the
initial connection for the transfer, so here is a sample pair of access
lists:
!
! Because configurations are additive, first you want to erase anything
! already there
!
no access-list 101
!
! Because access lists are searched sequentially, you put in the established
! clause first to speed up the common case of packets that come after the
! first connection setup (SYN) packet. If the SYN packet is blocked, the
! following packets can't do anything and if the SYN packet is authorized,
! so are the rest of them.
!
! www.xxx.yyy.zzz is the destination IP address you are allowing; 0.0.0.0 is
! the mask applied to it. A '1' in the mask is a wild card. Thus, the following
! allows packets from any host to make connections to the specific host
! www.xxx.yyy.zzz for connections that have already been setup.
!
! This access list applies to a local net interface, because the filter
! rules are applied to packets which are about to be *sent*, not to packets
! as they are *received*.
!
access-list 101 permit tcp 0.0.0.0 255.255.255.255 www.xxx.yyy.zzz 0.0.0.0 established
! Allow SMTP (TCP port 25) only to www.xxx.yyy.zzz
access-list 101 permit tcp 0.0.0.0 255.255.255.255 www.xxx.yyy.zzz 0.0.0.0 eq 25
! Allow HTTP (TCP port 80) only to www.xxx.yyy.zzz
access-list 101 permit tcp 0.0.0.0 255.255.255.255 www.xxx.yyy.zzz 0.0.0.0 eq 80
! Everything else is implicitly denied
!
! Because configurations are additive, first you want to erase anything
! already there
!
no access-list 102
!
! Because access lists are searched sequentially, you put in the established
! clause first to speed up the common case of packets that come after the
! first connection setup (SYN) packet. If the SYN packet is blocked, the
! following packets can't do anything and if the SYN packet is authorized,
! so are the rest of them.
!
! www.xxx.yyy.zzz is the source IP address you are allowing; 0.0.0.255 is the
! mask applied to it. A '1' in the mask is a wild card. Thus, the following
! allows packets from any host on class C net www.xxx.yyy.0 to any destination
! for connections that have already been setup.
!
! This access list applies to the interface connecting you to the untrusted
! world, because the filter rules are applied to packets which are about to
! be *sent*, not to packets as they are *received*.
!
access-list 102 permit tcp www.xxx.yyy.zzz 0.0.0.255 0.0.0.0 255.255.255.255 established
! Allow SMTP (TCP port 25) only from Class C net www.xxx.yyy.0 to anywhere
access-list 102 permit tcp www.xxx.yyy.zzz 0.0.0.255 0.0.0.0 255.255.255.255 eq 25
! Allow HTTP (TCP port 80) only from Class C net www.xxx.yyy.0 to anywhere
access-list 102 permit tcp www.xxx.yyy.zzz 0.0.0.255 0.0.0.0 255.255.255.255 eq 80
! Everything else is implicitly denied
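To make the matching rules above concrete, here is an added example (not part of the original post) that evaluates packets against both lists the way IOS does: first match wins, a 1 bit in the wildcard mask is "don't care", "eq" checks the destination port, "established" checks only the ACK/RST flag bits, and anything unmatched hits the implicit deny. 192.0.2.10 is a constructed stand-in for www.xxx.yyy.zzz; the packet dicts are constructed too. Note that "established" is a stateless flag check, so the last ACL 101 case shows an ACK-flagged packet to port 23 passing even though no SYN to 23 was ever permitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass
class Entry:                     # one "access-list N permit tcp ..." line
    src: int
    src_wild: int                # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int
    dst_port: Optional[int] = None  # "eq N" on the destination port, or None
    established: bool = False       # "established": ACK or RST bit must be set

def wild_match(addr: int, base: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF    # inverted wildcard = the bits that must match
    return addr & care == base & care

def evaluate(acl: list, pkt: dict) -> str:
    """Sequential search, first match wins; every IOS ACL ends in an implicit deny."""
    for e in acl:
        if not wild_match(pkt["src"], e.src, e.src_wild):
            continue
        if not wild_match(pkt["dst"], e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and pkt["dport"] != e.dst_port:
            continue
        if e.established and not (pkt["ack"] or pkt["rst"]):
            continue
        return "permit"
    return "deny"

def packet(src: str, dst: str, dport: int, ack: bool = False, rst: bool = False) -> dict:
    # Constructed packet summary: only the fields the ACL looks at
    return {"src": ip(src), "dst": ip(dst), "dport": dport, "ack": ack, "rst": rst}

ANY = (0, 0xFFFFFFFF)             # "0.0.0.0 255.255.255.255" = any address
SERVER = ip("192.0.2.10")         # constructed stand-in for www.xxx.yyy.zzz
CLASS_C = ip("0.0.0.255")         # wildcard covering the whole class C net
ACL_101 = [Entry(*ANY, SERVER, 0, established=True),   # inbound to the server
           Entry(*ANY, SERVER, 0, dst_port=25),
           Entry(*ANY, SERVER, 0, dst_port=80)]
ACL_102 = [Entry(SERVER, CLASS_C, *ANY, established=True),  # outbound from the net
           Entry(SERVER, CLASS_C, *ANY, dst_port=25),
           Entry(SERVER, CLASS_C, *ANY, dst_port=80)]

if __name__ == "__main__":
    print(evaluate(ACL_101, packet("203.0.113.7", "192.0.2.10", 80)))            # permit
    print(evaluate(ACL_101, packet("203.0.113.7", "192.0.2.10", 23)))            # deny
    print(evaluate(ACL_101, packet("203.0.113.7", "192.0.2.10", 23, ack=True)))  # permit
    print(evaluate(ACL_102, packet("192.0.3.1", "203.0.113.1", 25)))             # deny
```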
--
Alan Batie ------ What goes up, must come down.
batie@aahz.jf.intel.com \ / Ask any system administrator.
+1 503-264-8844 (voice) \ / --unknown
D0 D2 39 0E 02 34 D6 B4 \/ 5A 41 21 8F 23 5F 08 9D