[1836] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Antonio Vasconcelos)
Wed Apr 17 18:15:57 1996
Date: Wed, 17 Apr 1996 19:56:05 GMT
To: rhicks@MO.NET, www-security@ns2.rutgers.edu
From: Antonio Vasconcelos <vasco@bvl.pt>
Errors-To: owner-www-security@ns2.rutgers.edu
At 22:01 16-04-1996 -0500, you wrote:
>When a tcp connection sets up it will set the ACK bit (which 'established'
>checks) and give the client both a SYN number and a random port above 1023
>to communicate with. All communications are then completed via these random
>ports above 1023 for that session. You can just allow packets above 1023 to
>pass or you can only pass 'established' packets. I prefer to pass only
>'established' packets; it seems safer and I hear that some Windows clients
>don't obey the port > 1023 rule - the fools ;-)
I know that's the idea, but I have clients calling a cisco terminal server
with an acl without the 'established' lines and accessing a SQL server with
no problem at all...
--
regards,
Antonio Vasconcelos @ The Lisbon $tock Exchange
..........................................................
vasco@bvl.pt, vasco@individual.puug.pt, postmaster@bvl.pt,
webmaster@bvl.pt, http://www.bvl.pt:8080/~vasco
..........................................................
TEL: +351-1-790-9904 Bolsa de Valores de Lisboa
FAX: +351-1-795-2026 R. Soeiro Pereira Gomes
1600 LISBOA
http://www.bvl.pt/ PORTUGAL
..........................................................
All opinions are my own, my employer thinks I'm working
..........................................................
