[1837] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Rick Hicks)
Wed Apr 17 20:57:44 1996
Date: Wed, 17 Apr 1996 17:22:51 -0500 (CDT)
From: Rick Hicks <rhicks@MO.NET>
To: John Halperin <JXH@slac.stanford.edu>
cc: jmmc@et.mohave.cc.az.us, www-security@ns2.rutgers.edu
In-Reply-To: <199604170827.BAA22159@unixhub.SLAC.Stanford.EDU>
Errors-To: owner-www-security@ns2.rutgers.edu
OOOOPS! Was that me?
On Wed, 17 Apr 1996, John Halperin wrote:
> rhicks@MO.NET wrote:
>
> > At 12:02 AM 4/16/96 -0700, Josh McIver wrote:
> > > I believe that it would look like this.
> > >
> > > access-list 101 permit tcp any host 255.255.255.255 eq 25
> > > access-list 101 permit tcp any host 255.255.255.255 eq 80
> > >
> > > This would permit tcp packets from any host to go to port 25 and
> > > port 80 of machine 255.255.255.255.
>
> "255.255.255.255", the broadcast address, may not be the best example
> to use for a host IP address :-)
>
> > > Everything else is denied
> > > implicitly(sp?). You would then apply it as an inbound filter on your
> > > incoming port.
> >
> > This alone will not do it. After a tcp connection has been established (ACK
> > bit set and SYN number given) the hosts communicate on random ports of 1024
> > and above. If you do not allow communications for those ports it will fail.
>
> Not really -- reread RFC 793 (TCP), Comer, or Stevens. The port numbers
> don't change from the first SYN packet to the last FIN-ACK packet.
>
> There's also been some confusion about the "established" keyword in Cisco
> ACLs. You only need an "established" rule in an IN ACL when the inside
> machines need to _initiate_ TCP connections through the router (i.e., act
> as clients) and these inside clients bind to ephemeral port numbers
> (1024-5000) or some other port numbers which are not otherwise permitted
> by the router access rules. Thus, in the example above, you'd need an
> "established" rule for your mail-host machine if its SMTP daemon had to
> send mail to the outside as well as receive it.
>
> --
> John Halperin <jxh@SLAC.Stanford.Edu>
> SLAC Network Group (Stanford Linear Accelerator Center)
>
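The point John makes above, as an added example that is not part of the thread: a small Python model of Cisco extended-ACL evaluation (first match wins, implicit deny at the end, "established" matching only segments with ACK or RST set), run over constructed packets to show why the two-line list drops replies to connections the mail host itself initiates, and why adding an "established" entry admits those replies without admitting fresh inbound SYNs. The host addresses are constructed, and the model ignores protocol, source address and wildcard masks, which real ACL entries also match on.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ack: bool = False  # ACK bit; set on every segment after the initial SYN
    rst: bool = False

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    dst: str                     # "any" or a single host address
    dport: Optional[int] = None  # None: any destination port
    established: bool = False    # Cisco "established": ACK or RST bit set

def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.dst != "any" and entry.dst != pkt.dst:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.established and not (pkt.ack or pkt.rst):
        return False
    return True

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched is implicitly denied."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"

MAILHOST = "192.0.2.25"  # constructed host address (not the broadcast address)
# The two-line ACL from the thread, with a real host address substituted
ACL_BASIC = [Entry("permit", MAILHOST, 25), Entry("permit", MAILHOST, 80)]
# Plus the "established" entry needed when the mail host also initiates outbound SMTP
ACL_WITH_EST = ACL_BASIC + [Entry("permit", MAILHOST, established=True)]

# Constructed inbound packets: an outside client's opening SYN to port 25, an
# outside SMTP server's SYN-ACK reply to our host's ephemeral port, and a bare SYN
INBOUND_SYN = Packet("198.51.100.7", MAILHOST, 25)
REPLY_TO_OUR_CLIENT = Packet("198.51.100.7", MAILHOST, 1025, ack=True)
UNSOLICITED_SYN = Packet("198.51.100.7", MAILHOST, 1025)  # no ACK: new connection attempt

def results() -> dict:
    return {
        "syn_basic": evaluate(ACL_BASIC, INBOUND_SYN),            # permit
        "reply_basic": evaluate(ACL_BASIC, REPLY_TO_OUR_CLIENT),  # deny: reply dropped
        "reply_est": evaluate(ACL_WITH_EST, REPLY_TO_OUR_CLIENT), # permit
        "new_syn_est": evaluate(ACL_WITH_EST, UNSOLICITED_SYN),   # deny: still blocked
    }
```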