[1838] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Rick Hicks)
Thu Apr 18 02:18:29 1996
Date: Wed, 17 Apr 1996 22:00:05 -0500
To: John Halperin <JXH@slac.stanford.edu>
From: rhicks@MO.NET (Rick Hicks)
Cc: jmmc@et.mohave.cc.az.us, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 01:27 AM 4/17/96 -0700, John Halperin wrote:
>> This alone will not do it. After a tcp connection has been established (ACK
>> bit set and SYN number given) the hosts communicate on random ports of 1024
>> and above. If you do not allow communications for those ports it will fail.
>
>Not really -- reread RFC 793 (TCP), Comer, or Stevens. The port numbers
>don't change from the first SYN packet to the last FIN-ACK packet.
Correct - perhaps my language was ambiguous. I was referring to the
*initial* selection of a random port above 1023 when the connection is first
established, not for each packet sent. After this initial selection the
session will then continue to use that same port as you stated.
>There's also been some confusion about the "established" keyword in Cisco
>ACLs. You only need an "established" rule in an IN ACL when the inside
>machines need to _initiate_ TCP connections through the router (i.e, act
>as clients) and these inside clients bind to ephemeral port numbers
>(1024-5000) or some other port numbers which are not otherwise permitted
>by the router access rules. Thus, in the example above, you'd need an
>"established" rule for your mail-host machine if its SMTP daemon had to
>send mail to the outside as well as receive it.
I disagree. 'Established' investigates the ACK bit, which is only set
*after* the connection is initiated. At that point the connection will also
be using ports above 1023, meaning that there is no need for 'established'
connections to be sent to port 25 (SMTP).
Comments are welcome, I'm always ready to learn more.
Rick
__________________________________
Rick Hicks
System Specialist
Hussmann Corporation
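To make the semantics being argued over concrete, here is an added walk-through that is not part of the original thread or of any Cisco documentation. It models a tiny first-match ACL evaluator in Python: the IOS "established" keyword matches TCP segments that carry the ACK or RST flag, which is to say every segment of a session except the first SYN. The inbound ACL, the mail-host address (192.0.2.25) and the outside client address (198.51.100.7) are constructed for the example; port 1025 stands in for an ephemeral port the inside mail host bound to when it acted as a client.

```python
# Added example, not from the original thread: a toy evaluator for the
# semantics of Cisco's "established" ACL keyword, which matches TCP segments
# with the ACK or RST flag set (i.e. anything but the initial SYN).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool
    rst: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    dst: str = "any"               # destination host, or "any"
    dport: Optional[int] = None    # destination port, None means any
    established: bool = False      # require ACK or RST to be set

    def matches(self, p: Packet) -> bool:
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return True


MAIL_HOST = "192.0.2.25"   # constructed inside mail host (TEST-NET-1 address)
OUTSIDE = "198.51.100.7"   # constructed outside host (TEST-NET-2 address)

# Constructed inbound ACL on the outside interface, in IOS terms:
#   permit tcp any host 192.0.2.25 eq 25
#   permit tcp any any established
#   (implicit deny at the end)
INBOUND_ACL = [
    Rule("permit", dst=MAIL_HOST, dport=25),
    Rule("permit", established=True),
]


def evaluate(acl, p: Packet) -> str:
    """First-match evaluation with the implicit deny an IOS ACL ends with."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def walk_through() -> dict:
    """Verdict for each constructed inbound packet, keyed by scenario name."""
    cases = {
        # Outside client opens SMTP to our mail host: first SYN, no ACK.
        "smtp_syn_to_mailhost": Packet(OUTSIDE, MAIL_HOST, 25, syn=True, ack=False),
        # Reply to a connection the mail host initiated as a client, bound to
        # ephemeral port 1025: the SYN-ACK coming back has ACK set.
        "synack_to_ephemeral": Packet(OUTSIDE, MAIL_HOST, 1025, syn=True, ack=True),
        # Fresh inbound SYN aimed straight at the ephemeral port: no ACK.
        "syn_to_ephemeral": Packet(OUTSIDE, MAIL_HOST, 1025, syn=True, ack=False),
        # Inbound SYN to port 25 on some other inside host, not permitted.
        "smtp_syn_to_other_host": Packet(OUTSIDE, "192.0.2.40", 25, syn=True, ack=False),
    }
    return {name: evaluate(INBOUND_ACL, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in walk_through().items():
        print(f"{name:24s} -> {verdict}")
```

Two things the walk-through makes visible: the explicit port-25 rule is what admits a new inbound SMTP connection, and the "established" rule is what admits return traffic to the ephemeral port when the inside host was the client. Because "established" only inspects flag bits and keeps no connection table, a segment that merely has ACK set is accepted whether or not a matching session exists; treat it as a flag filter, not stateful inspection.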