[120872] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Jay Hennigan)
Tue Jan 5 16:22:49 2010

Date: Tue, 05 Jan 2010 13:18:47 -0800
From: Jay Hennigan <jay@west.net>
To: nanog@nanog.org
In-Reply-To: <AFD31EAF2DD7F346AA17E164615555B0321B3280@SVR-AMED-MAIL01.amedisys.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Jason Shearer wrote:
> Doesn't using the established allow any packet with ACK/RST set 

Yes, as would be expected for legitimate return traffic for a TCP 
connection initiated from a browser inside the firewall.

> and wouldn't you have to allow all high ports?

That's what the ">" is for.  Cisco syntax "gt" (greater than).

The point is that either of these will deny unsolicited new connection 
attempts from the outside to TCP 22 (and 445, 135, etc.)

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
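To make the difference between the two ACL styles concrete, here is an added example (not from the post or from any NANOG participant) that evaluates a few constructed inbound packets against two hypothetical IOS-style ACLs: one using `established` and one using `gt 1023`. Both are stateless, which is the caveat a practitioner should keep in mind: `established` is only a check that ACK or RST is set, so a crafted ACK probe to port 22 passes it (no connection can be built without a SYN, but an ACK scan still gets an answer), and `gt 1023` permits any unsolicited SYN to a service listening above 1023. Neither matches UDP replies such as DNS, which need their own rule. The ACL text, the port numbers and the sample packets are all constructed for the example.

```python
"""Stateless evaluation of two Cisco-style inbound ACLs (constructed example)."""
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: int = 0    # TCP flags; ignored for non-TCP


# Hypothetical inbound ACLs in IOS syntax; not taken from the post.
ACL_ESTABLISHED = """
access-list 101 permit tcp any any established
access-list 101 deny ip any any
"""

ACL_GT = """
access-list 102 permit tcp any any gt 1023
access-list 102 deny ip any any
"""


def parse_acl(text):
    """Parse 'access-list N action proto any any [qualifier...]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        # tok: ['access-list', '101', 'permit', 'tcp', 'any', 'any', ...qualifier]
        action, proto, qualifier = tok[2], tok[3], tok[6:]
        rules.append((action, proto, qualifier))
    return rules


def rule_matches(rule, pkt):
    """Match one parsed rule against a packet; no connection state is consulted."""
    action, proto, qualifier = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if not qualifier:
        return True
    if qualifier[0] == "established":
        # 'established' is purely a flag test: ACK or RST set on a TCP segment.
        return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))
    if qualifier[0] == "gt":
        # 'gt N' here tests the destination port, as in 'permit tcp any any gt 1023'.
        return pkt.dst_port > int(qualifier[1])
    if qualifier[0] == "eq":
        return pkt.dst_port == int(qualifier[1])
    raise ValueError(f"unsupported qualifier: {qualifier}")


def evaluate(rules, pkt):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"


# Constructed traffic arriving inbound on the outside interface.
SAMPLES = {
    "unsolicited SYN to ssh": Packet("tcp", 40000, 22, SYN),
    "reply from web server": Packet("tcp", 80, 51234, SYN | ACK),
    "ACK scan probe to ssh": Packet("tcp", 40000, 22, ACK),
    "unsolicited SYN to 8080": Packet("tcp", 40000, 8080, SYN),
    "dns reply udp": Packet("udp", 53, 55555),
}


def compare(samples=SAMPLES):
    """Return {name: (verdict under 'established' ACL, verdict under 'gt 1023' ACL)}."""
    est = parse_acl(ACL_ESTABLISHED)
    gt = parse_acl(ACL_GT)
    return {name: (evaluate(est, p), evaluate(gt, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:26s} established={a:6s} gt1023={b}")
```

Running it shows both ACLs denying the unsolicited SYN to port 22 and both permitting the SYN/ACK coming back from a web server, which is the point made in the post. The other rows are where they diverge: the ACK-only probe to 22 is permitted by `established` and denied by `gt 1023`, the SYN to 8080 is denied by `established` and permitted by `gt 1023`, and the UDP DNS reply is denied by both.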

