What is strange about it is that I can't tell where 214.3.2.50 is in 
relation to the router interface on which this list is applied.

The first two lines allow tcp connections on ports between 6000 and 6063 
both TO and FROM host 214.3.2.50.

Which direction is this list applied, and on which interface?

Say for argument that it is an incoming list on int s0. Let's say that host 
214.3.2.50 opens a tcp connection on port 6001 to some host not on its local 
subnet. The packet will hit int s0, and be subject to the list. It matches 
line one, and so it is permitted. The intended recipient receives the 
message, and replies. Without even going into which port the reply is sent 
to, is it true that the reply will ALSO COME INTO s0? If not, then why 
permit traffic TO as well as FROM? Is host 214.3.2.50 a server that is one 
of many offering services on ports 6000 - 6063?

OR - is this list applied to multiple interfaces and for simplicity's sake 
includes entries for either direction? Hmmm...

By the way, lines 4 and 6 are identical. Maybe line 6 was intended to filter 
UDP?

Other than lines 4 and 6, this list is not redundant, but without seeing a 
drawing I have to say that depending on how many interfaces it is applied to 
and what direction(s) it is applied, I am not sure that this list does what 
the author thinks it does...

Does that help?

Dale
[=`)


>From: "Deloso, Elmer  G." <[EMAIL PROTECTED]>
>Reply-To: "Deloso, Elmer  G." <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: Easier way to do Access-lists
>Date: Thu, 17 Aug 2000 13:59:16 -0400
>
>Hi, group.
>Below is a sample ACL, and I need to find out if there's an easier way to input
>these seemingly redundant entries. Thanks.
>access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
>access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
>access-list 111 permit tcp host 214.3.1.50 any eq 161 log
>access-list 111 permit tcp any host 214.3.1.50 eq 161 log
>access-list 111 permit udp host 214.3.1.50 any eq 161 log
>access-list 111 permit tcp any host 214.3.1.50 eq 161 log
>access-list 111 deny    ip 211.0.0.0 0.255.255.255 any log
>access-list 111 deny    ip 212.0.0.0 0.255.255.255 any log
>access-list 111 permit ip any any
>
>Elmer

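To make Dale's direction and ordering argument concrete, here is an added example (not code from the thread or from either poster) that parses the nine access-list lines exactly as Elmer quoted them and evaluates packets against them first-match, the way the router does. The remote host 198.51.100.7, the 211.5.5.5 source, and the ephemeral ports 40000 and 33000 are constructed scenario values; the evaluator follows Dale's hypothetical that both halves of a connection arrive inbound on the same interface, and it only understands the grammar subset on the page (host/any/contiguous wildcard masks, eq and range, an implicit deny at the end; no established or other keywords). Note that Elmer's list names 214.3.1.50 while Dale's reply writes it as 214.3.2.50; the example uses the address from the list.

```python
"""First-match evaluator for the Cisco extended-ACL subset quoted in the thread.

Added illustration, not the router's or the list posters' code. It shows three
things: which line a connection's forward packet hits, which line its reply
hits if the reply enters the same interface, and which lines can never match
because an identical line precedes them.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Elmer's nine lines, verbatim (log keyword is parsed and ignored).
ACL_TEXT = """\
access-list 111 permit tcp host 214.3.1.50 any range 6000 6063 log
access-list 111 permit tcp any host 214.3.1.50 range 6000 6063 log
access-list 111 permit tcp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 permit udp host 214.3.1.50 any eq 161 log
access-list 111 permit tcp any host 214.3.1.50 eq 161 log
access-list 111 deny    ip 211.0.0.0 0.255.255.255 any log
access-list 111 deny    ip 212.0.0.0 0.255.255.255 any log
access-list 111 permit ip any any
"""

ANY_PORTS = (0, 65535)  # no eq/range operator given: any port


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_ports: Tuple[int, int]          # inclusive range
    dst: ipaddress.IPv4Network
    dst_ports: Tuple[int, int]
    text: str                           # original line, for reporting


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care (inverse of a netmask).
    # Only contiguous wildcards (the kind on the page) are supported here.
    wildcard = int(ipaddress.ip_address(t[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Optional `eq N` or `range N M` after an address; return ((lo, hi), next index)."""
    if i < len(t) and t[i] == "eq":
        p = int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return ANY_PORTS, i


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        sp, i = _parse_ports(t, i) if proto in ("tcp", "udp") else (ANY_PORTS, i)
        dst, i = _parse_addr(t, i)
        dp, i = _parse_ports(t, i) if proto in ("tcp", "udp") else (ANY_PORTS, i)
        rules.append(Rule(action, proto, src, sp, dst, dp, line.strip()))
    return rules


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port) -> Tuple[Optional[int], str]:
    """First match wins. Returns (1-based line number, action); (None, 'deny') is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if not (r.src_ports[0] <= src_port <= r.src_ports[1]):
            continue
        if not (r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            continue
        return n, r.action
    return None, "deny"


def trace_exchange(rules, client, client_port, server, server_port, proto="tcp"):
    """Dale's scenario: both the request and the reply enter the same interface."""
    return {
        "forward": evaluate(rules, proto, client, client_port, server, server_port),
        "reply": evaluate(rules, proto, server, server_port, client, client_port),
    }


def duplicate_lines(rules) -> List[Tuple[int, int]]:
    """(earlier, later) line pairs with identical match criteria; the later one never fires."""
    seen, dups = {}, []
    for n, r in enumerate(rules, 1):
        key = (r.proto, r.src, r.src_ports, r.dst, r.dst_ports)
        if key in seen:
            dups.append((seen[key], n))
        else:
            seen[key] = n
    return dups


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("duplicates:", duplicate_lines(acl))                      # [(4, 6)]
    print(trace_exchange(acl, "214.3.1.50", 40000, "198.51.100.7", 6001))
    print(evaluate(acl, "tcp", "211.5.5.5", 33000, "214.3.1.50", 161))
    print(evaluate(acl, "udp", "211.5.5.5", 33000, "214.3.1.50", 161))
```

Running it shows what the thread is circling around: the outbound connection to port 6001 matches line 1, but its reply (destination port 40000) matches neither line 2 nor any other specific line and is only passed by the final `permit ip any any`, so the "TO" entries are not what carries return traffic. Line 6 is reported as shadowed by line 4. The two evaluate calls also show first-match ordering: a TCP packet from 211.5.5.5 to the host's port 161 is permitted by line 4 before the 211/8 deny on line 7 is reached, whereas the same packet over UDP falls through to line 7 and is denied.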

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
