Footnote - I believe this would also permit 'crafted' packets with the ACK
bit set ... which is why a good firewall is better.


Thanks!
TJ



-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 21, 2002 8:25 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list question [7:36124]

That's a good conceptual explanation. I would add that technically, it 
allows TCP packets that have the ACK bit set. In other words, it allows 
packets that are acknowledging another packet. That means it would not 
allow an incoming SYN used to set up a session, but it would allow a reply 
to a SYN that already happened.

Priscilla

At 06:26 PM 2/21/02, David Jones wrote:
>Justin,
>
>This is typically used in an Internet/NAT situation where you are allowing
>something from the Internet to come back in, only if it's a reply to a
>request that originated from inside your network.  For instance, with a
>router connected to the Internet, you typically want an access-list applied
>to your Internet-facing port that denies incoming traffic, as you don't want
>them trying to walk all over your router or network.  However, this same
>access list will drop valid replies to requests from clients inside your
>network, i.e. http replies, etc.
>
>With the 'established' option, you can tell the router with access lists
>"drop everything inbound from the Internet, except replies to requests made
>from inside my network".
>
>Typically, people do this because they don't want to pay for a firewall, but
>this isn't the best thing to do.  If you need to set this up for someone for
>Internet access, you need to dig a little deeper into it because if my
>memory serves me right, this command may or may not work with UDP traffic
>and only TCP traffic.  I'm not sure and might be totally wrong, so you need
>to check.
>
>Hope this helps,
>
>Dave
________________________

Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36206&t=36124
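The behaviour the thread describes can be modelled directly. The following is an added illustration, not code from the original posts: it emulates an inbound Internet-facing ACL using the Cisco IOS `established` keyword (which applies only to `tcp` entries and simply matches segments with the ACK or RST bit set, keeping no state) next to a minimal stateful connection tracker. The addresses, port numbers and packets are constructed for the example, and the inside network 10.0.0.0/24 is an assumption. It shows the three cases discussed: a SYN/ACK reply to an inside client is permitted, an unsolicited inbound SYN is dropped, and a crafted packet with ACK set but no prior session slips through the stateless ACL yet is caught by the stateful filter. It also shows that a UDP DNS reply is dropped by the `established` line, which is Dave's caveat about UDP.

```python
"""Toy model of a Cisco IOS extended ACL with the 'established' keyword,
compared with a stateful firewall. Added illustration, not from the original
thread; addresses, ports and packets are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags carried, e.g. {"SYN"}, {"SYN", "ACK"}


INSIDE_PREFIX = "10.0.0."           # assumption: inside network is 10.0.0.0/24


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def established_acl(pkt: Packet) -> str:
    """Emulates, applied inbound on the Internet-facing interface:
         access-list 101 permit tcp any 10.0.0.0 0.0.0.255 established
         access-list 101 deny   ip  any any
    'established' is a TCP-only option and is stateless: it only tests whether
    the segment carries the ACK or RST bit. Nothing about prior traffic is kept."""
    if pkt.proto == "tcp" and is_inside(pkt.dst) and (pkt.flags & {"ACK", "RST"}):
        return "permit"
    return "deny"   # implicit deny: new inbound SYNs, and all UDP (DNS replies too)


class StatefulFirewall:
    """Minimal connection tracker: remembers flows opened from inside and only
    admits inbound packets whose 5-tuple is the reverse of one of them."""

    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Packet) -> str:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.flows else "deny"


# Constructed traffic for the demonstration (documentation-range addresses).
INSIDE_CLIENT, WEB_SERVER = "10.0.0.25", "203.0.113.10"
ATTACKER, DNS_SERVER = "198.51.100.7", "203.0.113.53"
OUTBOUND_SYN  = Packet("tcp", INSIDE_CLIENT, 40000, WEB_SERVER, 80, frozenset({"SYN"}))
REPLY_SYN_ACK = Packet("tcp", WEB_SERVER, 80, INSIDE_CLIENT, 40000, frozenset({"SYN", "ACK"}))
INBOUND_SYN   = Packet("tcp", ATTACKER, 55555, INSIDE_CLIENT, 22, frozenset({"SYN"}))
CRAFTED_ACK   = Packet("tcp", ATTACKER, 55555, INSIDE_CLIENT, 22, frozenset({"ACK"}))
OUTBOUND_DNS  = Packet("udp", INSIDE_CLIENT, 40001, DNS_SERVER, 53)
DNS_REPLY     = Packet("udp", DNS_SERVER, 53, INSIDE_CLIENT, 40001)


def compare() -> dict:
    """Return each inbound packet's verdict under both filters, after the
    inside client has sent its outbound HTTP SYN and DNS query."""
    fw = StatefulFirewall()
    fw.outbound(OUTBOUND_SYN)
    fw.outbound(OUTBOUND_DNS)
    results = {}
    for name, pkt in [("syn_ack_reply", REPLY_SYN_ACK), ("inbound_syn", INBOUND_SYN),
                      ("crafted_ack", CRAFTED_ACK), ("dns_reply", DNS_REPLY)]:
        results[name] = {"established_acl": established_acl(pkt),
                         "stateful": fw.inbound(pkt)}
    return results


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:14s} established: {verdicts['established_acl']:6s} "
              f"stateful: {verdicts['stateful']}")
```

The crafted ACK case is the point of TJ's footnote: because the ACL keys only on a header bit, anyone can set ACK on a probe and get it past the router, which is why a stateful firewall that remembers the outbound SYN is the stronger control.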