On Tue, 2 Feb 1999, Jeremy Tinkler wrote:
> Is it technically possible to set up the router so that system A can
> telnet (and preferably ftp) to system B, but not vice versa? That is,
> we want to be able to login to B from A, but make sure nobody using B
> can get into A. We have not been able to work out how to do it because
Sure, just make sure that only TCP packets with the ACK bit set (Cisco
uses the "established" keyword for this) can go from B to A; you restrict
it to source ports in the 1024-32768 (or higher if necessary) range as
well, but if it can't send non-ACK'd packets it can't initiate a connection.
You may wish to force PASV mode FTP so that it's consistent in direction
of connection.
> the telnet/ftp "reply" port numbers are not fixed.
> If not with this setup, is there any way at all that this can be
> achieved?
You should also add the same protections using tcpwrappers to each host,
that way you're not relying on a single protection mechanism.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
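The rule set Paul describes, worked through as an added example (this is editor-supplied code, not from the original mail or from any Cisco documentation). It models a stateless router filter: any TCP from A to B passes, TCP from B to A passes only when the ACK bit is set and the packet is headed for a client-side ephemeral port on A, everything else is dropped. The addresses, the 1024-32768 ephemeral range and the packet traces are constructed; the port-range check is applied to the port on A's side because a telnet server's replies leave B from port 23, so the range cannot be applied to B's source port without breaking the reply path. The FTP traces show why PASV matters: in active mode the server on B has to open the data connection toward A, which the rule correctly refuses.

```python
"""Stateless 'established' (ACK-bit) filter for one-way A -> B access.

Editor-supplied example.  HOST_A, HOST_B, the port range and all packet
traces below are constructed values, not taken from the original mail.
"""
from dataclasses import dataclass

HOST_A = "10.0.1.10"   # the system allowed to initiate (assumed)
HOST_B = "10.0.2.20"   # the system that must never initiate (assumed)

# Client-side ephemeral ports assumed on A; replies from B must land here.
EPHEMERAL = range(1024, 32769)

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int            # TCP flag bits; only SYN and ACK are used here
    proto: str = "tcp"


def permitted(pkt: Packet) -> bool:
    """Decide whether the router forwards the packet.

    Rule 1: any TCP from A to B is permitted (A may initiate).
    Rule 2: TCP from B to A is permitted only if ACK is set (Cisco's
            "established" keyword) and the destination is an ephemeral
            port on A.  A bare SYN from B can never open a connection.
    Rule 3: implicit deny for everything else, including non-TCP.
    """
    if pkt.proto != "tcp":
        return False
    if pkt.src == HOST_A and pkt.dst == HOST_B:
        return True
    if pkt.src == HOST_B and pkt.dst == HOST_A:
        return bool(pkt.flags & ACK) and pkt.dport in EPHEMERAL
    return False


def verdicts(packets):
    """Apply the filter to a trace and return one verdict per packet."""
    return [permitted(p) for p in packets]


# --- constructed traces -------------------------------------------------

def telnet_from_a():
    """Three-way handshake A -> B:23, the direction we want to allow."""
    return [
        Packet(HOST_A, HOST_B, 1025, 23, SYN),         # A initiates
        Packet(HOST_B, HOST_A, 23, 1025, SYN | ACK),   # B replies, ACK set
        Packet(HOST_A, HOST_B, 1025, 23, ACK),         # A completes
    ]


def telnet_from_b():
    """B trying to open a telnet session to A: a SYN without ACK."""
    return [Packet(HOST_B, HOST_A, 1026, 23, SYN)]


def ack_to_low_port_from_b():
    """ACK bit set, but aimed at a service port on A: blocked by the range check."""
    return [Packet(HOST_B, HOST_A, 1027, 23, ACK)]


def active_ftp_data():
    """Active FTP: the server on B opens the data connection from port 20."""
    return [Packet(HOST_B, HOST_A, 20, 1030, SYN)]


def passive_ftp_data():
    """PASV FTP: the client on A opens the data connection to a high port on B."""
    return [
        Packet(HOST_A, HOST_B, 1031, 40000, SYN),
        Packet(HOST_B, HOST_A, 40000, 1031, SYN | ACK),
        Packet(HOST_A, HOST_B, 1031, 40000, ACK),
    ]


if __name__ == "__main__":
    for name, trace in [("telnet A->B", telnet_from_a()),
                        ("telnet B->A", telnet_from_b()),
                        ("ACK to A:23", ack_to_low_port_from_b()),
                        ("active FTP data", active_ftp_data()),
                        ("PASV FTP data", passive_ftp_data())]:
        print(f"{name:16s} {verdicts(trace)}")
```

The filter is stateless: it never remembers that A sent a SYN, it only looks at the flag bits and ports of each packet on its own, which is exactly what the Cisco `established` keyword does. That is why Paul's second suggestion, tcpwrappers on the hosts themselves, is worth following; a flag-matching ACL is one layer, not a connection-tracking firewall.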