Paul D. Robertson wrote:
> On Tue, 2 Feb 1999, Jeremy Tinkler wrote:
> 
> > Is it technically possible to set up the router so that system A can
> > telnet (and preferably ftp) to system B, but not vice versa?  That is,
> > we want to be able to login to B from A, but make sure nobody using B
> > can get into A.  We have not been able to work out how to do it because
> 
> Sure, just make sure that only TCP packets with the ACK bit set (Cisco
> uses the "established" keyword for this) can go from B to A, you restrict
> it to source ports in the 1024-32768 (or higher if necessary) range as
> well, but if it can't send non-ACK'd packets it can't initiate a connection.
> 
Canned configuration:
! A opens telnet to B; only replies carrying the ACK (or RST) bit may come back from B
access-list xxx permit tcp host A host B eq telnet
access-list xxx permit tcp host B eq telnet host A gt 1023 established
! Same pattern for the FTP control channel
access-list xxx permit tcp host A host B eq ftp
access-list xxx permit tcp host B eq ftp host A gt 1023 established
! Active-mode FTP data channel: B connects from port 20 to A's ephemeral port
access-list xxx permit tcp host B eq ftp-data host A gt 1023
access-list xxx deny ip any any

Regards,
-- 
Kåre Presttun, Security Officer, Alcanet International
------------------------------------------------------
Tel   : +47 2263 7601  mailto:[EMAIL PROTECTED]
Fax   : +47 2263 8887           http://www.alcatel.no/
Mobile: +47 9082 7068 Private mailto:[EMAIL PROTECTED]
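As an added illustration (not part of the original message or of any Cisco code), the following Python models the first-match, implicit-deny semantics of an IOS extended ACL and the meaning of the "established" keyword, then runs the thread's canned configuration against constructed packets. The addresses for host A and host B, the ephemeral ports and the extra FTP control-channel reply rule are assumptions.

```python
from collections import namedtuple

A, B = "10.0.0.1", "10.0.0.2"   # constructed addresses standing in for "host A" / "host B"

# Port operators from the ACL syntax; a missing operator matches any port.
def eq(port): return lambda p: p == port
def gt(port): return lambda p: p > port
ANY = lambda p: True

# src/dst None means "any"; established=True is the IOS "established" keyword,
# which matches only TCP segments with the ACK (or RST) bit set.
Rule = namedtuple("Rule", "action src sport dst dport established", defaults=[False])
Packet = namedtuple("Packet", "src sport dst dport ack rst", defaults=[False, False])

# The thread's canned configuration, plus the FTP control-channel reply rule
# (B eq ftp -> A gt 1023 established) that the original omits.
ACL = [
    Rule("permit", A, ANY, B, eq(23)),
    Rule("permit", B, eq(23), A, gt(1023), established=True),
    Rule("permit", A, ANY, B, eq(21)),
    Rule("permit", B, eq(21), A, gt(1023), established=True),
    Rule("permit", B, eq(20), A, gt(1023)),   # active-FTP data channel, B:20 -> A
    Rule("deny", None, ANY, None, ANY),
]

def evaluate(acl, pkt):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for r in acl:
        if r.src not in (None, pkt.src) or r.dst not in (None, pkt.dst):
            continue
        if not (r.sport(pkt.sport) and r.dport(pkt.dport)):
            continue
        if r.established and not (pkt.ack or pkt.rst):
            continue
        return r.action
    return "deny"

def check_policy(acl=ACL):
    """Constructed packets: A's telnet SYN, B's ACK reply, B's own telnet SYN,
    and a bare SYN from B's port 20 (the active-FTP rule carries no 'established')."""
    return {
        "a_to_b_telnet_syn": evaluate(acl, Packet(A, 40000, B, 23)),
        "b_to_a_telnet_reply": evaluate(acl, Packet(B, 23, A, 40000, ack=True)),
        "b_to_a_telnet_syn": evaluate(acl, Packet(B, 40000, A, 23)),
        "b_port20_to_a_syn": evaluate(acl, Packet(B, 20, A, 5000)),
    }
```

The last result shows the caveat of the active-FTP data rule: because it cannot carry "established", a connection sourced from B's port 20 to any port above 1023 on A is permitted, which is why a stateful inspection engine or passive-mode FTP is the usual mitigation.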