Hi,
I think it's a good choice using additionally reflexive access-lists in
this case (I'm not sure if the IOS >= 11.3 is running on an 1605). This
feature allows only packets associated with an established connection.
So nobody can send packets to your system A until there is an established
connection.
Martin
--
[EMAIL PROTECTED]
>Date: Tue, 2 Feb 1999 10:18:52 -0500 (EST)
>From: "Paul D. Robertson" <[EMAIL PROTECTED]>
>Subject: Re: One-way telnet
>
>On Tue, 2 Feb 1999, Jeremy Tinkler wrote:
>
>> Is it technically possible to set up the router so that system A can
>> telnet (and preferably ftp) to system B, but not vice versa? That is,
>> we want to be able to login to B from A, but make sure nobody using B
>> can get into A. We have not been able to work out how to do it because
>
>Sure, just make sure that only TCP packets with the ACK bit set (Cisco
>uses the "established" keyword for this) can go from B to A, you restrict
>it to source ports in the 1024-32768 (or higher if necessary) range as
>well, but if it can't send non-ACK'd packets it can't initiate a connection.
>
>You may wish to force PASV mode FTP so that it's consistent in direction
>of connection.
>
>> the telnet/ftp "reply" port numbers are not fixed.
>> If not with this setup, is there any way at all that this can be
>> achieved?
>
>You should also add the same protections using tcpwrappers to each host,
>that way you're not relying on a single protection mechanism.
>
>Paul
>- -----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>[EMAIL PROTECTED] which may have no basis whatsoever in fact."
> PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
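Both approaches from the thread, Paul's stateless "established" filter and Martin's reflexive access list, written out as an added Cisco IOS configuration example (not taken from either message). The topology, interface names and addresses are assumptions: Ethernet0 faces system A (192.0.2.10), Ethernet1 faces system B (198.51.100.20), both in documentation address ranges. In the stateless variant the port range is applied to the destination side, because replies from B's telnet and ftp servers carry source ports 23 and 21 and are addressed to A's ephemeral ports.

```cisco
! Added example, not from the list thread. Assumed topology:
!   Ethernet0 -> network of system A (A = 192.0.2.10)
!   Ethernet1 -> network of system B (B = 198.51.100.20)
! Apply ONE of the two variants below to Ethernet1; pasting both would
! simply overwrite the first "ip access-group ... in" with the second.
!
! --- Variant 1: stateless filter with the "established" keyword ---
! A TCP segment from B toward A is accepted only if ACK (or RST) is set
! and it is aimed at A's ephemeral port range, so B cannot open a
! connection to A's services. "in" on Ethernet1 = packets coming from B.
access-list 101 permit tcp host 198.51.100.20 host 192.0.2.10 range 1024 32768 established
access-list 101 deny   ip any any log
!
interface Ethernet1
 ip access-group 101 in
!
! --- Variant 2: reflexive access list (IOS 11.3 and later) ---
! Each permitted session that A opens toward B creates a temporary entry
! in TCP-STATE; the "evaluate" line admits only return packets matching
! such an entry. Entries expire after 300 s of inactivity.
ip reflexive-list timeout 300
!
ip access-list extended OUT-TO-B
 permit tcp host 192.0.2.10 host 198.51.100.20 eq telnet reflect TCP-STATE
 permit tcp host 192.0.2.10 host 198.51.100.20 eq ftp reflect TCP-STATE
 ! PASV ftp data connection: A connects to a high port on B
 permit tcp host 192.0.2.10 gt 1023 host 198.51.100.20 gt 1023 reflect TCP-STATE
 deny   ip any any log
!
ip access-list extended IN-FROM-B
 evaluate TCP-STATE
 deny   ip any any log
!
interface Ethernet1
 ip access-group OUT-TO-B out
 ip access-group IN-FROM-B in
```

The `established` keyword inspects only the flag bits of each segment, so it cannot distinguish a genuine reply from an unsolicited packet that merely has ACK set; it stops connection setup from B, nothing more. The reflexive list ties every admitted packet to a session the router itself saw A open, which is the stronger property. In both variants active-mode FTP breaks, because the server on B would try to open the data connection back to A, which is exactly what the filter forbids; forcing PASV mode keeps every connection flowing from A to B.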