At 05:30 PM 3/9/00 +0100, you wrote:
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> > access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 22
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 25
> > access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
> > access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
>
> > I initially placed this list on the serial connection, which is the
> > incoming ISDN. I had defined it as 'ip access-group 102 in', which
> > promptly cut off all access. I then placed it on the ethernet port as
> > 'ip access-group 102 out', which appears to work as it should.
> >
> > Questions:
> >
> > 1. Why did the first definition not work? I would have thought either
> > definition would work the same.
> >
>you denied everything incoming that is standard TCP/IP, so you were able to
>send packets; but unable to receive any responses
>permit tcp gt 1023
>but at the end there is always an implicit deny !!!!
But, my first two rules allow responses.
If I think of it this way:
                 e0                    serial0
FW<----------------[Cisco 2501]<----------------Internet
ip access-group 102 out          ip access-group 102 in
Arrows indicate direction of packet flow, i.e. they illustrate packets
arriving via the serial interface and leaving via the ethernet interface
(obviously, they flow in both directions, but I'm not concerned with
outbound flow). The two definitions should have been identical, shouldn't
they? On the serial interface, the list would have matched incoming
packets, and on the ethernet interface, the list would match outgoing
packets. What is the difference?
> > 2. What am I missing here? What else should I include (as a rule), and why?
>don't really know what you're meaning here, it works doesn't it ?
>you allow responses from your e0 to the net, for those packets that you
>received !
I don't profess to know everything, hence my asking for a peer review of my
implementation. If all I need is what I've listed above, then great. I'd
rather have too much info, than too little.
>it's also better to use the established keyword, so you can establish a
>connection from the e0 to the internet; but not vice versa !!!!!
What would the 'established' keyword do for me? I didn't really understand
what the docs were referring to when that keyword was mentioned. Does it
mean connections that are currently underway when the list is activated?
Cheers!
Jon
-----------------------------------------------------------------
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown
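An added example, not from this thread or from Cisco: a small Python evaluator for access-list 102 as quoted above, run over constructed packets, to show the implicit deny at the end of the list and what the 'established' keyword changes (on Cisco IOS it matches only TCP segments with the ACK or RST bit set, i.e. not the first SYN of a new connection). The address 203.0.113.3 stands in for the thread's x.x.x.3; all other addresses and ports are made up.

```python
from dataclasses import dataclass

FW = "203.0.113.3"  # placeholder for the firewall host x.x.x.3 in the thread

@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False    # TCP ACK bit
    rst: bool = False    # TCP RST bit

@dataclass
class Rule:
    proto: str
    dst: str             # host address; the quoted list uses a 0.0.0.0 (host) mask
    op: str              # "gt" or "eq", applied to the destination port
    port: int
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or p.dst != self.dst:
            return False
        if self.op == "gt" and not p.dport > self.port:
            return False
        if self.op == "eq" and p.dport != self.port:
            return False
        # 'established': only segments of an already open TCP connection (ACK or RST set)
        if self.established and not (p.ack or p.rst):
            return False
        return True

def evaluate(acl, p: Packet) -> str:
    for r in acl:
        if r.matches(p):
            return "permit"
    return "deny"        # the implicit deny at the end of every Cisco ACL

ACL_102 = [Rule("tcp", FW, "gt", 1023), Rule("udp", FW, "gt", 1023),
           Rule("tcp", FW, "eq", 22), Rule("tcp", FW, "eq", 25),
           Rule("tcp", FW, "eq", 53), Rule("udp", FW, "eq", 53)]
# Same list with 'established' added to the high-port TCP rule
ACL_102_EST = [Rule("tcp", FW, "gt", 1023, established=True)] + ACL_102[1:]

# Constructed packets arriving from the Internet on serial0
REPLY = Packet("tcp", "198.51.100.9", 80, FW, 40000, ack=True)   # reply to a request the FW sent
NEW_HIGH = Packet("tcp", "198.51.100.9", 5555, FW, 8080)          # fresh SYN to a high port on the FW
OTHER_DST = Packet("tcp", "198.51.100.9", 80, "203.0.113.1", 40000, ack=True)  # not for the FW
```

Without 'established', the `gt 1023` rule permits NEW_HIGH as well as REPLY; with it, REPLY still passes and NEW_HIGH is dropped, while OTHER_DST hits the implicit deny under both lists.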