On 03/09/2000 at 14:38:05 CST, "Eric Johnson" <[EMAIL PROTECTED]> wrote:
> On 9 Mar 00, at 15:24, John Adams wrote:
> >  deny   ip 192.168.0.0 0.0.255.255 any log
> >  permit tcp any any lt 1024 established
>
> Wouldn't locating the permit any established at the start of the list
> be far more efficient?

It might be slightly more efficient, but it would also have undesirable
side effects.  Remember that IOS access lists are processed until the first
match is found.  With the example shown, it would allow any tcp packet from
the rfc1918 address range that has the ACK or RST bit (the meaning of
"established") to a port less than 1024.  Clearly that is not what is
wanted.

Tony Rall


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
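The first-match behaviour Tony describes, as an added example that is not part of the original thread: a small Python simulator of IOS extended ACL evaluation run over both orderings, showing that the reordered list permits a TCP segment with ACK set from an RFC1918 source while the original list denies it. The parser covers only the syntax the two entries use; that subset, the constructed packets and the helper names are assumptions.

```python
# Added example (not from the post): minimal first-match simulator for the
# IOS ACL subset used above (ip/tcp, 'any' or 'addr wildcard', 'lt N' on the
# destination port, 'established'); nothing else of the ACL language is handled.
import ipaddress

ORIGINAL_ACL = [
    "deny   ip 192.168.0.0 0.0.255.255 any log",
    "permit tcp any any lt 1024 established",
]
REORDERED_ACL = list(reversed(ORIGINAL_ACL))  # the ordering Eric asked about

def match_addr(spec, wildcard, addr):
    """Cisco wildcard mask: 1 bits are 'don't care'; 'any' matches everything."""
    if spec == "any":
        return True
    def ip(s): return int(ipaddress.IPv4Address(s))
    return (ip(spec) | ip(wildcard)) == (ip(addr) | ip(wildcard))

def parse_entry(line):
    t = line.split()
    addrs, i = [], 2
    for _ in range(2):  # source, then destination
        if t[i] == "any":
            addrs.append(("any", None)); i += 1
        else:
            addrs.append((t[i], t[i + 1])); i += 2
    rest = t[i:]
    return {"action": t[0], "proto": t[1], "src": addrs[0], "dst": addrs[1],
            "port_lt": int(rest[rest.index("lt") + 1]) if "lt" in rest else None,
            "established": "established" in rest}

def evaluate(acl_lines, pkt):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for line in acl_lines:
        e = parse_entry(line)
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not match_addr(*e["src"], pkt["src"]) or not match_addr(*e["dst"], pkt["dst"]):
            continue
        if e["port_lt"] is not None and pkt["dport"] >= e["port_lt"]:
            continue
        if e["established"] and not (pkt["flags"] & {"ACK", "RST"}):
            continue  # 'established' means the ACK or RST bit is set
        return e["action"], line
    return "deny", "implicit deny"

# Constructed packet: TCP segment with ACK set, RFC1918 source, destination port 80.
RFC1918_ACK = {"proto": "tcp", "src": "192.168.5.7", "dst": "10.0.0.1",
               "dport": 80, "flags": {"ACK"}}
```

Calling `evaluate(ORIGINAL_ACL, RFC1918_ACK)` returns the deny entry, while `evaluate(REORDERED_ACL, RFC1918_ACK)` returns the permit entry, which is the side effect the reply warns about.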
