> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 11:24 AM
> To: Mark Andrich
> Cc: [EMAIL PROTECTED]
> Subject: Re: Filters and DMZ's basic questions.....
>
>
>
> Mark,
>
> 1. If you are looking at just using the router ACLs and not getting
> something like a PIX or the IOS firewall stuff then you are going to have
> to have a lot of open ports. One way to do this is allow all TCP and UDP
> ports above 1024 and deny all TCP and UDP ports below 1024 except specific
> ports. This still leaves a pretty big hole. Your best bet would be to get
> something with firewall functionality. If you don't have any money to
> spend on this you could look at IPFilter, IPFW, IPChains, or any of the
> other free firewalls. They can do stuff like this.

The basic feature set in IOS 12 will allow you to do
established/reflexive access lists. These will allow you to at least
keep session-state for TCP. I don't think you need Firewall Feature
Set unless you want CBAC.
Henry
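
The three inbound filtering approaches mentioned in this thread (static high-port permit, the `established` keyword, and a reflexive list), modelled in Python as an added example that is not from either poster. The addresses, ports and names are constructed, and the model omits the idle timeout that real reflexive entries have.

```python
from collections import namedtuple

# Constructed packet model: addresses and ports are illustrative only.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def high_port_acl(pkt):
    """Static rule from the quoted message: inbound allowed if dest port > 1024."""
    return pkt.dport > 1024

def established_acl(pkt):
    """'established' keyword: inbound TCP allowed only if ACK or RST is set."""
    return bool({"ACK", "RST"} & set(pkt.flags))

class ReflexiveAcl:
    """Reflexive list: outbound traffic creates a temporary mirrored inbound entry."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        # Record the reversed tuple that a legitimate reply must match.
        self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions

def evaluate():
    inside, outside, stranger = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    reflexive = ReflexiveAcl()
    # Inside host opens a web session from an ephemeral port.
    reflexive.outbound(Pkt(inside, 40000, outside, 80, ("SYN",)))
    inbound = {
        "reply": Pkt(outside, 80, inside, 40000, ("SYN", "ACK")),
        "unsolicited_syn": Pkt(stranger, 5555, inside, 8080, ("SYN",)),
        "unsolicited_ack": Pkt(stranger, 5555, inside, 8080, ("ACK",)),
    }
    return {
        name: {
            "high_port": high_port_acl(p),
            "established": established_acl(p),
            "reflexive": reflexive.inbound(p),
        }
        for name, p in inbound.items()
    }

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The high-port rule passes all three inbound packets, `established` stops the bare SYN but still passes an unsolicited ACK, and only the reflexive list limits inbound traffic to replies for sessions opened from inside.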