It's an up for grabs thing.  With "established", that would only permit
things that went through the 3-way handshake already.  Or spoofed stuff,
which while possible in reality, that's more a CCIE Security quandary.

Your solution would work, and would be more elegant if we were talking about
only passive FTP and not anything that allowed for port-hopping.

Just my thoughts,

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
[EMAIL PROTECTED]
http://www.ipexpert.com
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gavin Lawson
Sent: Sunday, October 29, 2006 7:02 PM
To: [email protected]
Subject: [OSL | CCIE_RS] WB8.0 Lab 9.2


The part where we want to allow the FTP servers to work for clients not on
subnet 10.1.1.0/24

The workbook Proctor Guide's solution is
   Permit tcp 10.1.1.0 0.0.0.255 any established

Why wouldn't the below be better?
   permit tcp 10.1.1.0 0.0.0.255 eq ftp-data any 
   permit tcp 10.1.1.0 0.0.0.255 eq ftp any 

Especially since the last requirement is "All other traffic should be denied
at the earliest point".
The Proctor Guide solution would allow other traffic??

GL
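
Added example (not from either message): a small Python evaluator for the ACL subset used in this thread, so the two ACLs can be compared packet by packet. It assumes the ACL is applied to traffic leaving 10.1.1.0/24, the IOS rule that `established` matches TCP packets with the ACK or RST bit set, and constructed server/client addresses and ports.

```python
import ipaddress
from collections import namedtuple

# Constructed example: evaluator for the subset of Cisco extended ACL syntax used
# in the thread (tcp, any / addr+wildcard, 'eq <port>' on the source, 'established').
PORTS = {"ftp": 21, "ftp-data": 20}
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: set of TCP flags

def _match_addr(tokens, ip):
    """Consume 'any' or 'addr wildcard'; return (matched, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    net = int(ipaddress.ip_address(tokens[0]))
    care = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF  # wildcard bit 1 = don't care
    return (int(ipaddress.ip_address(ip)) & care) == (net & care), tokens[2:]

def ace_matches(ace, pkt):
    tokens = ace.lower().split()
    assert tokens[0] in ("permit", "deny") and tokens[1] == "tcp"
    ok, tokens = _match_addr(tokens[2:], pkt.src)
    if tokens and tokens[0] == "eq":            # source-port qualifier
        ok = ok and pkt.sport == PORTS[tokens[1]]
        tokens = tokens[2:]
    ok2, tokens = _match_addr(tokens, pkt.dst)
    ok = ok and ok2
    if tokens and tokens[0] == "established":  # IOS semantics: ACK or RST bit set
        ok = ok and bool(set(pkt.flags) & {"ACK", "RST"})
    return ok

def acl_permits(acl, pkt):
    """First matching entry wins; implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.lower().startswith("permit")
    return False

# The two ACLs from the thread, assumed applied to traffic leaving 10.1.1.0/24.
PROCTOR_ACL = ["permit tcp 10.1.1.0 0.0.0.255 any established"]
PORT_ACL = ["permit tcp 10.1.1.0 0.0.0.255 eq ftp-data any",
            "permit tcp 10.1.1.0 0.0.0.255 eq ftp any"]

def compare(pkt):
    return acl_permits(PROCTOR_ACL, pkt), acl_permits(PORT_ACL, pkt)

if __name__ == "__main__":
    # Constructed packets from server 10.1.1.5 to a client outside the subnet.
    for name, p in {"ftp control reply": Packet("10.1.1.5", 21, "192.0.2.10", 40000, {"ACK"}),
                    "passive data syn/ack": Packet("10.1.1.5", 50001, "192.0.2.10", 40001, {"SYN", "ACK"}),
                    "active data syn": Packet("10.1.1.5", 20, "192.0.2.10", 40002, {"SYN"}),
                    "http reply (non-ftp)": Packet("10.1.1.5", 80, "192.0.2.10", 40003, {"ACK"})}.items():
        print(name, "(proctor, ports) =", compare(p))
```

The run shows the trade-off the thread is about: the `established` entry passes any ACK/RST packet from the subnet (passive data and non-FTP replies alike) but drops a server-initiated active-mode SYN from port 20, while the port-based entries pass active data and control replies but nothing from the random high ports passive mode uses.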
