That's a good conceptual explanation. I would add that technically, it 
allows TCP packets that have the ACK bit set. In other words, it allows 
packets that are acknowledging another packet. That means it would not 
allow an incoming SYN used to set up a session, but it would allow a reply 
to a SYN that already happened.

Priscilla

At 06:26 PM 2/21/02, David Jones wrote:
>Justin,
>
>This is typically used in an Internet/NAT situation where you are allowing
>something from the Internet to come back in, only if it's a reply to a
>request that originated from inside your network.  For instance, with a
>router connected to the Internet, you typically want an access-list applied
>to your Internet-facing port that denies incoming traffic, as you don't want
>them trying to walk all over your router or network.  However, this same
>access list will drop valid replies to requests from clients inside your
>network, i.e. http replies, etc.
>
>With the 'established' option, you can tell the router with access lists
>"drop everything inbound from the Internet, except replies to requests made
>from inside my network".
>
>Typically, people do this because they don't want to pay for a firewall, but
>this isn't the best thing to do.  If you need to set this up for someone for
>Internet access, you need to dig a little deeper into it because if my
>memory serves me right, this command may or may not work with UDP traffic
>and only TCP traffic.  I'm not sure and might be totally wrong, so you need
>to check.
>
>Hope this helps,
>
>Dave
________________________

Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36147&t=36124
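To make the ACK-bit behaviour concrete, here is an added worked example (not code from the thread or from Cisco) that parses two constructed IOS-style access-list lines and evaluates constructed inbound packets against them. It models the 'established' keyword as Priscilla describes it, matching a TCP segment whose ACK bit is set; it also treats the RST bit as a match, which is how Cisco's documentation defines the keyword, so that part goes slightly beyond the thread. Only the 'any' and 'host' address forms are supported, and all addresses are made up for the example.

```python
from dataclasses import dataclass

# TCP flag bits as they sit in the flags byte of the TCP header.
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

# Constructed inbound access list of the kind the thread discusses
# (not taken from the original messages).
INBOUND_ACL_CONFIG = [
    "access-list 101 permit tcp any any established",
    "access-list 101 deny ip any any",
]


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    flags: int = 0    # TCP flag bits; ignored for non-TCP packets


@dataclass
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp" or "ip"
    src: str          # "any" or a single host address
    dst: str
    established: bool


def _take_addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (addr, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def parse_ace(line):
    """Parse one 'access-list <n> <action> <proto> <src> <dst> [established]' line."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    src, i = _take_addr(tokens, 4)
    dst, i = _take_addr(tokens, i)
    established = "established" in tokens[i:]
    if established and proto != "tcp":
        # The keyword has no meaning for UDP or IP entries; IOS rejects it there.
        raise ValueError("'established' is only valid on tcp entries")
    return Ace(action, proto, src, dst, established)


def _addr_matches(spec, addr):
    return spec == "any" or spec == addr


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.established:
        # 'established' inspects only the flag bits of this one segment:
        # ACK set (as described in the thread) or RST set (per Cisco's docs).
        # No connection table is consulted, so the check is stateless.
        return bool(pkt.flags & (TCP_ACK | TCP_RST))
    return True


def evaluate(acl, pkt):
    """Return the first matching entry's action, or the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def demo():
    """Evaluate constructed inbound packets; returns {case_name: verdict}."""
    acl = [parse_ace(line) for line in INBOUND_ACL_CONFIG]
    internet, inside = "198.51.100.9", "192.0.2.10"   # constructed addresses
    cases = {
        "inbound_syn":   Packet("tcp", internet, inside, TCP_SYN),
        "syn_ack_reply": Packet("tcp", internet, inside, TCP_SYN | TCP_ACK),
        "ack_reply":     Packet("tcp", internet, inside, TCP_ACK),
        "rst_reply":     Packet("tcp", internet, inside, TCP_RST),
        "udp_reply":     Packet("udp", internet, inside),
    }
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The run shows the two points made in the thread: a bare inbound SYN is denied while a SYN/ACK or ACK reply is permitted, and a UDP reply is dropped because 'established' only applies to TCP. It also shows why Dave calls this no substitute for a firewall: the decision is made per segment from the flag bits alone, with no record of whether an inside host ever opened the session, which is exactly what a stateful inspection firewall adds.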