Hi all,

I apologize for adding to the confusion :-)  I haven't used Cisco
ACLs in some time, and I mistakenly assumed that they had a "setup"
keyword to filter on the absence of the ACK bit, meaning the same
thing as "not established" (as does ipfw as used in FreeBSD).

Upon digging out my (old) Cisco docs, there appears to be only
the "established" keyword to filter on the presence of ACK and/or
RST bits, and no way to specify "not established". I haven't checked
to see if more recent Cisco ACLs have other options.

Without the ability to filter on either "setup" or "not established",
Lisa's suggestion in another post would be the correct approach:

> access-list 101 permit tcp any any range 40000 45000 established
>   (permit traffic streams that have been initiated from 'inside')
> access-list 101 deny tcp any any range 40000 45000 log
>    (deny initial attempts to this range and log them)
> access-list 101 permit ip any any
>    (permit all else IP)

Again, sorry for the confusion...

Carol

Lisa Napier wrote:
> 
> Hi all,
> 
> Many times there are different ways to write an access list.  So I checked
> this out.  I couldn't find a reference to the 'setup' keyword.  The thought
> process is correct though, and I think the keyword that is meant is
> 'established', a 'setup' keyword would just be a reverse of what I
> suggested - 'not established'.  If there is indeed a 'setup' keyword, that
> I missed, please let me know what version it is in, and I'll take back my
> comments, and go re-read my documentation again.
> 
> Thanks,
> 
> Lisa Napier
> Product Security Incident Response Team
> Cisco Systems
> 
> At 12:40 PM 11/17/1999 -0600, Carol Deihl wrote:
> >Hi Charlie,
> >
> >There are two sides to every TCP conversation. In the normal situation,
> >the web browser initiates with a message from a high port (1024 or
> >higher) to the destination on port 80. The web server replies back
> >from its port 80 to the browser computer's original port.
> >
> >Your "deny" is dropping those replies, since it doesn't distinguish
> >between replies in an ongoing connection and messages to
> >initiate a new connection.
> >
> >If you are trying to block outsiders from initiating new connections
> >to those high ports, you'll want to add "setup" at the end of the
> >"deny" rule. Or, be more general, and say something like
> >
> >         access-list 101 deny tcp any any gt 1023 setup log
> >
> >(I believe this is the Cisco syntax - check your docs to be sure).
> >
> >Hope this helps.
> >
> >Carol
> >
> >"Engasser, Charlie" wrote:
> > >
> > > I have a combo question.
> > >
> > >         I am running Firewall-1 3.0b 3048, and my router is a Cisco 2611
> > > running 12.0.6t.
> > >
> > >         We are getting a lot of chatter traffic on high ports above 30k
> > > coming inbound that appear to be associated with web browsing. The
> > > firewall blocks this traffic, and everything works fine. However if I
> > > create an ACL on the router that denies the traffic such as:
> > >
> > > on ser 0/1:
> > >
> > >         access-list 101 in
> > >
> > > access-list 101 deny tcp any any range 40000 45000 log
> > > access-list 101 permit ip any any
> > >
> > >         Then the traffic stops flowing.
> > >
> > > can anyone explain this?
> > >
> > > Charles Engasser
> > > Contracted Network Engineer
> > > Joint STARS; Joint Test Force.
> > > SC; Titan Inc.
> > > (407) or (321) 726-7048
> > > (407) or (321) 726-7243 (fax)
-- 
Carol Deihl - principal, Shrier and Deihl - mailto:[EMAIL PROTECTED]
Remote Unix Network Admin, Security, Internet Software Development
  Tinker Internet Services - Superior FreeBSD-based Web Hosting
                     http://www.tinker.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
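The following is an added illustration, not code from anyone in this thread: a small Python model of how the two access lists above are evaluated, to show why Charlie's original deny also drops the web server's replies and why Lisa's ordering lets them through. It assumes IOS semantics as described in the thread (first matching entry wins, an implicit deny at the end, and "established" matching only packets with ACK or RST set); the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port as seen inbound on the router
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", or "ip" (matches any protocol)
    dport: Optional[Tuple[int, int]]   # (low, high) from "range low high"; None = any
    established: bool = False          # "established": ACK or RST bit set
    log: bool = False                  # "log": a match writes a log message

def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and not (e.dport[0] <= p.dport <= e.dport[1]):
        return False
    # "established" is a flag check (ACK or RST), not connection tracking.
    if e.established and not (p.ack or p.rst):
        return False
    return True

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, bool]:
    # First matching entry wins; every IOS ACL ends with an implicit deny.
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.log
    return "deny", False

# Charlie's original list: the deny cannot tell replies from new connections.
CHARLIE_ACL = [
    Entry("deny", "tcp", (40000, 45000), log=True),
    Entry("permit", "ip", None),
]
# Lisa's version: permit return traffic first, then deny and log the rest.
LISA_ACL = [
    Entry("permit", "tcp", (40000, 45000), established=True),
    Entry("deny", "tcp", (40000, 45000), log=True),
    Entry("permit", "ip", None),
]

# Constructed sample packets arriving inbound on ser 0/1 (not from the thread).
WEB_REPLY = Packet("tcp", 42000, ack=True)   # web server answering the browser
NEW_CONN = Packet("tcp", 42000)              # outside host opening a new connection
DNS_REPLY = Packet("udp", 42000)             # non-TCP traffic, untouched by both lists
```

Running `evaluate(CHARLIE_ACL, WEB_REPLY)` returns the logged deny Charlie saw, while `evaluate(LISA_ACL, WEB_REPLY)` permits the reply and `evaluate(LISA_ACL, NEW_CONN)` still denies and logs the fresh connection attempt.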