Hi all,
Many times there are different ways to write an access list. So I checked
this out. I couldn't find a reference to the 'setup' keyword. The thought
process is correct though, and I think the keyword that is meant is
'established', a 'setup' keyword would just be a reverse of what I
suggested - 'not established'. If there is indeed a 'setup' keyword, that
I missed, please let me know what version it is in, and I'll take back my
comments, and go re-read my documentation again.
Thanks,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
At 12:40 PM 11/17/1999 -0600, Carol Deihl wrote:
>Hi Charlie,
>
>There are two sides to every TCP conversation. In the normal situation,
>the web browser initiates with a message from a high port (1024 or
>higher) to the destination on port 80. The web server replies back
>from its port 80 to the browser computer's original port.
>
>Your "deny" is dropping those replies, since it doesn't distinguish
>between replies in an ongoing connection and messages to
>initiate a new connection.
>
>If you are trying to block outsiders from initiating new connections
>to those high ports, you'll want to add "setup" at the end of the
>"deny" rule. Or, be more general, and say something like
>
> access-list 101 deny tcp any any gt 1023 setup log
>
>(I believe this is the Cisco syntax - check your docs to be sure).
>
>Hope this helps.
>
>Carol
>
>"Engasser, Charlie" wrote:
> >
> > I have a combo question.
> >
> > I am running Firewall-1 3.0b 3048, and my router is a Cisco 2611
> > running 12.0.6t.
> >
> > We are getting a lot of chatter traffic on high ports above 30k
> > coming inbound that appear to be associated with web browsing. The
> > firewall blocks this traffic, and everything works fine. However if I
> > create an ACL on the router that denies the traffic such as:
> >
> > on ser 0/1:
> >
> > access-list 101 in
> >
> > access-list 101 deny tcp any any range 40000 45000 log
> > access-list 101 permit ip any any
> >
> > Then the traffic stops flowing.
> >
> > Can anyone explain this?
> >
> > Charles Engasser
> > Contracted Network Engineer
> > Joint STARS; Joint Test Force.
> > SC; Titan Inc.
> > (407) or (321) 726-7048
> > (407) or (321) 726-7243 (fax)
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
>--
>Carol Deihl - principal, Shrier and Deihl - mailto:[EMAIL PROTECTED]
>Remote Unix Network Admin, Security, Internet Software Development
> Tinker Internet Services - Superior FreeBSD-based Web Hosting
> http://www.tinker.com/
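The behaviour the thread describes, as an added illustration that is not part of the original mailing-list messages: a small Python model of first-match extended ACL evaluation. It reproduces Charlie's list (deny the 40000-45000 range, then permit ip any any) and a hypothetical variant built around the IOS `established` keyword that Lisa refers to, which matches TCP segments with the ACK or RST bit set. The segment values, the entry ordering of the "fixed" list and the helper names are constructed for the example; it is not a parser for real IOS syntax and not Cisco's code.

```python
"""Toy model of Cisco IOS-style extended ACL matching (constructed example).

Shows why 'deny tcp any any range 40000 45000' also drops the web server's
replies to a browser, and how 'established' (ACK or RST set) lets those
replies through while still stopping new connections into the range.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A simplified inbound segment as seen on the router interface."""
    src_port: int
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class AclEntry:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'tcp', or 'ip' for any protocol
    dst_lo: Optional[int] = None   # inclusive destination port range;
    dst_hi: Optional[int] = None   # None on both means any port
    established: bool = False      # IOS 'established': ACK or RST bit set
    log: bool = False              # 'log' keyword; only recorded here

    def matches(self, seg: Segment) -> bool:
        if self.proto != "ip" and self.proto != seg.proto:
            return False
        if self.dst_lo is not None and not (self.dst_lo <= seg.dst_port <= self.dst_hi):
            return False
        # 'established' looks only at flags: it is a stateless check.
        if self.established and not (seg.ack or seg.rst):
            return False
        return True


def evaluate(acl: List[AclEntry], seg: Segment) -> Tuple[str, Optional[int]]:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for index, entry in enumerate(acl):
        if entry.matches(seg):
            return entry.action, index
    return "deny", None


# Charlie's list from the thread: deny the range, then permit everything.
CHARLIE_ACL = [
    AclEntry("deny", "tcp", 40000, 45000, log=True),
    AclEntry("permit", "ip"),
]

# Hypothetical 'established' variant (assumed ordering): admit segments that
# belong to an existing conversation first, then deny new ones into the range.
ESTABLISHED_ACL = [
    AclEntry("permit", "tcp", 40000, 45000, established=True),
    AclEntry("deny", "tcp", 40000, 45000, log=True),
    AclEntry("permit", "ip"),
]

# Constructed sample segments arriving inbound on the serial interface.
SERVER_REPLY = Segment(src_port=80, dst_port=42000, ack=True)     # web server answering a browser
INBOUND_SYN = Segment(src_port=33333, dst_port=42000, syn=True)   # outsider opening a new connection
OUTSIDE_TO_WEB = Segment(src_port=51000, dst_port=80, syn=True)   # new connection to a local web server


def compare(seg: Segment) -> Tuple[str, str]:
    """Action taken by Charlie's list versus the 'established' variant."""
    return evaluate(CHARLIE_ACL, seg)[0], evaluate(ESTABLISHED_ACL, seg)[0]


if __name__ == "__main__":
    for name, seg in [("server reply", SERVER_REPLY),
                      ("inbound SYN to 42000", INBOUND_SYN),
                      ("outside to web", OUTSIDE_TO_WEB)]:
        charlie, fixed = compare(seg)
        print(f"{name:22s} charlie={charlie:6s} established={fixed}")
```

The model makes Charlie's symptom visible: the server's reply to port 42000 carries ACK and is dropped by the first entry, which is why browsing stops, while the `established` variant admits it and still denies a bare SYN into the range. Two points worth keeping in mind: entry order matters because evaluation stops at the first match, and `established` inspects flags only, with no connection table behind it. A stateful product such as the Firewall-1 in Charlie's setup tracks the conversation itself, which is why it handles the same traffic without the ACL's side effect.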