At 04:07 PM 3/8/00 -0500, you wrote:
>Filtering router = barely any isolation, just drops packets and you have
>to let large sections of the port space back in so connections work
>(unless using the established keywords under cisco, but a router and
>filtering SHOULD NOT be your first line of defense.)
Interesting point. I've a Cisco 2501 router which connects to the 'net via
a 56k isdn connection. The ethernet port is connected to the outside of
the firewall (ip addr: x.x.x.3). Yesterday, I was mucking around with
access lists, and came up with the following:
access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 22
access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 25
access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
We allow inbound ssh, smtp and dns queries (plus tcp requests and zone
transfer requests from our secondary). Response packets are allowed in on
unpriv ports. Outbound access is not limited at the router (the firewall's
proxies take care of that) and icmp is unrestricted. In my mind, this list
is intended as a screen to protect the firewall from Internet nonsense.
I initially placed this list on the serial connection, which is the
incoming isdn. I had defined it as 'ip access-group 102 in', which
promptly cut off all access. I then placed it on the ethernet port as 'ip
access-group 102 out', which appears to work as it should.
Questions:
1. Why did the first definition not work? I would have thought either
definition would work the same.
2. What am I missing here? What else should I include (as a rule), and why?
Cheers!
Jon
-----------------------------------------------------------------
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown
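To make the first-match and implicit-deny behaviour of the posted list concrete, here is a small evaluator (an added example, not part of the original mail and not Cisco code). It parses access-list 102 as posted, runs a handful of constructed packets through it, and models the one difference the first question turns on: an inbound list on the serial port is consulted for every packet arriving from the ISDN side, including packets addressed to the router itself, while an outbound list on the ethernet port only sees packets the router forwards out that port. The addresses 192.0.2.x and 203.0.113.7 are placeholders for the redacted x.x.x values; whether this alone accounts for the cutoff Jon saw is not something the mail gives enough detail to settle.

```python
"""Evaluator for the numbered extended ACL posted above.

Added example, not part of the original mail or of any Cisco software. It
models only what the thread discusses: first-match evaluation, Cisco
wildcard masks (a 0 bit means that bit must match), the 'eq' and 'gt' port
operators, the implicit 'deny any' at the end of every list, and which
packets an 'in' list on the serial port versus an 'out' list on the
ethernet port gets to see. Addresses are constructed placeholders for the
redacted x.x.x.* values in the post.
"""
from ipaddress import IPv4Address

FIREWALL = "192.0.2.3"     # placeholder for x.x.x.3, the firewall's outside address
ROUTER_ETH = "192.0.2.1"   # placeholder for the 2501's own ethernet address
OTHER_HOST = "192.0.2.10"  # placeholder for another host on the outside segment
REMOTE = "203.0.113.7"     # placeholder for some host out on the Internet
ROUTER_ADDRESSES = {ROUTER_ETH}

# access-list 102 exactly as posted, with the placeholder substituted for x.x.x.3.
ACL_102_TEXT = f"""
access-list 102 permit tcp 0.0.0.0 255.255.255.255 {FIREWALL} 0.0.0.0 gt 1023
access-list 102 permit udp 0.0.0.0 255.255.255.255 {FIREWALL} 0.0.0.0 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 {FIREWALL} 0.0.0.0 eq 22
access-list 102 permit tcp 0.0.0.0 255.255.255.255 {FIREWALL} 0.0.0.0 eq 25
access-list 102 permit tcp 0.0.0.0 255.255.255.255 {FIREWALL} 0.0.0.0 eq 53
access-list 102 permit udp 0.0.0.0 255.255.255.255 {FIREWALL} 0.0.0.0 eq 53
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must match."""
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == int(IPv4Address(base)) & keep


def parse_acl(text):
    """Parse 'access-list N action proto src swild dst dwild [op port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        entries.append({"action": f[2], "proto": f[3],
                        "src": f[4], "swild": f[5], "dst": f[6], "dwild": f[7],
                        "op": f[8] if len(f) > 8 else None,
                        "port": int(f[9]) if len(f) > 9 else None})
    return entries


ACL_102 = parse_acl(ACL_102_TEXT)


def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; no match means the implicit deny at the end.

    Returns (action, index of the matching line) or ('deny', None)."""
    for i, e in enumerate(entries):
        if e["proto"] not in (proto, "ip"):
            continue
        if not wildcard_match(src, e["src"], e["swild"]):
            continue
        if not wildcard_match(dst, e["dst"], e["dwild"]):
            continue
        if e["op"] == "eq" and dport != e["port"]:
            continue
        if e["op"] == "gt" and not dport > e["port"]:
            continue
        return e["action"], i
    return "deny", None


def consulted(placement, dst):
    """Does the list even see a packet that arrived from the ISDN side?

    'serial in':    every packet entering the serial interface is checked,
                    including packets addressed to the router itself.
    'ethernet out': only packets the router forwards out its ethernet port
                    are checked; packets addressed to the router are never
                    sent out that interface, so the list never sees them.
    """
    if placement == "serial in":
        return True
    if placement == "ethernet out":
        return dst not in ROUTER_ADDRESSES
    raise ValueError(f"unknown placement: {placement}")


def verdict(placement, proto, src, dst, dport):
    """'permit', 'deny' or 'not checked' for one packet under one placement."""
    if not consulted(placement, dst):
        return "not checked"
    return evaluate(ACL_102, proto, src, dst, dport)[0]


if __name__ == "__main__":
    # Constructed packets: inbound SSH, a reply to an outbound web fetch
    # (unprivileged port), a connection to a high-numbered port, HTTP, DNS,
    # and traffic aimed at hosts other than the firewall.
    packets = [("tcp", REMOTE, FIREWALL, 22), ("tcp", REMOTE, FIREWALL, 34567),
               ("tcp", REMOTE, FIREWALL, 8080), ("tcp", REMOTE, FIREWALL, 80),
               ("udp", REMOTE, FIREWALL, 53), ("tcp", REMOTE, OTHER_HOST, 22),
               ("tcp", REMOTE, ROUTER_ETH, 23)]
    for placement in ("serial in", "ethernet out"):
        print(f"--- ip access-group 102 {placement} ---")
        for proto, src, dst, dport in packets:
            print(f"{proto} {src} -> {dst}:{dport:<5} {verdict(placement, proto, src, dst, dport)}")
```

Two things stand out when it runs: anything to a port above 1023 on the firewall is permitted by the first two lines, which is the "let large sections of the port space back in" cost of a stateless filter that the quoted reply is pointing at, and a packet for any destination other than x.x.x.3 falls through to the implicit deny, so a list placed where it sees more traffic than intended silently drops all of it.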