> Interesting point. I've a Cisco 2501 router which connects to the 'net via
> a 56k ISDN connection. The ethernet port is connected to the outside of
> the firewall (ip addr: x.x.x.3). Yesterday, I was mucking around with
> access lists, and came up with the following:
>
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 22
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 25
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
> access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
>
> I initially placed this list on the serial connection, which is the
> incoming ISDN. I had defined it as 'ip access-group 102 in', which
> promptly cut off all access. I then placed it on the ethernet port as
> 'ip access-group 102 out', which appears to work as it should.
>
> Questions:
>
> 1. Why did the first definition not work? I would have thought either
> definition would work the same.
>
You denied everything incoming that is standard TCP/IP, so you were able to
send packets but unable to receive any responses:
permit tcp gt 1023
but at the end there is always an implicit deny!
> 2. What am I missing here? What else I should include (as a
> rule), and why?
I don't really know what you mean here; it works, doesn't it?
You allow responses from your e0 to the net for those packets that you
received!
Using ACLs on a router is awkward; always reboot when you make changes, to be
sure that the rules are applied like they should be!
It's also better to use the established keyword, so you can establish a
connection from the e0 to the internet, but not vice versa!
Hope this helps or maybe it creates more questions ;-)
Erwin
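As an added example, not code from the original thread or from Erwin's reply, the script below models how IOS walks an extended access list (first matching entry wins, and falling off the end is the implicit deny Erwin mentions) and compares the poster's list 102 with a version that uses the `established` keyword he recommends. The address 192.0.2.3 stands in for the poster's x.x.x.3, the 203.0.113.x peers and the sample inbound packets are constructed, and the narrower UDP rule that only admits DNS answers is an assumption made for the example, since UDP has no flag for `established` to check.

```python
# Added example: a small model of Cisco IOS extended access-list evaluation.
# Not code from the original thread; addresses, packets and the hardened list
# are constructed for illustration (192.0.2.3 stands in for x.x.x.3).
from dataclasses import dataclass

FW = "192.0.2.3"  # outside address of the firewall (constructed stand-in)

# The poster's list 102 in IOS shorthand:
# "0.0.0.0 255.255.255.255" is "any", "x.x.x.3 0.0.0.0" is "host x.x.x.3".
ORIGINAL_ACL = f"""
access-list 102 permit tcp any host {FW} gt 1023
access-list 102 permit udp any host {FW} gt 1023
access-list 102 permit tcp any host {FW} eq 22
access-list 102 permit tcp any host {FW} eq 25
access-list 102 permit tcp any host {FW} eq 53
access-list 102 permit udp any host {FW} eq 53
"""

# Version using `established`: it matches TCP segments with ACK or RST set,
# i.e. replies to connections the firewall opened, instead of any packet to a
# high port. UDP has no such flag, so the UDP reply rule is narrowed to DNS
# answers (source port 53); that narrowing is an assumption for the example.
ESTABLISHED_ACL = f"""
access-list 102 permit tcp any host {FW} established
access-list 102 permit udp any eq 53 host {FW} gt 1023
access-list 102 permit tcp any host {FW} eq 22
access-list 102 permit tcp any host {FW} eq 25
access-list 102 permit tcp any host {FW} eq 53
access-list 102 permit udp any host {FW} eq 53
"""

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when ACK or RST is set (TCP only)

def _ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def _addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at token i."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    """Parse an optional 'eq N', 'gt N' or 'lt N' operator."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append((action, proto, src, sport, dst, dport, "established" in t[i:]))
    return rules

def _match_addr(spec, ip):
    addr, wild = spec
    mask = ~wild & 0xFFFFFFFF  # wildcard bits are "don't care"
    return ip & mask == addr & mask

def _match_port(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]

def evaluate(rules, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, proto, src, sport, dst, dport, established in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(src, _ip(pkt.src)) and _match_port(sport, pkt.sport)):
            continue
        if not (_match_addr(dst, _ip(pkt.dst)) and _match_port(dport, pkt.dport)):
            continue
        if established and not pkt.ack:
            continue
        return action
    return "deny"

# Constructed inbound packets as they would arrive on the serial interface.
REPLY = Packet("tcp", "203.0.113.10", 80, FW, 40000, ack=True)  # answer to outbound HTTP
PROBE = Packet("tcp", "203.0.113.10", 31337, FW, 8080)          # unsolicited SYN, high port
DNS_ANSWER = Packet("udp", "203.0.113.53", 53, FW, 40001)
UDP_PROBE = Packet("udp", "203.0.113.10", 31337, FW, 8080)
TELNET = Packet("tcp", "203.0.113.10", 50000, FW, 23)

def compare():
    """Return {name: (verdict under original list, verdict under established list)}."""
    orig, hard = parse_acl(ORIGINAL_ACL), parse_acl(ESTABLISHED_ACL)
    samples = {"reply": REPLY, "probe": PROBE, "dns_answer": DNS_ANSWER,
               "udp_probe": UDP_PROBE, "telnet": TELNET}
    return {k: (evaluate(orig, p), evaluate(hard, p)) for k, p in samples.items()}

if __name__ == "__main__":
    for name, (o, h) in compare().items():
        print(f"{name:10s} original={o:6s} established={h}")
```

The point the comparison makes: under the poster's list an unsolicited SYN to any port above 1023 on the firewall is permitted, because `gt 1023` cannot tell a reply from a new connection; with `established` the same SYN hits the implicit deny while genuine replies (ACK set) still pass. The UDP rules remain the weak spot in both versions, since there is nothing comparable to `established` for UDP.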