On Sat, 11 Mar 2000 [EMAIL PROTECTED] wrote:

> On 03/09/2000 at 14:38:05 CST, "Eric Johnson" <[EMAIL PROTECTED]> wrote:
> > On 9 Mar 00, at 15:24, John Adams wrote:
> > >  deny   ip 192.168.0.0 0.0.255.255 any log
> > >  permit tcp any any lt 1024 established
> >
> > Wouldn't locating the permit any established at the start of the list
> > be far more efficient?
> 
> It might be slightly more efficient, but it would also have undesirable
> side effects.  Remember that IOS access lists are processed until the first
> match is found.  With the example shown, it would allow any tcp packet from
> the rfc1918 address range that has the ACK or RST bit (the meaning of
> "established") to a port less than 1024.  Clearly that is not what is
> wanted.

I doubt it would be more efficient; I want the list to be processed in the
order displayed. There are a lot of ports above 1024 that we never want
passed, so that's the intended result.

-john
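The first-match behaviour described in the quoted reply, as an added example that is not part of the thread: a small evaluator (my own code, with constructed packets) for the two ACL entries quoted above, run in the original order and with the `permit ... established` entry moved to the front. The wildcard-mask and `established` semantics follow the IOS description given in the reply; the packet dictionaries are constructed for illustration.

```python
# Added example (not from the thread): a minimal first-match evaluator for the
# two IOS-style ACL entries quoted above, to show why reordering them would
# admit 192.168.0.0/16-sourced packets that carry ACK or RST.
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard masks: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def entry_matches(entry: dict, pkt: dict) -> bool:
    """One access-list entry against one packet; every present field must match."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if "dport_lt" in entry and not (pkt["proto"] == "tcp" and pkt["dport"] < entry["dport_lt"]):
        return False
    # 'established' matches only segments with ACK or RST set.
    if entry.get("established") and not (pkt.get("ack") or pkt.get("rst")):
        return False
    return True

def evaluate(acl: list, pkt: dict) -> str:
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"

# The two entries from the thread; 'any' is 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
DENY_RFC1918 = {"action": "deny", "proto": "ip", "src": ("192.168.0.0", "0.0.255.255")}
PERMIT_ESTABLISHED = {"action": "permit", "proto": "tcp", "src": ANY,
                      "dport_lt": 1024, "established": True}

ORIGINAL_ORDER = [DENY_RFC1918, PERMIT_ESTABLISHED]
REORDERED = [PERMIT_ESTABLISHED, DENY_RFC1918]

# Constructed sample packet: 192.168/16 source, ACK set, destination port 80.
SPOOFED_ACK = {"proto": "tcp", "src": "192.168.1.10", "dport": 80, "ack": True}

if __name__ == "__main__":
    print("original order:", evaluate(ORIGINAL_ORDER, SPOOFED_ACK))  # deny
    print("reordered     :", evaluate(REORDERED, SPOOFED_ACK))       # permit
```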
