> >I think that out means leaving, so on e0 out is in the
> >router (the opposite direction of your arrow !)
>
> Wouldn't 'out' refer to packets leaving the router, as you mentioned, and
> as I drew?  I'm envisioning 'out' in this case, as referring to a packet
> which leaves the router via the ethernet interface, and is destined for the
> firewall.
This is what I found in the documentation:
Access lists are applied on either outbound or inbound interfaces. For
standard inbound access lists, after receiving a packet, the Cisco IOS
software checks the source address of the packet against the access list.
For extended access lists, the router also checks the destination access
list. If the access list permits the address, the software continues to
process the packet. If the access list rejects the address, the software
discards the packet and returns an ICMP Host Unreachable message.

For standard outbound access lists, after receiving and routing a packet to
a controlled interface, the software checks the source address of the packet
against the access list. For extended access lists, the router also checks
the destination access list. If the access list permits the address, the
software transmits the packet. If the access list rejects the address, the
software discards the packet and returns an ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

> So, if I use the 'established' keyword, I can then get rid of the rules to
> allow inbound response packets (> 1023), correct?
Yep, except if you want to allow some protocols initiating access from
outside.

Erwin
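The two points argued in this thread, which interface direction an access list is checked at and what `established` buys you, can be made concrete with a small evaluator. The following is an added example written for this page; it is not Cisco code and not part of the original mail. It models the behaviour in the documentation quoted above (source and destination checks, the implicit deny at the end of a list, a list that does not exist passing everything, inbound lists consulted on receipt and outbound lists only after routing) and the `established` keyword, which matches only TCP segments carrying the ACK or RST bit. The rule syntax is a constructed subset of IOS syntax (`any` or `host A.B.C.D`, `eq`/`gt`/`lt` on the destination port, no wildcard masks) and all addresses, ports and packets are constructed sample data.

```python
"""Toy evaluator for Cisco IOS-style extended access lists (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False     # TCP ACK bit (clear on the first SYN of a session)
    rst: bool = False     # TCP RST bit


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: str                           # "any" or a host address
    dst: str
    dport: Optional[Tuple[str, int]]   # ("eq", 25), ("gt", 1023), ...
    established: bool


def parse_rule(line: str) -> Rule:
    """Parse one entry such as 'permit tcp any any established' (subset syntax)."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def take_addr() -> str:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        if toks[i] == "host":
            i += 2
            return toks[i - 1]
        raise ValueError(f"unsupported address form: {toks[i]}")

    src, dst = take_addr(), take_addr()
    dport, established = None, False
    while i < len(toks):
        if toks[i] in ("eq", "gt", "lt"):
            dport = (toks[i], int(toks[i + 1]))
            i += 2
        elif toks[i] == "established":
            established = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword: {toks[i]}")
    return Rule(action, proto, src, dst, dport, established)


def parse_acl(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None:
        op, n = rule.dport
        if (op == "eq" and pkt.dport != n) or (op == "gt" and pkt.dport <= n) \
                or (op == "lt" and pkt.dport >= n):
            return False
    # 'established' looks only at TCP flag bits: a segment answering a session
    # opened from the protected side carries ACK (or RST); a fresh SYN from
    # outside does not, so it falls through to the implicit deny.
    if rule.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(acl: Optional[List[Rule]], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    if acl is None:            # list referenced but never defined: all passed
        return "permit"
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


@dataclass
class Interface:
    name: str
    in_acl: Optional[List[Rule]] = None    # ip access-group N in
    out_acl: Optional[List[Rule]] = None   # ip access-group N out


def forward(pkt: Packet, ingress: Interface, egress: Interface) -> str:
    """'in' is checked as the packet arrives on ingress; 'out' only after
    routing, as the packet is about to leave through egress."""
    if evaluate(ingress.in_acl, pkt) == "deny":
        return f"dropped by {ingress.name} in"
    if evaluate(egress.out_acl, pkt) == "deny":
        return f"dropped by {egress.name} out"
    return "transmitted"


# Constructed lists: LOOSE opens every high port to sessions started from
# outside; TIGHT replaces that entry with 'established'.
LOOSE = parse_acl("permit tcp any host 10.0.0.5 eq 25\npermit tcp any any gt 1023")
TIGHT = parse_acl("permit tcp any host 10.0.0.5 eq 25\npermit tcp any any established")

# Constructed packets arriving on the outside (serial) interface.
REPLY_FROM_WEB = Packet("tcp", "203.0.113.9", "10.0.0.7", 80, 40000, ack=True)
NEW_SYN_TO_8080 = Packet("tcp", "203.0.113.9", "10.0.0.7", 51000, 8080)
SMTP_SYN = Packet("tcp", "203.0.113.9", "10.0.0.5", 51001, 25)

if __name__ == "__main__":
    serial0, e0 = Interface("Serial0", in_acl=TIGHT), Interface("Ethernet0")
    for label, pkt in (("reply", REPLY_FROM_WEB), ("syn 8080", NEW_SYN_TO_8080), ("smtp", SMTP_SYN)):
        print(f"{label:9s} loose={evaluate(LOOSE, pkt):6s} tight={evaluate(TIGHT, pkt):6s} {forward(pkt, serial0, e0)}")
```

Running it shows the trade-off Erwin describes: the web reply and the SMTP connection to the mail host pass both lists, but a new connection from outside to port 8080 is permitted by the `gt 1023` entry and dropped by the `established` one. Any protocol that legitimately initiates from outside therefore still needs its own `permit` entry above the `established` line. The `forward` function also illustrates the direction question: an inbound list on `Serial0` sees the packet on receipt, before routing, whereas an outbound list on `Ethernet0` would only see it after routing, as it leaves toward the firewall.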
