Palitha Weerakkody wrote:
> 
> As far as I understand, when you block IP you can't ping. So try
> "access-list 121 permit ip any any log".
> 
> In your rule 1 you deny ip access to a specific host or subnet, but in rule 7 you
> deny ip to all, so I think there is no point putting rule 1. Same with rules 2, 3 and
> 4, because you permit tcp to all in rule 6. I think you shouldn't permit tcp
> any any; only allow what you want. Someone can correct me if I am wrong.

There is one HUGE problem underlying all of this. You speak of
"ICMP needing IP". Well. Guess what: so do ALL OTHER PROTOCOLS THAT
YOU CAN CONTROL IN YOUR ACLS.

TCP lives on top of IP.
UDP lives on top of IP.
ICMP lives on top of IP.

etc, etc, etc,... All protocols that can be used across the internet
use IP. (Why do you think it's called TCP/IP? "TCP over IP"!)

So when you do "permit ip any any", you do:
"permit tcp any any", "permit udp any any", "permit icmp any any", etc, etc,
etc, etc.


... hmm this is getting grumpier than I intended. Time for my
first coffee of the day.

Cheers,
/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
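The point argued above, as an added example that is not part of the original
post or of any poster's configuration: a small first-match evaluator for
Cisco-style extended ACL entries. It shows that an entry on protocol "ip"
matches tcp, udp and icmp alike, that a "permit icmp any any" placed after
"deny ip any any" is never reached, and that swapping the catch-all for
"permit ip any any log" opens everything the earlier entries did not deny. The
ACL lines, the addresses (RFC 5737 documentation ranges) and the function names
are assumptions made for the illustration; port operators (eq/gt/range) and
non-contiguous wildcard masks are not modelled.

```python
"""Added example, not from the original post: a first-match evaluator for
Cisco-style extended ACL entries.  The ACL and packets are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str


@dataclass(frozen=True)
class Entry:
    action: str  # "permit" or "deny"
    proto: str   # "ip" (any IP protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def covers_proto(self, proto: str) -> bool:
        # "ip" is the superset: tcp, udp and icmp all ride on top of IP.
        return self.proto == "ip" or self.proto == proto

    def matches(self, pkt: Packet) -> bool:
        return (self.covers_proto(pkt.proto)
                and ipaddress.IPv4Address(pkt.src) in self.src
                and ipaddress.IPv4Address(pkt.dst) in self.dst)

    def shadows(self, other: "Entry") -> bool:
        # True when every packet `other` could match is already matched here,
        # so `other` can never be reached if it comes later in the list.
        return (self.covers_proto(other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def _parse_addr(tokens, i):
    """Parse one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'
    (address plus Cisco wildcard mask).  Returns (network, next token index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is an inverted netmask; invert it back before handing
    # it to ipaddress so that 0.0.0.0 (host) and 255.255.255.255 (any) work.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((tok, netmask), strict=False), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [log]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported entry: {line!r}")
    src, i = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, i)   # a trailing "log" keyword is ignored
    return Entry(action, proto, src, dst)


def first_match(acl, pkt):
    """Return (action, index) of the first matching entry, or ("deny", None)
    for the implicit deny that ends every Cisco ACL."""
    for idx, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, idx
    return "deny", None


def shadowed_entries(acl):
    """Map the index of each unreachable entry to the index of the earlier
    entry that fully covers it (the action of either entry does not matter)."""
    result = {}
    for j, later in enumerate(acl):
        for i in range(j):
            if acl[i].shadows(later):
                result[j] = i
                break
    return result


# Constructed ACL in the spirit of the thread: specific denies, a broad tcp
# permit, a catch-all deny, and an icmp permit that can never be reached.
SAMPLE_ACL = [parse_entry(line) for line in [
    "access-list 121 deny ip host 192.0.2.10 any",           # 0: one host, all protocols
    "access-list 121 deny tcp 198.51.100.0 0.0.0.255 any",   # 1: tcp from one subnet
    "access-list 121 permit tcp any any",                    # 2: every other tcp flow
    "access-list 121 deny ip any any log",                   # 3: catch-all
    "access-list 121 permit icmp any any",                   # 4: shadowed by 3
]]

# Same list with the catch-all swapped for "permit ip any any log": anything
# entries 0 and 1 did not deny now passes, udp and icmp included.
OPEN_ACL = SAMPLE_ACL[:3] + [parse_entry("access-list 121 permit ip any any log")]

if __name__ == "__main__":
    ping = Packet("icmp", "203.0.113.1", "10.0.0.1")
    print(first_match(SAMPLE_ACL, ping))   # ('deny', 3): the icmp permit is never reached
    print(shadowed_entries(SAMPLE_ACL))   # {4: 3}
    print(first_match(OPEN_ACL, Packet("udp", "203.0.113.1", "10.0.0.1")))  # ('permit', 3)
```

Running `shadowed_entries` over a real list before pushing it is the check
worth keeping: any entry it reports is dead configuration, and a permit that
turns out to be shadowed by a catch-all deny is the usual reason a ping
"mysteriously" fails.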