Not sure where those port >60000 packets are coming from, but:

I've seen tftp implementations that do funny things with port numbers. Specifically, if C is client and S is server,

    C --> S  src-port=N1  dst-port=69
    S --> C  src-port=N2  dst-port=N1

where both N1 and N2 are high numbers. The point is that the returning packets were NOT showing up with src-port=69 as one would expect but with some dynamic high port number N2, which messed up my filtering at the time.

I thought this was relevant but your email seems to indicate high dst-port numbers so maybe it's something else.

HTH,
Avishai

--- Shay Hugi <[EMAIL PROTECTED]> wrote:
>
> Hi..
> I'm using cisco access lists to deny users with cable modems from accessing our
> network.
> The problem is:
> I needed to add the services the users are allowed to use when they are using our
> internal systems.
> Some of them are... modem sync.. (DHCP requests from both modem & user's
> computer.)
>
> So I've added the list of ports needed:
> bootps, tftp, time, to both our CNRs 172.19.2.5, 172.19.4.5.
> ...
> .............
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq bootps
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq bootps
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 eq tftp
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 eq tftp
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.4.5 eq time
> access-list 111 permit udp 10.0.0.0 0.255.255.255 host 172.19.2.5 eq time
> ...........
> ......
> access-list 111 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
> access-list 111 permit ip any any
>
> And the customers' modems just didn't go online...
> So I brought a GI modem with an internal modem webpage so I'll be able to see
> in what status it is being blocked, and I've also gone into debugging mode on
> the router.
>
> Snooped a bit,
> and I saw there are requests from the modems to ports that are higher than
> 60000...
> So I've also enabled port 60000 and greater, so now I solved the problem.
>
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.4.5 gt 60000
> access-list 111 permit udp 10.64.0.0 0.31.255.255 host 172.19.2.5 gt 60000
> ..........................
>
> But...
>
> I still wanna know why do I need those ports open?
> And which service is using them?
>
> Thanks
> -Shay Hugi
> -Mpthrill.com
>
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > For Account Management (unsubscribe, get/change password, etc) Please go to:
> > http://lists.gnac.net/mailman/listinfo/firewalls
>
> --
> Firewalls mailing list - [ [EMAIL PROTECTED] ]
> To unsubscribe: http://www.isc.org/services/public/lists/firewalls.html

=====
Avishai Wool, Ph.D., Chief Scientist & Co-Founder, Lumeta Corp.
http://research.lumeta.com/yash/ http://www.eng.tau.ac.il/~yash
[EMAIL PROTECTED] Tel: +972-3-640-7206 Fax: +972-3-640-7095
** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
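The TFTP port behaviour Avishai describes, worked through as an added example (not code from either poster) against a stateless ACL in the style of the thread's access-list 111. It also models the client's ACKs, which RFC 1350 sends to the server's new transfer ID rather than to port 69, so a stateless `eq tftp` entry matches only the first datagram of a transfer. The client address 10.64.1.20 and the port numbers 1067 and 61234 are constructed values; the server 172.19.4.5 is the CNR named in Shay's list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def tftp_read_exchange(client, server, n1=1067, n2=61234, blocks=2):
    """Datagrams of one TFTP read (RFC 1350). Only the RRQ is sent to port 69;
    the server answers from a fresh transfer ID n2, and every later client
    datagram (the ACKs) is sent to that high port, never to 69."""
    pkts = [Pkt(client, n1, server, 69)]            # RRQ
    for _ in range(blocks):
        pkts.append(Pkt(server, n2, client, n1))    # DATA from the new TID
        pkts.append(Pkt(client, n1, server, n2))    # ACK to the new TID
    return pkts

# Simplified Cisco-style entries: (action, destination host, dst-port test).
def eq(port):
    return lambda dport: dport == port

def gt(port):
    return lambda dport: dport > port

ACL_ORIGINAL = [("permit", "172.19.4.5", eq(69))]                  # eq tftp
ACL_FIXED = ACL_ORIGINAL + [("permit", "172.19.4.5", gt(60000))]   # gt 60000

def acl_decision(acl, pkt):
    """First matching entry wins; the thread's list ends with a deny for
    10/8 -> 172.16/12, which is what an unmatched packet hits here."""
    for action, host, test in acl:
        if pkt.dst == host and test(pkt.dport):
            return action
    return "deny"

def client_to_server_verdicts(acl, client="10.64.1.20", server="172.19.4.5"):
    """Verdict for each datagram in the client->server direction, the
    direction the quoted access-list 111 inspects."""
    return [acl_decision(acl, p)
            for p in tftp_read_exchange(client, server) if p.src == client]

def server_reply_ports(client="10.64.1.20", server="172.19.4.5"):
    """Source ports of the server's replies: never 69, as Avishai observed."""
    return [p.sport for p in tftp_read_exchange(client, server) if p.src == server]

if __name__ == "__main__":
    print(client_to_server_verdicts(ACL_ORIGINAL))  # ['permit', 'deny', 'deny']
    print(client_to_server_verdicts(ACL_FIXED))     # ['permit', 'permit', 'permit']
```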
