----- Original Message ----- From: "Ronald Warner" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, September 12, 2003 11:05 AM Subject: Re: [plug] offtopic access-list allow certain icmp
> i thought about that but the access-list below will allow other hosts to
> send icmp packets to that subnet. i just want hosts in the specified
> subnet to be able to ping.
>
> >From: "Mark M. Barrios" <[EMAIL PROTECTED]>
> >Reply-To: Philippine Linux Users Group Mailing List <[EMAIL PROTECTED]>
> >To: Philippine Linux Users Group Mailing List <[EMAIL PROTECTED]>
> >Subject: Re: [plug] offtopic access-list allow certain icmp
> >Date: Fri, 12 Sep 2003 10:28:10 +0800
> >
> >try permitting the reply packets back.
> >
> >eg.
> >
> >access-list 110 permit icmp any 192.168.1.0 0.0.0.255
> >
> >HTH
> >
> >Ronald Warner wrote:
> >>Good day.
> >>
> >>I am trying to find a way to block icmp but allowing only a certain ip
> >>subnet icmp access on a cisco router. blocking is simple. but allowing
> >>only a certain, i am having problems with. i have tried:
> >>
> >>access-list 110 permit icmp 192.168.1.0 0.0.0.255 any
> >>access-list 110 deny icmp any any
> >>access-list 110 permit ip any any
> >>
> >>but this did not work.
> >>
> >>Is there a way for this?

since you only want to allow and deny ping packets on a certain segment block... the above three lines indicate that you allow and deny *all* kinds of icmp packets which is very dangerous... what you only want to do is to specify the icmp echo packets and not the rest of it.. for example:

access-list 110 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 110 deny icmp any any echo
access-list 110 permit ip any any

after this, put this on your *incoming* interface(s) where the traffic you want to allow and deny.... there is no need to put an access list to allow or deny icmp reply if the icmp echo is already allowed or blocked...

fooler.

-- 
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
. To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
. Are you a Linux newbie?
To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
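The following is an added example and is not part of the thread above or written by any of its participants. It is a small simulator of Cisco IOS extended-ACL evaluation (first matching entry wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care") covering only the syntax the thread uses: `any`, `host`, `network wildcard`, protocols `ip`/`icmp`, and an optional ICMP type name. It runs Ronald's original three lines and fooler's echo-only version against the same constructed packets (the 203.0.113.1 outside host and the packet dictionaries are made up for the example) in both directions a router would see them, to show why matching only `echo` matters: a blanket `deny icmp any any` also eats the `echo-reply` coming back from the outside, while the echo-only version lets the reply fall through to `permit ip any any` and still blocks pings originated by outsiders or by other inside subnets.

```python
"""Simulate first-match evaluation of Cisco IOS numbered extended ACLs.

Added example, not code from the mailing-list thread. Models only the
subset of ACL syntax used in the thread (no ports, 'established', 'log').
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two ACLs from the thread, verbatim.
ORIGINAL_ACL = """
access-list 110 permit icmp 192.168.1.0 0.0.0.255 any
access-list 110 deny icmp any any
access-list 110 permit ip any any
"""

FIXED_ACL = """
access-list 110 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 110 deny icmp any any echo
access-list 110 permit ip any any
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches everything, else exact match
    src: tuple                  # (network, wildcard) as 32-bit ints
    dst: tuple
    icmp_type: Optional[str]    # None = any ICMP type


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'net wildcard'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        aces.append(Ace(action, proto, src, dst, icmp_type))
    return aces


def _wc_match(addr: int, spec) -> bool:
    # Wildcard mask: bits set to 1 are ignored, bits set to 0 must match.
    net, wc = spec
    return ((addr & ~wc) & 0xFFFFFFFF) == ((net & ~wc) & 0xFFFFFFFF)


def evaluate(aces, pkt) -> str:
    """pkt: dict with src, dst, proto and (for icmp) icmp_type."""
    s, d = _ip(pkt["src"]), _ip(pkt["dst"])
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_wc_match(s, ace.src) and _wc_match(d, ace.dst)):
            continue
        if ace.icmp_type and ace.icmp_type != pkt.get("icmp_type"):
            continue
        return ace.action          # first match wins
    return "deny"                  # implicit deny at the end of every ACL


# Constructed sample packets (not captures). 203.0.113.1 is a made-up outside host.
# Seen inbound on the outside interface:
REPLY_IN = {"src": "203.0.113.1", "dst": "192.168.1.10", "proto": "icmp", "icmp_type": "echo-reply"}
OUTSIDER_PING = {"src": "203.0.113.1", "dst": "192.168.1.10", "proto": "icmp", "icmp_type": "echo"}
TCP_IN = {"src": "203.0.113.1", "dst": "192.168.1.10", "proto": "tcp"}
# Seen inbound on the LAN interface(s):
LAN_PING = {"src": "192.168.1.10", "dst": "203.0.113.1", "proto": "icmp", "icmp_type": "echo"}
OTHER_LAN_PING = {"src": "192.168.2.5", "dst": "203.0.113.1", "proto": "icmp", "icmp_type": "echo"}


def compare():
    """Return {packet_name: (verdict under ORIGINAL_ACL, verdict under FIXED_ACL)}."""
    orig, fixed = parse_acl(ORIGINAL_ACL), parse_acl(FIXED_ACL)
    pkts = {"reply_in": REPLY_IN, "outsider_ping": OUTSIDER_PING, "tcp_in": TCP_IN,
            "lan_ping": LAN_PING, "other_lan_ping": OTHER_LAN_PING}
    return {name: (evaluate(orig, p), evaluate(fixed, p)) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (o, f) in compare().items():
        print(f"{name:15} original={o:7} fixed={f}")
```

The one row that differs is `reply_in`: the original ACL denies the echo-reply, the echo-only ACL permits it, which is why fooler's version needs no separate rule for replies. Both versions deny pings from outsiders and from 192.168.2.0/24 and pass ordinary TCP, so the fix narrows the ICMP match without loosening anything else.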
