RE: ********* Access List Enquiry **************
Tom, great answer, but I think you will find that TCP 53 is used for large lookups and some tools that do lookups. Generally, as you say, TCP 53 is zone... but NOT always.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Pruneau
Sent: Sunday, January 20, 1980 9:26 PM
To: GNOME; [EMAIL PROTECTED]
Subject: Re: * Access List Enquiry **

> Another observation of your example is that you are filtering on TCP port 53.
> TCP port 53 is only used for zone transfers between a secondary and a primary
> DNS server. Normal lookups, the type done by the majority of hosts on the net,
> use UDP port 53.
>
> Tom

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: ********* Access List Enquiry **************
Well, in any circumstance, whatever device generates traffic to any target, this device will use a port number greater than 1023 as the "from port #", and the "destination port #" will be specific, like "80" or "53" etc. When the target device receives this packet, it will swap the "from port #" and the "destination port #" and vice versa, so Example 1 and Example 2 are exactly the same. As far as your example is concerned, your access list is for incoming traffic.

Sam Li

GNOME <[EMAIL PROTECTED]> wrote in message news:8tk0jn$e29$[EMAIL PROTECTED]...
> Which one of the access-lists is normally used?
>
> Example 1
> ---
> access-list 102 permit tcp any host 172.16.0.1 eq 80
> access-list 102 permit tcp any host 172.16.0.1 eq 53
>
> Example 2
> ---
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)
Re: ********* Access List Enquiry **************
Example 1 is most common. Example 2 is a little more picky. Realistically, a connection that is sourced to web or DNS should originate on a non-privileged port (>=1024), so this just makes sure of that. I don't go through that kind of intensiveness in my ACLs; I feel that checking the destination port/address is good enough.

Brian

On Mon, 30 Oct 2000, GNOME wrote:
> Which one of the access-lists is normally used?
>
> Example 1
> ---
> access-list 102 permit tcp any host 172.16.0.1 eq 80
> access-list 102 permit tcp any host 172.16.0.1 eq 53
>
> Example 2
> ---
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
Re: ********* Access List Enquiry **************
I think it is the normal practice because historically that was the only capability which routers had (filtering on destination ports), and as the IOS became more capable people were either unsure, or reluctant, to change their ways. The second example is more secure, and to take it a step further (towards tighter security) I would filter on established too (where appropriate). The gt 1023 refers to the random high-numbered port that a host assigns for the response to any packet sent to a well-known port.

Another observation of your example is that you are filtering on TCP port 53. TCP port 53 is only used for zone transfers between a secondary and a primary DNS server. Normal lookups, the type done by the majority of hosts on the net, use UDP port 53.

Tom

At 10:28 PM 10/30/2000 +0800, GNOME wrote:
> Which one of the access-lists is normally used?
>
> Example 1
> ---
> access-list 102 permit tcp any host 172.16.0.1 eq 80
> access-list 102 permit tcp any host 172.16.0.1 eq 53
>
> Example 2
> ---
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
> access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
> (notice the gt 1023)

Tom Pruneau
Trainer, Network Operations
GENUITY
3 Van de Graff Drive
Burlington Ma. 01803
24 Hr. Network Operations Center 800-436-8489
If you need to get a hold of me my hours are 7AM-3PM ET Mon-Fri
--- This email is composed of 82% post consumer recycled data bits ---
"Once in a while you get shown the light in the strangest of places if you look at it right"
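Sam's claim above that the two examples are exactly the same, and Tom's points about `gt 1023` and `established`, can be checked with a small ACL evaluator. This is an added example written for this page, not code from the list or from Cisco IOS: it models only the syntax used in the two examples (plus the `established` keyword) with constructed packets, and shows that the examples agree for a normal client but differ for a connection sourced from a low port.

```python
"""Minimal evaluator for the Cisco extended-ACL lines quoted in this thread (example
code, not IOS). Supports permit|deny tcp|udp, 'any' / 'host A.B.C.D', eq/gt, established."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:              # constructed sample packet, not captured traffic
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False      # ACK or RST set: what IOS 'established' keys on

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq N' / 'gt N' operator."""
    addr = None if tokens.pop(0) == "any" else tokens.pop(0)   # None = wildcard
    port = None
    if tokens and tokens[0] in ("eq", "gt"):
        port = (tokens.pop(0), int(tokens.pop(0)))
    return addr, port

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp|udp <src> <dst> [established]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, sport = _addr(rest)
    dst, dport = _addr(rest)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established="established" in rest)

def _port_ok(spec, value):   # no operator matches any port; eq = equal, gt = strictly greater
    return spec is None or (value == spec[1] if spec[0] == "eq" else value > spec[1])

def ace_matches(ace, pkt):
    return (ace["proto"] == pkt.proto
            and ace["src"] in (None, pkt.src) and _port_ok(ace["sport"], pkt.sport)
            and ace["dst"] in (None, pkt.dst) and _port_ok(ace["dport"], pkt.dport)
            and (not ace["established"] or pkt.ack))

def evaluate(acl_lines, pkt):
    """First matching entry wins; anything unmatched hits IOS's implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

EXAMPLE1 = ["access-list 102 permit tcp any host 172.16.0.1 eq 80",
            "access-list 102 permit tcp any host 172.16.0.1 eq 53"]
EXAMPLE2 = ["access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80",
            "access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53"]
```

A normal client (ephemeral source port) is permitted by both lists; a TCP segment sourced from port 53 toward port 80 passes Example 1 but falls through to the implicit deny in Example 2, and a UDP 53 query is denied by both, which is Tom's point about `tcp ... eq 53`.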
********* Access List Enquiry **************
Hi All

Which one of the access-lists is normally used?

Example 1
---
access-list 102 permit tcp any host 172.16.0.1 eq 80
access-list 102 permit tcp any host 172.16.0.1 eq 53

Example 2
---
access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 80
access-list 102 permit tcp any gt 1023 host 172.16.0.1 eq 53
(notice the gt 1023)

I saw from most of the books that Example 1 is common. I don't know what the normal practice generally is. Appreciate if anyone can share with me his/her comments. Thanks a lot.

Regards
Orion
[EMAIL PROTECTED]