RE: Access-list - Deny TFTP

From: DuBell, Robert ITC J633CT1 (dubell@xxxxxxxxx)
Date: Tue Jun 12 2001 - 15:25:47 GMT-3


I believe that your access list would look something like this

access-list 101 permit udp 172.10.1.0 0.0.0.255 any eq tftp
access-list 101 permit udp any any gt 1023
access-list 101 deny udp any any eq tftp
access-list 101 permit ip any any

Where 172.10.1.0 is the network you want to allow to establish a TFTP
session. Allowing any UDP greater than 1023 matches only if the arriving
packet is a response to a request from network 172.10.1.0

I could be wrong but I believe this is close to your solution.

Bob

-----Original Message-----
From: Brian Dennis [mailto:brian@5g.net]
Sent: Tuesday, June 12, 2001 1:49 PM
To: Dean, Justin; ccielab@groupstudy.com
Subject: RE: Access-list - Deny TFTP

Justin,
A TFTP client only sends the first packet to the TFTP server with a
destination UDP port of 69. The server never responds using port 69. The
server will use a UDP high port to respond back to the client's UDP high
port.

I teach this in my ACPC2 class which covers the security portion of the CCIE
lab. I find that a lot of the CCIE candidates don't fully understand how
TFTP really works and could get bitten in the lab on it. I would recommend
reading the RFC on TFTP. Also it's not a bad idea to break out a Sniffer and
capture a TFTP session.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
brian@5g.net

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Dean, Justin
Sent: Tuesday, June 12, 2001 10:21 AM
To: 'ccielab@groupstudy.com'
Subject: RE: Access-list - Deny TFTP

I could have sworn there was a bit of a trick in there because of the way tftp
changes to high ports after being established. If I remember correctly
it became an issue when the requirements say something like: allow tftp from
network X and block everything else... let me know if I am just way off
here. Thanks,
justin

-----Original Message-----
From: louie kouncar [mailto:lkouncar@UU.NET]
Sent: Tuesday, June 12, 2001 10:03 AM
To: 'Dean, Justin'; ccielab@groupstudy.com
Subject: RE: Access-list - Deny TFTP

Well,

TFTP uses UDP so you need the following:

access-list 101 deny udp any any eq tftp

Hope that helps...

Louie J. Kouncar
TCO3 Senior Data Center Engineer
WorldCom Web Hosting (Tysons)
W-703-343-6645
C-703-304-2460

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Dean, Justin
Sent: Tuesday, June 12, 2001 12:34 PM
To: 'ccielab@groupstudy.com'
Subject: Access-list - Deny TFTP

I am drawing a blank and I can't remember the proper way to block TFTP in an
access list. Can someone help me out? Thanks,

Justin
**Please read:http://www.groupstudy.com/list/posting.html
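Added illustration, not code from any poster in this thread: a toy evaluator for IOS-style extended lists run over a constructed TFTP exchange (addresses, ports and list names are made up), showing that only the client's first datagram carries destination port 69 and that a `gt 1023` line, which IOS cannot make stateful for UDP, permits every high-port datagram in either direction.

```python
from ipaddress import IPv4Address, IPv4Network

def addr_match(spec, addr):
    """spec is 'any' or 'network wildcard' in IOS form, e.g. '172.10.1.0 0.0.0.255'."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    return IPv4Address(addr) in IPv4Network(f"{network}/{wildcard}")  # hostmask form

def port_match(spec, port):
    """spec is 'any', 'eq N' or 'gt N' (destination port only, as in the posts)."""
    if spec == "any":
        return True
    op, value = spec.split()
    return port == int(value) if op == "eq" else port > int(value)

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    src, sport, dst, dport = pkt
    for action, s, d, p in acl:
        if addr_match(s, src) and addr_match(d, dst) and port_match(p, dport):
            return action
    return "deny"

# Bob's list (hypothetical name); 'established' is a TCP-only keyword in IOS, so it is absent here.
BOB_ACL = [
    ("permit", "172.10.1.0 0.0.0.255", "any", "eq 69"),
    ("permit", "any", "any", "gt 1023"),
    ("deny", "any", "any", "eq 69"),
    ("permit", "any", "any", "any"),
]
# Louie's single deny, followed by the permit-everything-else the question implies.
LOUIE_ACL = [("deny", "any", "any", "eq 69"), ("permit", "any", "any", "any")]

# Constructed TFTP session: only the read request (RRQ) is addressed to port 69.
SESSION = {
    "rrq_inside":  ("172.10.1.5", 50000, "10.0.0.9", 69),     # client -> server port 69
    "rrq_outside": ("192.168.5.5", 50001, "10.0.0.9", 69),    # same request from another net
    "data":        ("10.0.0.9", 40000, "172.10.1.5", 50000),  # server high port -> client high port
    "ack":         ("172.10.1.5", 50000, "10.0.0.9", 40000),  # client ACK to the server's high port
}

def verdicts(acl):
    """Apply one list to every packet of the constructed session."""
    return {name: evaluate(acl, pkt) for name, pkt in SESSION.items()}

if __name__ == "__main__":
    for label, acl in (("bob", BOB_ACL), ("louie", LOUIE_ACL)):
        print(label, verdicts(acl))
```

The interesting line is `rrq_outside`: both lists stop a session from starting by denying the one packet with destination port 69, while the data and ACK packets never touch that entry at all.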



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:23 GMT-3