RE: What is the function of the established keyword in Access-list?

From: andrew.2.shore@xxxxxx
Date: Fri Jun 15 2001 - 10:54:20 GMT-3


Don't forget that TCP sequence numbers stop hackers from just sending
packets through to attack systems behind the router. Although it does take
extra route processor capacity to route these illegal packets.

-----Original Message-----
From: Jim Graves [mailto:jtg@lucent.com]
Sent: 15 June 2001 14:37
To: bravo; ccielab@groupstudy.com
Subject: Re: What is the function of the established keyword in
Access-list?

The "established" keyword simply matches the "established" bit in the TCP
header. That's a bit that's set if a packet claims to be a response in an
existing conversation. In theory, every packet after the initial TCP
handshake will have the "established" bit set.

It's usually used as a shortcut when specific access lists are too painful
or bothersome. For example, you'll sometimes see this line thrown into an
access-list for inbound traffic:

access-list 110 permit tcp any any established

What that's supposed to do is allow through any reply traffic for existing
connections.

But I don't like using "established", and here's why. As I mentioned, all
it does is match a bit in the TCP header. TCP headers are trivial to
forge. If I'm Henry Hacker, I can just as easily set the "established" bit
on every packet I send. If your access list depends on "established" to
permit or deny access, it's going to let that forged packet right on
through. Not good.

FWIW, reflexive access lists are a much better way to do what the
"established" bit is usually used for. For more on reflexive access lists,
see CCO at
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/screflex.htm>.

As for your particular issue - it should work the same whether you have
"established" set or not. I presume that 100.1.1.1 is the ftp server, and
10.1.1.1 is the client (i.e., 10.1.1.1 ftps to 100.1.1.1)? Your issue is
probably a mask/IP problem in your access lists. The destination address
in each case is 10.1.1.1 with a wildcard mask of 0.0.0.255. You probably
mean 10.1.1.0 0.0.0.255. I don't think anything will match 10.1.1.1
0.0.0.255.

At 12:11 PM 6/15/2001 +0900, bravo wrote:
>Hello guys!
>
>Could you explain why FTP is not working well?
>
>int se 0
> ip addr 100.1.1.254 255.255.255.0
> ip access-group 100 in
>int e 0
> ip addr 10.1.1.254 255.255.255.0
>
>access-list 100 permit tcp host 100.1.1.1 eq ftp 10.1.1.1 0.0.0.255
>established
>access-list 100 permit tcp host 100.1.1.1 eq ftp-data 10.1.1.1 0.0.0.255
>established
>access-list 100 deny ip any any
>
>**Please read:http://www.groupstudy.com/list/posting.html
---------------------------
Jim Graves
CCIE #7524, CISSP, MCSE
Network Systems Consultant
Lucent Worldwide Services
Alpha Pager: 1-800-467-1467
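To make Jim's point concrete, here is an added example (not part of the original thread, and not Cisco code) that models the two inbound-filtering approaches side by side: a rule that permits anything with the "established" bit set, and a reflexive access list that only permits return traffic matching an entry created by an outbound connection. What IOS actually tests for "established" is the ACK or RST bit; the model checks ACK. The attacker address 100.1.1.66, the client port numbers and the telnet target are constructed for the example, and reflexive-entry timeouts are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: 4-tuple plus the header flags that matter here."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def established_permit(pkt: Packet) -> bool:
    """Model of 'access-list 110 permit tcp any any established'.

    The router inspects one header bit and nothing else (IOS matches ACK or
    RST; this model uses ACK). Whoever sets that bit gets through.
    """
    return "ACK" in pkt.flags


class ReflexiveACL:
    """Model of a reflexive access list.

    A permitted outbound packet creates a temporary mirrored entry for the
    reverse direction; an inbound packet is permitted only if it matches one
    of those entries. Entry expiry (ip reflexive-list timeout) is omitted.
    """

    def __init__(self) -> None:
        # Each entry is the mirrored 4-tuple (remote_ip, remote_port, local_ip, local_port).
        self.entries: set = set()

    def outbound(self, pkt: Packet) -> bool:
        # 'permit tcp any any reflect NAME' on the inside interface: permit the
        # packet and remember the reverse tuple so the reply can come back.
        self.entries.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # 'evaluate NAME' on the outside interface: no matching outbound
        # connection, no entry, no access. The ACK bit is never consulted.
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


def run_scenario() -> dict:
    """Replay the thread's FTP case plus one forged packet from an outside host."""
    client, server = "10.1.1.1", "100.1.1.1"
    attacker = "100.1.1.66"  # constructed for the example; not in the original post
    acl = ReflexiveACL()

    # 1. The client opens the FTP control connection; this leaves via the
    #    inside interface and seeds the reflexive entry.
    syn = Packet(client, 40000, server, 21, frozenset({"SYN"}))
    acl.outbound(syn)

    # 2. The server's SYN/ACK arrives inbound. Both approaches should allow it.
    synack = Packet(server, 21, client, 40000, frozenset({"SYN", "ACK"}))

    # 3. Henry Hacker sends a packet to telnet on the client with ACK set.
    #    Nothing inside ever talked to him, so no reflexive entry exists.
    forged = Packet(attacker, 31337, client, 23, frozenset({"ACK"}))

    return {
        "legit_established": established_permit(synack),
        "legit_reflexive": acl.inbound(synack),
        "forged_established": established_permit(forged),  # slips through
        "forged_reflexive": acl.inbound(forged),           # dropped
    }


if __name__ == "__main__":
    for name, permitted in run_scenario().items():
        print(f"{name:20s} {'permit' if permitted else 'deny'}")
```

The legitimate SYN/ACK is permitted under both models, while the forged packet is permitted by the "established" check and denied by the reflexive list, which is exactly the difference Jim describes. On a real router the reflexive version is built with a named extended ACL containing `permit tcp any any reflect NAME` applied to the inside interface and `evaluate NAME` in the ACL applied inbound on the outside interface, per the CCO page linked above.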



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3