Re: What is the function of the established keyword in Access-list?

From: Ashok Gopala (agopala@xxxxxxxxx)
Date: Fri Jun 15 2001 - 13:46:27 GMT-3

Correct me if I am wrong, but I thought there is no established bit in the
header. It is either an "ack" or "rst" bit it looks for.

On Fri, 15 Jun 2001, Jim Graves wrote:

> The "established" keyword simply matches the "established" bit in the TCP
> header. That's a bit that's set if a packet claims to be a response in an
> existing conversation. In theory, every packet after the initial TCP
> handshake will have the "established" bit set.
>
> It's usually used as a shortcut when specific access lists are too painful
> or bothersome. For example, you'll sometimes see this line thrown into an
> access-list for inbound traffic:
>
> access-list 110 permit tcp any any established
>
> What that's supposed to do is allow through any reply traffic for existing
> connections.
>
> But I don't like using "established", and here's why. As I mentioned, all
> it does is match a bit in the TCP header. TCP headers are trivial to
> forge. If I'm Henry Hacker, I can just as easily set the "established" bit
> on every packet I send. If your access list depends on "established" to
> permit or deny access, it's going to let that forged packet right on
> through. Not good.
>
> FWIW, reflexive access lists are a much better way to do what the
> "established" bit is usually used for. For more on reflexive access lists,
> see CCO at
> <http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/screflex.htm>.
>
> As for your particular issue - it should work the same whether you have
> "established" set or not. I presume that 100.1.1.1 is the ftp server, and
> 10.1.1.1 is the client (i.e., 10.1.1.1 ftps to 100.1.1.1)? Your issue is
> probably a mask/IP problem in your access lists. The destination address
> in each case is 10.1.1.1 with a wildcard mask of 0.0.0.255. You probably
> mean 10.1.1.0 0.0.0.255. I don't think anything will match 10.1.1.1
> 0.0.0.255.
>
> At 12:11 PM 6/15/2001 +0900, bravo wrote:
> >Hello guy!
> >
> >Could you explain why the ftp is not working well?
> >
> >int se 0
> > ip addr 100.1.1.254 255.255.255.0
> > ip access-group 100 in
> >int e 0
> > ip addr 10.1.1.254 255.255.255.0
> >
> >access-list 100 permit tcp host 100.1.1.1 eq ftp 10.1.1.1 0.0.0.255
> >established
> >access-list 100 permit tcp host 100.1.1.1 eq ftp-data 10.1.1.1 0.0.0.255
> >established
> >access-list 100 deny ip any any
> >
> >**Please read:http://www.groupstudy.com/list/posting.html
> ---------------------------
> Jim Graves
> CCIE #7524, CISSP, MCSE
> Network Systems Consultant
> Lucent Worldwide Services
> Alpha Pager: 1-800-467-1467
Ashok Gopala
---------------------------------------------------
Enterprise Support Program
Bldg: J, 255 W. Tasman Dr.
San Jose CA. 95134
Cisco Systems
---------------------------------------------------
Empowering the Internet Generation
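An added example, not code from any of the posts above: a small Python model of how an IOS extended ACL evaluates TCP packets, with "established" implemented the way Ashok describes it (satisfied by either ACK or RST in the TCP header, no connection state consulted), next to a minimal stand-in for the reflexive ACL behaviour Jim recommends. The entries mirror bravo's access-list 100, written with the destination as 10.1.1.0 0.0.0.255 as Jim suggests; the hosts, ports and packets are constructed for the illustration, and the `ReflexiveFilter` class is a simplified model, not IOS's implementation.

```python
"""Model of IOS extended-ACL matching with the "established" keyword.

Added illustration only. ACL entries mirror bravo's access-list 100; the
client address, ephemeral ports and packets are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

# TCP control bits as laid out in the header's flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

FTP, FTP_DATA = 21, 20  # the well-known ports behind "eq ftp" / "eq ftp-data"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry; a None port means 'any port'."""
    action: str            # "permit" or "deny"
    src: str
    src_wild: str
    sport: Optional[int]
    dst: str
    dst_wild: str
    dport: Optional[int]
    established: bool = False


def _to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    care = ~_to_int(wild) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # "established" only inspects the header: ACK or RST set is enough.
    if ace.established and not pkt.flags & (ACK | RST):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


class ReflexiveFilter:
    """Simplified reflexive-ACL model: inbound TCP is permitted only when it
    answers a connection an inside host opened through this router."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.flags & SYN and not pkt.flags & ACK:   # inside host opening a session
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 4-tuple
        return "permit" if key in self.sessions else "deny"


ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [
    Ace("permit", "100.1.1.1", "0.0.0.0", FTP, "10.1.1.0", "0.0.0.255", None, True),
    Ace("permit", "100.1.1.1", "0.0.0.0", FTP_DATA, "10.1.1.0", "0.0.0.255", None, True),
    Ace("deny", *ANY, None, *ANY, None),
]


def demo():
    """Three inbound packets on se0; returns (ACL verdict, reflexive verdict)."""
    client, server = "10.1.1.5", "100.1.1.1"          # constructed sample hosts
    reply = Packet(server, FTP, client, 40000, ACK | PSH)   # real reply in an open session
    ack_only = Packet(server, FTP, client, 50000, ACK)      # ACK set, no session behind it
    syn = Packet(server, FTP, client, 40001, SYN)           # new connection from outside

    rf = ReflexiveFilter()
    rf.outbound(Packet(client, 40000, server, FTP, SYN))    # client opened the control channel
    return {
        "reply": (evaluate(ACL_100, reply), rf.inbound(reply)),
        "ack_only": (evaluate(ACL_100, ack_only), rf.inbound(ack_only)),
        "syn": (evaluate(ACL_100, syn), rf.inbound(syn)),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9} established-ACL={verdicts[0]:6} reflexive={verdicts[1]}")
```

The `ack_only` case is the one Jim objects to: the header-only check permits it because ACK is set, while the session-aware filter denies it because no inside host ever opened that connection. Both models agree on the genuine reply and on the unsolicited SYN, which is why the weakness only shows up when you test with a packet that was never part of a real handshake.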



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3