RE: Access list wildcard mask

From: Joe A (groupstudy@comcast.net)
Date: Tue Nov 26 2002 - 00:52:20 GMT-3


For starters, the list you included below is wrong; it's been changed in
the errata to the following:

131.24.194.x
131.25.194.x
135.152.1.1
131.24.195.x
131.24.193.x

The line 227.24.194.x was dropped, and the 196 is changed to 193 in the
131.24.196.x line.

Given that change, I don't agree with the solution of 129.24.192.0
102.129.7.1 for two reasons:

First, it matches a heck of a lot more than those 5 specified
networks/host; for example, it matches on 231.24.199.0, which isn't even
close to anything in that list. Generalizing an ACL to save lines at
the expense of denying traffic that shouldn't be denied is not a good
thing.

Second, it doesn't even match the 135.152.1.1 host at all. Why?
Because in the 3rd octet of the filter, 192 masked with a 7 (in third
octet) expands to binary as 11000000 00000111, and since '0' is a direct
match, the number(s) matched in this octet must be at least 11000xxx,
which matches on 192 through 199, but certainly not 1. To match all
those lines, the ACL should be

access-list 102 deny tcp 129.24.192.0 102.129.195.1 eq ftp any
access-list 102 deny tcp 129.24.192.0 102.129.195.1 eq http any

But again this generalizes the matches even more.

If anyone disagrees with this, by all means please explain.

Joe
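The wildcard arithmetic Joe walks through above, as an added example that is not part of either post: a small checker that applies Cisco wildcard-mask semantics (0 bit = must match, 1 bit = don't care) to the proposed entry and to Joe's suggested mask. The target list and both masks are the values quoted in the thread; the function names are my own.

```python
import ipaddress

# Sample data constructed from the thread: the corrected list of sources to
# deny, the proposed one-line answer, and Joe's suggested replacement mask.
TARGETS = ["131.24.194.0", "131.25.194.0", "135.152.1.1",
           "131.24.195.0", "131.24.193.0"]
BASE = "129.24.192.0"
PROPOSED_WILDCARD = "102.129.7.1"
SUGGESTED_WILDCARD = "102.129.195.1"


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must equal the base bit,
    a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def octet_pattern(base_octet: int, wild_octet: int) -> str:
    """Render one octet the way the post does: fixed bits as 0/1, wildcarded bits as x."""
    return "".join(
        "x" if (wild_octet >> i) & 1 else str((base_octet >> i) & 1)
        for i in range(7, -1, -1)
    )


def address_count(wildcard: str) -> int:
    """Number of addresses a base/wildcard pair matches: 2 to the number of 1 bits."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def audit(base: str, wildcard: str, targets):
    """Return which intended targets the entry misses and how many addresses it matches."""
    missed = [t for t in targets if not wildcard_matches(t, base, wildcard)]
    return {"missed": missed, "total_matched": address_count(wildcard)}


if __name__ == "__main__":
    print("third octet 192 / 7   ->", octet_pattern(192, 7))    # 11000xxx
    print("third octet 192 / 195 ->", octet_pattern(192, 195))  # xx0000xx
    for wc in (PROPOSED_WILDCARD, SUGGESTED_WILDCARD):
        print(wc, audit(BASE, wc, TARGETS))
    # An address nowhere near the list that the proposed entry also denies:
    print("231.24.199.0 matched:",
          wildcard_matches("231.24.199.0", BASE, PROPOSED_WILDCARD))
```

Running the audit also shows a point neither post raises: with a fourth-octet wildcard of 1, both entries cover only hosts .0 and .1 of each network, so a host such as 131.24.194.77 is not denied at all.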

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Connelly.Sylvester@btinternet.com
Sent: Monday, November 25, 2002 8:08 AM
To: ccielab@groupstudy.com
Subject: Access list wildcard mask

Guys,

Is there a quick way to work out wildcards? I'm looking at the Solie
"Darth Reid" Lab section V11, which requires you to block data from the
following sources with as few lines as possible.

Deny FTP from the following:

        131.24.194.X
        131.25.194.X
        135.152.1.1
        227.24.194.X
        131.24.195.X
        131.24.196.X

The Answer is access-list <XXX> deny 129.24.192.0 102.129.7.1 etc....



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:10 GMT-3