RE: ACL problem

From: R. Adjakou (radjakou@cfao.sn)
Date: Wed Jul 07 2004 - 14:00:23 GMT-3


DNS uses UDP or TCP.
As soon as the statements are in this order, every packet dealing with TCP
is permitted.

access-list 110 permit tcp any any established
access-list 110 permit udp host x.x.x.x any eq domain

Cordialement/Best regards;

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Roberto Adjakou
E-mail : RAdjakou@cfao.sn
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of
Geert Nijs
Sent: Wednesday, June 23, 2004 06:16
To: ccielab@groupstudy.com
Subject: ACL problem

I have a router connected to the internet and it has the following
access-list configured in the INCOMING (!)
direction on the Internet interface:

access-list 110 deny ip 0.0.0.0 0.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit tcp any any established
access-list 110 permit udp host x.x.x.x any eq domain
access-list 110 permit icmp host y.y.y.y any echo-reply
access-list 110 permit icmp host z.z.z.z any echo-reply
access-list 110 deny ip any any log

x.x.x.x is a DNS server on the Internet.

The problem is that DNS is working, and I don't understand how this is
possible with the above access-list?

The thing that bothered me was the line:

access-list 110 permit udp host x.x.x.x any eq domain

Shouldn't this be:

access-list 110 permit udp host x.x.x.x eq domain any

And with the above configuration, shouldn't DNS requests/answers be
dropped? Or am I overlooking something simple here?

PS. Router runs version 12.2(23)

Regards,
Geert
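The matching rule this thread turns on can be checked mechanically: in a Cisco extended ACL an `eq` operator binds to the address it follows, so `permit udp host x.x.x.x any eq domain` only matches packets whose destination port is 53, a reply sourced from port 53 on x.x.x.x falls through to the final deny, and the `established` entry admits any TCP segment with ACK (or RST) set. The first-match evaluator below is an added example, not code from the list or from IOS; the server address 198.51.100.53 and inside host 203.0.113.10 are constructed stand-ins for x.x.x.x, and two of the five deny lines plus the ICMP entries are omitted for brevity.

```python
import ipaddress
# x.x.x.x is a placeholder in the thread; this is a constructed sample server address.
DNS_SERVER = "198.51.100.53"
ACL_110 = f"""
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit tcp any any established
access-list 110 permit udp host {DNS_SERVER} any eq domain
access-list 110 deny ip any any log
"""
PORT_NAMES = {"domain": 53}
ALL_ONES = 0xFFFFFFFF
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _parse_addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> ((network, wildcard), next index)
    if tok[i] == "any":
        return (0, ALL_ONES), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
def _parse_port(tok, i):  # optional 'eq PORT'; whether it follows src or dst decides what it matches
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i
def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()  # access-list N action proto src [eq p] dst [eq p] [established] [log]
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append((line, tok[2], tok[3], src, sport, dst, dport, "established" in tok[i:]))
    return entries
def _addr_match(ip, spec):
    net, wild = spec  # wildcard bit 1 = "don't care"
    return (_ip(ip) & ~wild & ALL_ONES) == (net & ~wild & ALL_ONES)
def evaluate(entries, pkt):  # first match wins; unmatched traffic hits the implicit deny, as on IOS
    for line, action, proto, src, sport, dst, dport, est in entries:
        if (proto in ("ip", pkt["proto"]) and _addr_match(pkt["src"], src) and _addr_match(pkt["dst"], dst)
                and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport"))
                and (not est or pkt.get("ack"))):  # 'established' needs ACK (or RST) set
            return action, line
    return "deny", "implicit deny"

# Constructed inbound packets: a UDP DNS reply from the server (source port 53) and a TCP DNS reply with ACK set.
UDP_REPLY = {"proto": "udp", "src": DNS_SERVER, "sport": 53, "dst": "203.0.113.10", "dport": 40000}
TCP_REPLY = {"proto": "tcp", "src": DNS_SERVER, "sport": 53, "dst": "203.0.113.10", "dport": 40000, "ack": True}
```

Running `evaluate(parse_acl(ACL_110), UDP_REPLY)` lands on the final `deny ip any any log` entry, while `TCP_REPLY` is accepted by the `established` entry; swapping the `eq domain` to the source side makes the UDP reply match.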



This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:11:48 GMT-3