From: James (james@towardex.com)
Date: Wed Aug 18 2004 - 05:28:39 GMT-3
On Wed, Aug 18, 2004 at 10:16:56AM +0200, samccie2004@yahoo.co.uk wrote:
> Hi Group
>
> When asked to deny WWW traffic
>
> Would it be correct to have solution 1, to ensure both http requests and
> replies are blocked.
> Or solution 2, assuming that if no requests are made in first place, no
> replies will follow, therefore no need to block them.
If you do solution 2, and I make a connection to a box inside your network
that sends (syn | !syn & ack) back from your network, it will bypass your
solution 2 acl, therefore I am now viewing WWW content from that box inside
your network. The question demands "deny WWW traffic". Well apparently not! :-D
My recommendation: Unless a requirement is given to "deny WWW traffic" with
specific direction of the flow of the traffic, assume it wants WWW completely
denied either way.
-J
>
>
> Solution 1
> access-list 102 deny tcp any any eq www
> access-list 102 deny tcp any eq www any
>
> Solution 2
> access-list 102 deny tcp any any eq www
>
> TIA
>
> Sam
--
James Jun
TowardEX Technologies, Inc.
Technical Lead
Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net
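The gap James describes, as an added model (not code from the thread): the two `access-list 102` variants are reduced to port-match functions and applied to constructed packets. It assumes the ACL filters only traffic leaving the inside network, that a `permit ip any any` follows the deny lines, and uses made-up RFC 1918 / RFC 5737 addresses.

```python
from dataclasses import dataclass

WWW = 80  # "eq www" in IOS extended ACL syntax is TCP port 80

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK

def deny_to_www(p: Packet) -> bool:
    """access-list 102 deny tcp any any eq www  (matches destination port 80)."""
    return p.dport == WWW

def deny_from_www(p: Packet) -> bool:
    """access-list 102 deny tcp any eq www any  (matches source port 80)."""
    return p.sport == WWW

SOLUTION_1 = [deny_to_www, deny_from_www]  # both lines from the thread
SOLUTION_2 = [deny_to_www]                 # destination-port line only

def permitted(acl, p: Packet) -> bool:
    """True if no deny entry matches; assumes a trailing 'permit ip any any'."""
    return not any(rule(p) for rule in acl)

# Constructed packets (RFC 1918 / RFC 5737 addresses, not from the thread).
# Assumption: the ACL sees only traffic LEAVING the inside network.
INSIDE, OUTSIDE = "10.1.1.10", "203.0.113.5"
# Flow A: an inside client browses an outside web server (request leaves).
CLIENT_REQUEST = Packet(INSIDE, OUTSIDE, 40000, WWW, "S")
# Flow B (James's case): an outside host connects to a web server inside;
# only the server's replies, sourced from port 80, cross the filtered direction.
SERVER_SYNACK = Packet(INSIDE, OUTSIDE, WWW, 40000, "SA")
SERVER_DATA = Packet(INSIDE, OUTSIDE, WWW, 40000, "A")

def forwarded(acl, packets) -> list:
    """Flags of the packets the ACL lets through (empty list = flow fully blocked)."""
    return [p.flags for p in packets if permitted(acl, p)]

if __name__ == "__main__":
    for name, acl in (("solution 1", SOLUTION_1), ("solution 2", SOLUTION_2)):
        print(name, "inside client:", forwarded(acl, [CLIENT_REQUEST]),
              "inside server replies:", forwarded(acl, [SERVER_SYNACK, SERVER_DATA]))
```

Solution 2 blocks the inside client's request but forwards every reply from the inside server, so the outside host's session completes; solution 1 drops both.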
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:45 GMT-3