Re: Reflexive output ACL

From: Tarun Pahuja (pahujat@gmail.com)
Date: Thu Nov 08 2007 - 17:41:22 ART


Rik,
      What would happen if the link was already running OSPF and you enabled
a firewall that should only allow ICMP, TCP and UDP? You just lost connectivity!

HTH,
Tarun

On Nov 8, 2007 2:39 PM, Guyler, Rik <rguyler@shp-dayton.org> wrote:

> Don't do it if it isn't asked for in the requirements. If it says ICMP,
> TCP and UDP then allow those and move on. When you start taking
> unnecessary steps you run even greater risk of missing a required topic
> due to misinterpretation.
>
> Maybe this question really means "allow ONLY ICMP, TCP and UDP inbound"
> and so allowing other non-required protocols just cost you points. Why
> complicate things any more?
>
> Rik
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> hadek.el-ayachi@nsn.com
> Sent: Thursday, November 08, 2007 11:47 AM
> To: ccielab@groupstudy.com
> Subject: Reflexive output ACL
>
> Hi GS,
> If I am asked to permit only icmp/udp/tcp traffic inbound if it is
> initiated from inside, the answer is:
> ip access-list extended FW_OUT
> permit icmp any any reflect FW
> permit tcp any any reflect FW
> permit udp any any reflect FW
>
> But what about other protocols and future protocols such as igmp,
> gre...? Should I add permit ip any any? Is it worth asking the proctor?
> Thanks for your comments
>
>
> E. HADEK
> Nokia Siemens Networks
> IP Core planner
> 5 rue Abou Inane- Hassan
> Rabat - Maroc
> Tel : +212 37 26 15 30
> GSM : + 212 61 44 93 98
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html


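The mechanics the thread is arguing about, as an added simulation that is not part of any message above and not Cisco IOS code: an outbound access list that mirrors permitted sessions into temporary reflexive entries, an inbound access list that checks those entries (the `evaluate FW` line) before any explicit permits, and an implicit deny at the end. The inbound ACL, the host addresses and the packet cases are assumptions for illustration; the thread only shows FW_OUT. The scenarios cover the original poster's question (what happens to GRE, with and without `permit ip any any reflect FW`) and Tarun's objection (the neighbour's OSPF hellos).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of a router interface with a reflexive ACL.
# Added illustration only: not code from the thread and not IOS behaviour
# in every detail (ICMP entries are matched on addresses alone here).

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "gre", "ospf", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

PORT_PROTOS = {"tcp", "udp"}

def _key(p: Packet):
    """Tuple a reflexive entry would have to match for this packet."""
    if p.proto in PORT_PROTOS:
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.src, p.dst)

def _mirror(p: Packet):
    """Entry created by 'reflect FW': same protocol, addresses (and ports) swapped."""
    if p.proto in PORT_PROTOS:
        return (p.proto, p.dst, p.dport, p.src, p.sport)
    return (p.proto, p.dst, p.src)

class ReflexiveFirewall:
    def __init__(self, reflect_protos, inbound_static_permits=()):
        # FW_OUT: 'permit <proto> any any reflect FW' for each protocol listed.
        # "ip" stands for the poster's proposed 'permit ip any any reflect FW'.
        self.reflect_protos = set(reflect_protos)
        # Inbound ACL (assumed): 'evaluate FW', then these explicit permits,
        # then the implicit deny.
        self.inbound_static = set(inbound_static_permits)
        self.sessions = set()       # temporary reflexive entries

    def _reflects(self, proto: str) -> bool:
        return proto in self.reflect_protos or "ip" in self.reflect_protos

    def outbound(self, p: Packet) -> str:
        """Transit traffic leaving through the interface where FW_OUT is applied."""
        if self._reflects(p.proto):
            self.sessions.add(_mirror(p))
            return "permit"
        return "deny"                        # implicit deny at end of FW_OUT

    def inbound(self, p: Packet) -> str:
        """Traffic arriving on the interface where the inbound ACL is applied."""
        if _key(p) in self.sessions:         # 'evaluate FW'
            return "permit(reflexive)"
        if p.proto in self.inbound_static:   # explicit entries after evaluate
            return "permit(static)"
        return "deny"                        # implicit deny

def run_scenarios():
    """Verdicts for the cases discussed in the thread (constructed addresses)."""
    inside, outside, neighbor = "10.1.1.10", "192.0.2.80", "192.0.2.1"
    v = {}

    fw = ReflexiveFirewall(reflect_protos=("icmp", "tcp", "udp"))
    fw.outbound(Packet("tcp", inside, outside, 40000, 80))
    v["tcp_reply"] = fw.inbound(Packet("tcp", outside, inside, 80, 40000))
    v["tcp_unsolicited"] = fw.inbound(Packet("tcp", outside, inside, 80, 40001))
    # GRE started from inside: FW_OUT has no entry for it, so nothing is reflected.
    v["gre_out"] = fw.outbound(Packet("gre", inside, outside))
    v["gre_reply"] = fw.inbound(Packet("gre", outside, inside))
    # Tarun's case: the neighbour's hello is unsolicited from the ACL's point of
    # view (the router's own hellos are locally generated, never pass through
    # FW_OUT, and so never create a reflexive entry).
    v["ospf_hello"] = fw.inbound(Packet("ospf", neighbor, "224.0.0.5"))

    # The poster's idea: add 'permit ip any any reflect FW' to FW_OUT.
    fw_ip = ReflexiveFirewall(reflect_protos=("icmp", "tcp", "udp", "ip"))
    fw_ip.outbound(Packet("gre", inside, outside))
    v["gre_reply_with_ip"] = fw_ip.inbound(Packet("gre", outside, inside))
    v["ospf_hello_with_ip"] = fw_ip.inbound(Packet("ospf", neighbor, "224.0.0.5"))

    # What keeps the adjacency: an explicit inbound permit for OSPF.
    fw_fixed = ReflexiveFirewall(("icmp", "tcp", "udp"), inbound_static_permits=("ospf",))
    v["ospf_hello_fixed"] = fw_fixed.inbound(Packet("ospf", neighbor, "224.0.0.5"))
    return v

if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:22} {verdict}")
```

The simulation makes the two points concrete: reflecting `ip any any` does cover protocols without ports such as GRE when the inside initiates them, but it does nothing for traffic the router receives unsolicited, which is exactly what OSPF hellos from a neighbour are. In IOS that is handled with an explicit `permit ospf any any` in the inbound access list alongside the `evaluate FW` entry.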

This archive was generated by hypermail 2.1.4 : Sat Dec 01 2007 - 06:37:29 ART