lehle@str.daimler-benz.com
>
>
> Sorry - deleted the post I am referring to before I had a chance to reply.
> The poster mentioned a solution to the problem of ftp transfers in a
> screening router environment. The solution was something to the effect:
> Allow packets from all external hosts with source port 20 to all (or
> some subset of) internal hosts with destination port > 1023, established.
>
> The only part I disagree with is the "established" part; I am assuming this
> is referring to passing/not passing the "start of connection" packet, or the
> packet that contains both SYN and ACK. It is my understanding that by
> using this keyword in your access lists, the remote machines would have a
> difficult time initiating the data connection...
>
> I am also assuming that the above would be applied as an outbound access list
> on the internal side of the screening router, as the rest would not make
> sense otherwise...
>
> Do I have this incorrect?
>
>
> ______/ Jeff LaCoursiere FastLane Communications
> / Network security/services mail info@flc.uprc.com
> ___/ lacoursj@uprc.com
> /
> __/ ASTLANE Communications! Connecting America to the Internet...
>
>
>
>
I don't know if Cisco has fixed the bug that you could use either the
port number or the established keyword. I haven't seen anything in the
release notes.
--
+-----------------------------------------+------------------------------------+
| Klaus-Dieter Lehle                      |                                    |
| Abt. RZ-S/K                             | Phone: ++49(711)17-55399           |
| debis Systemhaus CCS GmbH               |                                    |
| Regionales Rechenzentrum Stuttgart      | Fax : ++49(711)17-56966            |
| Mercedesstrasse 137                     |                                    |
| D-70322 Stuttgart                       |                                    |
|-----------------------------------------+------------------------------------|
| email (rfc822): lehle@str.daimler-benz.com                                   |
+------------------------------------------------------------------------------+
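An added example, not from the thread and not Cisco's code: a small model of the inbound entry under discussion, `permit tcp any eq 20 <inside> gt 1023 [established]`, evaluated against the segments of an active-mode FTP data connection. In Cisco IOS the `established` keyword matches only segments with the ACK or RST bit set, so the server's opening SYN from port 20 never matches it. Host names and port numbers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the screening router sees it; only the three
    flag bits that matter for the 'established' test are modelled."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def permit_tcp(seg, *, src_port=None, dst_port_gt=None, established=False):
    """Model of one 'permit tcp <src> eq N <dst> gt M [established]' entry.
    'established' matches only when ACK or RST is set, so a SYN that opens
    a connection (ACK clear) is never permitted by such an entry."""
    if src_port is not None and seg.sport != src_port:
        return False
    if dst_port_gt is not None and seg.dport <= dst_port_gt:
        return False
    if established and not (seg.ack or seg.rst):
        return False
    return True


def ftp_data_connection(established):
    """Active-mode FTP: the server opens the data connection from port 20
    to the client's high port. Returns, per segment, whether the rule from
    the thread lets it through with or without 'established'."""
    server, client = "ftp.example.net", "inside.example.org"  # constructed
    segments = {
        "server_syn": Segment(server, 20, client, 1234, syn=True),
        "server_ack_and_data": Segment(server, 20, client, 1234, ack=True),
        "server_rst": Segment(server, 20, client, 1234, rst=True),
        # Exposure the keyword was meant to limit: without 'established'
        # any outside host using source port 20 reaches inside ports > 1023.
        "other_host_syn_from_20": Segment("outside.example.com", 20,
                                          client, 5000, syn=True),
    }
    return {name: permit_tcp(seg, src_port=20, dst_port_gt=1023,
                             established=established)
            for name, seg in segments.items()}
```

With `established` the server's SYN is dropped and the data connection never opens; without it the connection works, at the cost of the last entry also being permitted.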