Great Circle Associates Firewalls
(July 1996)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Help with cisco access list?
From: ccfj @ hippo . ru . ac . za (F. Jacot Guillarmod)
Date: Sun, 30 Jun 1996 10:20:16 +0200 (GMT+0200)
To: firewalls @ greatcircle . com

Hi,

A query on Cisco access lists...

I've had a set of access lists configured and working for a while now,
but the manual maintenance has become a bit confusing, so I've set up
the acl-examples perl scripts by Paul Traina available from
ftp.cisco.com, and am trying to use them in conjunction with other
tools we use to automate the maintenance of our DNS.

It looks like most of the chickens mentioned in the Chapman paper on IP
packet filtering have come home to roost in a big way.  The manual
lists, which still work OK, probably work because they're next to useless.
The automated lists generated by the "netsec" perl script have
tightened things up so much that I'm forced to admit to being confused
about parts of what I'm trying to achieve and how to achieve it.

A search through what literature is available to me didn't bring up a
whole lot of practical info on setting up access lists, so I'd be
grateful for any further pointers or examples (other than those in the
Cisco manuals, which tend to be somewhat ....).

Anyway, here's the scenario:

We have a 2514 running 10.0 and are using all 4 interfaces.  Being a
university, it's assumed brainpower is more plentiful than money in
achieving workable solutions.  We try.


     ISP #1 + Internet                ISP #2 + Regional net
     --------------------             ---------------------
                        |             |
                        |             |
                   --------------------------
     	           |   s0            s1     |
     	           |                        |
     	           |                        |
	           |                        |
	           |   e0            e1     |
                   --------------------------
                        |             |
                        |             |
     --------------------             ---------------------
     Admin subnet                     Everyone else subnets
     A.B.16.0/255.255.248.0           A.B.128.0/255.255.248.0
				      A.B.64.0
				      A.B.192.0 etc

The access lists for ether 1 are pretty standard and straightforward,
as are those for serial 0 and serial 1 (which are currently identical).
i.e. in isolation they work just fine and I understand them.

The awkward one is the access list for ether 0, which contains admin
telnet and print servers plus a large number of workstations.  The
type of access needed here is:

Out onto ether 0:

 a Telnet from selected hosts outside of A.B.16.0 but inside A.B.0.0
 b FTP from selected hosts outside of A.B.16.0 but inside A.B.0.0
 c Printing from hosts outside of A.B.16.0 but inside A.B.0.0
 d "Established" tcp services, such as WWW etc from anywhere.

Out onto ether 1:

 e Printing from hosts in A.B.16.0 but nowhere else
 f Bootp from workstations within A.B.16.0 but nowhere else
 g The "usual" paranoid stuff, excluding UDP other than port 53.

I've got most of this working, except for items c and e, printing using
the BSD print spooler, which does things I can't grasp.  So, to get past
this misunderstanding, I've thrown caution to the winds and tried
permitting all UDP between ether 0 and ether 1 but I still can't print
anything.

Can anyone point me in the right direction?  Or explain what on earth
lpr/lpd get up to when they start exchanging packets?  Is there anything
else to worry about (within reason) accessing admin type networks?

Many thanks,
-- 
 F.F. Jacot Guillarmod - Computing Services - Rhodes University - Grahamstown
   Internet: ccfj @
 hippo .
 ru .
 ac .
 za   Phone: +27 461 318284 Fax: +27 461 25049
   The views expressed above are not necessarily those of Rhodes University


Indexed By Date Previous: Re: NCSA Certification
From: Ian Johnstone-Bryden <ianj-b @ dial . pipex . com>
Next: Re: split-brain DNS
From: "Lack Mr G M" <gml4410 @ ggr . co . uk>
Indexed By Thread Previous: SENDING BIG FILES THRU INTERNET
From: Chin Cheng Baey <DSSDBCC @ dbs . com . sg>
Next: Re: split-brain DNS
From: "Lack Mr G M" <gml4410 @ ggr . co . uk>

Google
 
Search Internet Search www.greatcircle.com