Great Circle Associates Firewalls
(November 1994)

Subject: Re: SUMMARY: Recommendations for Accesslists on Cisco?
From: Goran Svensson <goran @ btj . se>
Date: Fri, 25 Nov 1994 14:59:26 +0100 (NFT)
To: firewalls @ greatcircle . com

On Tue, 22 Nov 1994, Thomas Bleek wrote:

> Hello,
> here is my summary about Cisco access-lists. The good news is that
> I was told about a big hole in my filter rules. Very bad was the idea
> to let UDP packets other than for the DNS port 53

Why ?

> from the Internet to the inside. Some suggested to also deny incoming
> TCP and to use the established option, but that is not working
> with FTP. It turns out that the external server opens the data connection
> to the internal client (after the PORT command from the client),
> so there is no way other than modifying clients or using
> PASV (which is not implemented on all servers).

What about opening for >1000 established
and for the ftp-data port?
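The filter behaviour discussed above, as an added example that is not code from the original post or from either poster: a small Python model of a stateless, Cisco-style extended access-list applied to packets coming in from the Internet. It evaluates the inbound half of one active-mode FTP session against the "established only" ruleset from the summary and against the same ruleset with Goran's extra entry for ftp-data (server port 20 to client ports above 1023). It also shows the cost of that entry: a plain SYN from any outside host that chooses source port 20 is admitted to every inside port above 1023, which is the trade-off a stateless filter forces. The rule syntax is a simplified subset (no wildcard masks, `any` or one host address), and the addresses and port numbers are constructed for the trace.

```python
"""Stateless packet-filter model in the style of Cisco extended access-lists.

Added example for the thread above. The rule syntax is a simplified subset
of Cisco's; the hosts and ports below are constructed, not real traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit; a bare SYN has ack=False


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp" or "ip"
    src: str            # "any" or one host address (simplified: no wildcard masks)
    sport: tuple        # ("any",) | ("eq", n) | ("gt", n) | ("lt", n)
    dst: str
    dport: tuple
    established: bool = False   # match only segments with the ACK bit set


def _port_match(spec, port):
    op = spec[0]
    if op == "any":
        return True
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    raise ValueError(f"unknown port operator {op}")


def parse_rule(line):
    """Parse a simplified Cisco-style entry such as
    'permit tcp any eq 20 any gt 1023' or 'permit tcp any any established'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def endpoint():
        nonlocal pos
        addr = tok[pos]
        pos += 1
        if pos < len(tok) and tok[pos] in ("eq", "gt", "lt"):
            spec = (tok[pos], int(tok[pos + 1]))
            pos += 2
        else:
            spec = ("any",)
        return addr, spec

    src, sport = endpoint()
    dst, dport = endpoint()
    established = pos < len(tok) and tok[pos] == "established"
    return Rule(action, proto, src, sport, dst, dport, established)


def evaluate(acl, pkt):
    """First matching entry decides; an access-list ends with an implicit deny."""
    for r in acl:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.src != "any" and r.src != pkt.src:
            continue
        if r.dst != "any" and r.dst != pkt.dst:
            continue
        if not (_port_match(r.sport, pkt.sport) and _port_match(r.dport, pkt.dport)):
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action
    return "deny"


# Inbound (Internet -> inside) filter as described in the summary.
ESTABLISHED_ONLY = [parse_rule(l) for l in (
    "permit udp any eq 53 any gt 1023",   # DNS answers back to a resolver's high port
    "permit tcp any any established",     # replies to connections opened from inside
)]
# Goran's suggestion: also let ftp-data (server port 20) reach client high ports.
WITH_FTP_DATA = ESTABLISHED_ONLY + [parse_rule("permit tcp any eq 20 any gt 1023")]

# Constructed addresses (documentation ranges), not real hosts.
INSIDE = "10.0.0.5"
FTPSERVER = "192.0.2.10"
OUTSIDER = "198.51.100.7"


def active_ftp_trace(acl):
    """Verdicts for the inbound packets of one active-mode FTP session, plus
    two unrelated inbound SYNs whose sender chose source port 20."""
    # Control connection was opened from inside to port 21; only the reply is inbound.
    ctrl_reply = Packet("tcp", FTPSERVER, 21, INSIDE, 1100, ack=True)
    # After the client's PORT command the server connects from port 20 to the
    # client's advertised data port with a plain SYN (no ACK bit yet).
    data_syn = Packet("tcp", FTPSERVER, 20, INSIDE, 1101)
    # Anyone on the Internet can pick source port 20 as well.
    rogue_high = Packet("tcp", OUTSIDER, 20, INSIDE, 6000)
    rogue_low = Packet("tcp", OUTSIDER, 20, INSIDE, 23)
    return {
        "control reply": evaluate(acl, ctrl_reply),
        "ftp-data SYN": evaluate(acl, data_syn),
        "outsider sport 20 -> 6000": evaluate(acl, rogue_high),
        "outsider sport 20 -> 23": evaluate(acl, rogue_low),
    }


if __name__ == "__main__":
    for name, acl in (("established only", ESTABLISHED_ONLY), ("with ftp-data", WITH_FTP_DATA)):
        print(name)
        for desc, verdict in active_ftp_trace(acl).items():
            print(f"  {desc:28s} {verdict}")
```

With "established only" the control reply passes but the server's data-connection SYN is dropped, which is the FTP breakage the summary describes. Adding the ftp-data entry lets that SYN through, and with it any SYN from source port 20 to any inside port above 1023; only PASV, or a filter that tracks the PORT command, avoids that.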