From: Nick Shah (nshah@xxxxxxxxxxxxxx)
Date: Fri Jun 14 2002 - 00:28:58 GMT-3
Thomas,
I was equally confused about how we can be tested on the usage of extended
access lists. However, a glance through the Networkers 2001 / Security +
Accesslists section seemed to get rid of some confusion. (PS: I haven't
taken the lab yet, I am just guessing.)
E.g. HTTP traffic (from RtrA) will bear a source port > 1024 and a
destination port of 80 (return traffic will have port 80 as the source).
In the same way, FTP traffic (from RtrX) will bear a source port > 1024 and a
destination port of 20/21.
Now if a Q says "do not allow web traffic to initiate the ISDN link", we can
deduce that any activity going to port 80 (destination) should be
blocked/denied. If it says "block all web traffic", it would mean source port
> 1024 -> dest 80 and vice versa.
In any case, if it's not as clear as in the above example, we can always
ask the proctor. I guess asking a *clarifying Q* would definitely fetch an
answer from them.
rgds
Nick
----- Original Message -----
From: "Thomas Larus" <tlarus@cox.net>
To: <ccielab@groupstudy.com>
Sent: Friday, June 14, 2002 2:04 AM
Subject: Guidance on when to use extended access-lists that cover both directions of a TCP flow (any any eq 2065, any eq 2065 any)
> I love the feature in custom and priority queuing that permits you to
> specify a port number or name and it will catch both directions, but what
> about where you have to use an extended access-list to specify your traffic?
> Any general rule of thumb about when to specify the port in both directions?
> Example.
> access-list 165 permit tcp any any eq 2065
> access-list 165 permit tcp any eq 2065 any
>
> You can't always be sure who will be initiating the TCP session (unless
> someone tells you it's a webserver, so all www sessions will be initiated by
> surfers). Even then, I can't believe it would always be that simple.
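To make the two cases Nick distinguishes concrete, here is an added Cisco IOS example (my own config, not from either post). It assumes an ISDN interface BRI0 and numbered extended ACLs 101/102, which are not in the thread.

```cisco
! Case 1: "do not allow web traffic to initiate the ISDN link".
! Only the client's outbound packets (source >1024, destination 80) can
! bring the link up, so the dialer-list ACL needs just the destination
! port direction; all other IP traffic stays "interesting".
access-list 101 deny   tcp any any eq www
access-list 101 permit ip  any any
dialer-list 1 protocol ip list 101
!
interface BRI0
 dialer-group 1
!
! Case 2: "block all web traffic" across the link.
! Both directions are needed here: requests (src >1024 -> dst 80) and
! replies (src 80 -> dst >1024) both carry the session, and either
! direction alone leaves half the flow unmatched.
access-list 102 deny   tcp any any eq www
access-list 102 deny   tcp any eq www any
access-list 102 permit ip  any any
!
interface BRI0
 ip access-group 102 in
 ip access-group 102 out
!
! Check: match counters show which line is actually catching the flow.
! show access-lists 101
! show access-lists 102
```

Case 1 applies in the dialer-list only, so web traffic that arrives while the link is already up for other reasons still passes; case 2 is the one that stops it on the interface.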
This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:32 GMT-3