brian@natinst.com (Brian H. Powell) (06/21/91)
I'm new to the cisco router, so please bear with me. I've got some questions about extended access-lists, particularly about the example in the 8.2 manual on pp. 5-26 and 5-27. The example concerns allowing all outbound connections, but restricting inbound connections only to an SMTP port on a particular machine. I'll type in the outgoing side of their example, which is what I'm curious about:

    access-list 101 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
    access-list 101 deny icmp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255

The first line makes sense, of course. Why, though, deny outgoing icmp?

Also, in this example, the inbound traffic is limited to source ports greater than 1023. Is this also appropriate for NNTP, FTP, DNS, and the other sets of things we typically want to allow? (Perhaps what I'm asking is what are the various incantations for a typical secure setup where you don't want to allow incoming telnet, rsh, etc., and restrict certain other services (such as mail & news) to a specific host.)

Thanks.
Brian
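To make the semantics of the lines quoted above concrete, here is an added Python evaluator for Cisco-style extended access-list entries. It is not from the post, the cisco manual, or any cisco software; it models only the behaviour the post describes: wildcard masks (a 0 bit must match, a 1 bit is "don't care"), first-match evaluation, and the implicit deny at the end of every list. The outbound list reproduces the two quoted entries; the inbound list (number 102, host 128.88.1.2, the "source port > 1023 to SMTP" shape) is a constructed assumption standing in for the manual's inbound side, which the post does not quote.

```python
"""Toy evaluator for Cisco-style extended access-list entries (added example,
not cisco code). Addresses and list 102 below are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: bits set to 1 in the mask are ignored, 0 bits must match.
    So 128.88.0.0 0.0.255.255 means 128.88.0.0/16 and 0.0.0.0 255.255.255.255 means any."""
    care = ALL ^ _ip(wildcard)          # bits we actually compare
    return ((_ip(addr) ^ _ip(base)) & care) == 0


def port_ok(op: Optional[Tuple[str, int]], port: int) -> bool:
    """Port operator as in IOS: eq / gt / lt, or no operator (any port)."""
    if op is None:
        return True
    kind, value = op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[kind]


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    src_op: Optional[Tuple[str, int]] = None
    dst_op: Optional[Tuple[str, int]] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; a list with no match denies (implicit deny)."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            continue
        if not (port_ok(e.src_op, pkt.sport) and port_ok(e.dst_op, pkt.dport)):
            continue
        return e.action
    return "deny"


# The two outbound entries quoted in the post:
#   access-list 101 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
#   access-list 101 deny icmp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
ACL_101_OUTBOUND = [
    AclEntry("permit", "tcp", "128.88.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
    AclEntry("deny", "icmp", "128.88.0.0", "0.0.255.255", "0.0.0.0", "255.255.255.255"),
]

# Constructed inbound list (an assumption, not the manual's text): only TCP from a
# source port above 1023 to port 25 on one mail host is allowed in.
ACL_102_INBOUND = [
    AclEntry("permit", "tcp", "0.0.0.0", "255.255.255.255", "128.88.1.2", "0.0.0.0",
             src_op=("gt", 1023), dst_op=("eq", 25)),
]


def decisions():
    """Return the verdicts for a few constructed packets, keyed by description."""
    return {
        "out tcp from 128.88": evaluate(ACL_101_OUTBOUND, Packet("tcp", "128.88.1.2", "192.0.2.10", 4000, 80)),
        "out icmp from 128.88": evaluate(ACL_101_OUTBOUND, Packet("icmp", "128.88.1.2", "192.0.2.10")),
        "out udp from 128.88": evaluate(ACL_101_OUTBOUND, Packet("udp", "128.88.1.2", "192.0.2.10", 4000, 53)),
        "out tcp, wrong source net": evaluate(ACL_101_OUTBOUND, Packet("tcp", "10.0.0.1", "192.0.2.10", 4000, 80)),
        "in smtp to mail host": evaluate(ACL_102_INBOUND, Packet("tcp", "192.0.2.10", "128.88.1.2", 40000, 25)),
        "in smtp, low source port": evaluate(ACL_102_INBOUND, Packet("tcp", "192.0.2.10", "128.88.1.2", 25, 25)),
        "in telnet to mail host": evaluate(ACL_102_INBOUND, Packet("tcp", "192.0.2.10", "128.88.1.2", 40000, 23)),
        "in smtp to other host": evaluate(ACL_102_INBOUND, Packet("tcp", "192.0.2.10", "128.88.1.3", 40000, 25)),
    }


if __name__ == "__main__":
    for desc, verdict in decisions().items():
        print(f"{desc:28s} -> {verdict}")
```

Running it shows why the outbound `udp` packet is dropped even though no entry names UDP: nothing matches, so the implicit deny applies. The same mechanism is what makes the inbound list restrictive: anything other than TCP from a high source port to port 25 on 128.88.1.2 falls off the end of the list.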