[comp.dcom.sys.cisco] extended access-lists

brian@natinst.com (Brian H. Powell) (06/21/91)

     I'm new to the cisco router, so please bear with me.
     I've got some questions about extended access-lists, particularly about
the example in the 8.2 manual on pp. 5-26 and 5-27.  The example concerns
allowing all outbound connections, but restricting inbound connections only
to an SMTP port on a particular machine.
     I'll type in the outgoing side of their example, which is what I'm
curious about:

access-list 101 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255
access-list 101 deny icmp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255

     The first line makes sense, of course.  Why, though, deny outgoing
icmp?
     Also, in this example, the inbound traffic is limited to source ports
greater than 1023.  Is this also appropriate for NNTP, FTP, DNS, and the
other sets of things we typically want to allow?  (Perhaps what I'm asking
is what are the various incantations for a typical secure setup where you
don't want to allow incoming telnet, rsh, etc., and restrict certain other
services (such as mail & news) to a specific host.)
     Thanks.

Brian
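As an added illustration (not part of the original post or the cisco manual), the following constructed Python model evaluates access-list entries the way the router does: in order, first match wins, and anything unmatched falls to the implicit deny at the end of every list. It reproduces the two outbound lines quoted above and adds a hypothetical inbound list for a made-up mail host 128.88.1.2; the port operator is assumed to test the destination port.

```python
import ipaddress

# Constructed model of cisco extended access-list evaluation (added example,
# not the router's code). Entries are tried top to bottom; the first match
# decides; a packet matching nothing hits the implicit deny.

PORT_TESTS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
              "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}

def wildcard_match(addr, base, wildcard):
    """A wildcard mask is an inverted netmask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w            # bits that must be equal
    return (a & care) == (b & care)

def parse_entry(line):
    """Parse 'access-list N {permit|deny} proto src smask dst dmask [op port]'."""
    f = line.split()
    entry = {"action": f[2], "proto": f[3], "src": f[4:6], "dst": f[6:8]}
    if len(f) > 9:
        # Assumption: an operator after the destination tests the destination port.
        entry["op"], entry["port"] = f[8], int(f[9])
    return entry

def entry_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:   # 'ip' matches any protocol
        return False
    if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
        return False
    if "op" in e and not PORT_TESTS[e["op"]](pkt.get("dport", 0), e["port"]):
        return False
    return True

def evaluate(acl, pkt):
    """Return (action, index of the deciding entry); index None means implicit deny."""
    for i, line in enumerate(acl):
        if entry_matches(parse_entry(line), pkt):
            return parse_entry(line)["action"], i
    return "deny", None

# The two outbound lines quoted in the post.
OUTBOUND = [
    "access-list 101 permit tcp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny icmp 128.88.0.0 0.0.255.255 0.0.0.0 255.255.255.255",
]
# Constructed inbound list: only SMTP to one hypothetical mail host gets in.
INBOUND = ["access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25"]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": "128.88.4.5", "dst": "192.0.2.9", "dport": 80},
                {"proto": "icmp", "src": "128.88.4.5", "dst": "192.0.2.9"}):
        print(pkt["proto"], "outbound ->", evaluate(OUTBOUND, pkt))
```

Running it shows which entry decides each packet; an ICMP packet from 128.88.0.0/16 is denied by line 2, while any packet from outside that range is denied by the implicit deny without touching either line.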