simon@sirius.ucs.adelaide.edu.au (Simon Hackett) (01/31/91)
We have the (now common, I think :-) ) problem that our management is insisting we block traffic from the "mud" game from getting into our campus.

Right now, we run access control lists on our main cisco which allow a defined list of hosts full access to the internet, and deny access to all others. We have had extra access control lists on the cisco to allow SMTP mail to communicate without restriction from any host, i.e. acl lines of the form

    access-list xxx permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 25
    access-list xxx permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 gt 1023

both for the interface connected to the internet and on interfaces going out to our subnets. The first of these lines permits the SMTP protocol connection, and the second permits the connection from the SMTP server back to the originating system over an unprivileged port.

The trouble, of course, is that "mud" uses unprivileged ports, so the above access control lists permit unrestricted "mud" access to and from our campus.

What I'd really like to do is have an access control list set up which permits packets which have a source port of 25, and another acl which permits packets with a _destination_ port of 25. As I understand the current acl structure, I can only specify the destination port number.

So: what are the solutions, if any? Is it likely that cisco will enhance the acl syntax at some point to include the examination of both source _and_ target port numbers? Is there some other way to do what we want to do that I haven't thought of?

Cheers,

Simon Hackett
Comms/networking Consultant
Adelaide Uni
South Australia
simon@itd.adelaide.edu.au
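The following is an added worked example, not part of the original post and not cisco's code. It simulates first-match access-list evaluation (with the implicit deny at the end of every list) and runs the same constructed packets through three lists: the destination-port-only pair quoted in the post, the source-port line the poster asks for, and the "established" keyword (match only TCP segments with ACK or RST set) that later IOS extended access lists provide. The addresses, the mud port 4000, and the IOS syntax quoted in comments are assumptions for illustration; the verdicts show why "gt 1023" lets a mud session through and what each alternative changes.

```python
"""Access-list evaluator, constructed as an added example (not from the post).

It models Cisco-style first-match semantics with the implicit deny at the end
and compares three lists: the destination-port-only pair quoted in the post,
the source-port rule the poster asks for, and the ``established`` keyword
(match only TCP segments with ACK/RST set) that later IOS extended access
lists provide.  Addresses and the mud port below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit; False for the opening SYN of a connection


Matcher = Callable[[Packet], bool]
Rule = Tuple[str, Matcher]  # ("permit" | "deny", predicate)


def dport_eq(port: int) -> Matcher:
    return lambda p: p.dport == port


def dport_gt(port: int) -> Matcher:
    return lambda p: p.dport > port


def sport_eq(port: int) -> Matcher:
    return lambda p: p.sport == port


def established() -> Matcher:
    # IOS 'established' matches segments with ACK or RST; ACK alone suffices here.
    return lambda p: p.ack


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching line decides; a list with no match denies the packet."""
    for action, match in acl:
        if match(pkt):
            return action
    return "deny"


# The two lines quoted in the post, keyed on destination port only.
DEST_ONLY_ACL: List[Rule] = [("permit", dport_eq(25)), ("permit", dport_gt(1023))]

# What the post asks for: one line on destination port 25, one on SOURCE port 25
# (assumed later IOS syntax: 'access-list 101 permit tcp any eq 25 any').
SOURCE_PORT_ACL: List[Rule] = [("permit", dport_eq(25)), ("permit", sport_eq(25))]

# Alternative: permit anything that is already part of an open connection
# (assumed later IOS syntax: 'access-list 101 permit tcp any any established').
ESTABLISHED_ACL: List[Rule] = [("permit", dport_eq(25)), ("permit", established())]

ACLS = {"dest-only": DEST_ONLY_ACL, "source-port": SOURCE_PORT_ACL,
        "established": ESTABLISHED_ACL}

# Constructed traffic: an SMTP exchange and a mud session (mud port 4000 assumed).
SMTP_OPEN = Packet("203.0.113.5", 40000, "192.0.2.10", 25)
SMTP_REPLY = Packet("192.0.2.10", 25, "203.0.113.5", 40000, ack=True)
MUD_OPEN = Packet("192.0.2.20", 40001, "203.0.113.9", 4000)
MUD_REPLY = Packet("203.0.113.9", 4000, "192.0.2.20", 40001, ack=True)
SAMPLE = {"smtp open": SMTP_OPEN, "smtp reply": SMTP_REPLY,
          "mud open": MUD_OPEN, "mud reply": MUD_REPLY}


def verdicts(pkt: Packet) -> Dict[str, str]:
    """Decision of every list for one packet, e.g. {'dest-only': 'permit', ...}."""
    return {name: evaluate(acl, pkt) for name, acl in ACLS.items()}


if __name__ == "__main__":
    # Print a verdict table for the constructed packets.
    print(f"{'packet':<12}" + "".join(f"{n:>14}" for n in ACLS))
    for label, pkt in SAMPLE.items():
        v = verdicts(pkt)
        print(f"{label:<12}" + "".join(f"{v[n]:>14}" for n in ACLS))
```

Running it shows the hole the post describes: the destination-only list permits both directions of the mud session because every mud packet has an unprivileged destination port. The source-port list denies both mud packets while still passing the SMTP reply, but it also denies every other non-SMTP service, so the defined list of fully permitted hosts needs its own lines ahead of it. The "established" list stops the opening segment in either direction, yet it still passes any segment that carries the ACK bit, so it only blocks a session if the SYN is denied on the interface the session opens through.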