[comp.dcom.sys.cisco] Access restriction by TCP port number

simon@sirius.ucs.adelaide.edu.au (Simon Hackett) (01/31/91)

We have the (now common, I think :-) ) problem that our management is insisting
we block traffic from the "mud" game from getting into our campus.

Right now, we run access control lists on our main cisco which allow a
defined list of hosts full access to the internet, and deny access to all
others.

We have had extra access control lists on the cisco to allow SMTP mail to
communicate without restriction from any host, i.e. acl lines of the form

access-list xxx permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 25
access-list xxx permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 gt 1023

both for the interface connected to the internet and on interfaces
going out to our subnets.

The first of these lines permits the smtp protocol connection, and the
second permits the connection from the smtp server back to the originating
system over an unprivileged port.

The trouble, of course, is that "mud" uses unprivileged ports, so the
above access control lists permit unrestricted "mud" access to and from
our campus.

What I'd really like to do is have an access control list set up which
permits packets which have a source port of 25, and another acl which
permits packets with a _destination_ port of 25. As I understand the
current acl structure, I can only specify the destination port number.

So: what are the solutions, if any? Is it likely that cisco will enhance the
acl syntax at some point to include the examination of both source _and_
target port numbers? Is there some other way to do what we want to do that
I haven't thought of?

Cheers,
        Simon Hackett
        Comms/networking Consultant
        Adelaide Uni
        South Australia
        simon@itd.adelaide.edu.au
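As an added illustration (not from Simon's post, and not cisco's own code), here is a small Python model of the two quoted extended access-list lines: first match wins, an unmatched packet hits the implicit deny, and, because the syntax only examines the destination port, the list cannot tell the SMTP server's reply to an unprivileged port from a "mud" session on one. The list number 101, the addresses and the ports in the sample packets are constructed.

```python
import ipaddress

# Constructed evaluator for the classic extended access-list syntax quoted in
# the post. An entry matches on protocol, source/destination address (wildcard
# mask: bit set = "don't care") and only the DESTINATION port. First match
# wins; a packet matching no entry is denied. 101 stands in for the post's xxx.
ACL = [
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 25",
    "access-list 101 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 gt 1023",
]

def parse_acl_line(line):
    p = line.split()
    return {"action": p[2], "proto": p[3],
            "src": (int(ipaddress.IPv4Address(p[4])), int(ipaddress.IPv4Address(p[5]))),
            "dst": (int(ipaddress.IPv4Address(p[6])), int(ipaddress.IPv4Address(p[7]))),
            "op": p[8] if len(p) > 8 else None,
            "port": int(p[9]) if len(p) > 9 else None}

def addr_match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # bits that must match exactly
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def port_match(op, port, dport):
    if op is None:
        return True                        # no port clause: any port
    return {"eq": dport == port, "gt": dport > port, "lt": dport < port}[op]

def evaluate(acl_lines, pkt):
    for e in map(parse_acl_line, acl_lines):
        if (e["proto"] == pkt["proto"] and addr_match(pkt["src"], e["src"])
                and addr_match(pkt["dst"], e["dst"])
                and port_match(e["op"], e["port"], pkt["dport"])):
            return e["action"]
    return "deny"                          # implicit deny at the end of the list

# Constructed packets; the source port is carried but never consulted above.
PACKETS = {
    "smtp request": {"proto": "tcp", "src": "10.0.0.1", "dst": "192.0.2.1", "sport": 4001, "dport": 25},
    "smtp reply":   {"proto": "tcp", "src": "192.0.2.1", "dst": "10.0.0.1", "sport": 25,   "dport": 4001},
    "mud session":  {"proto": "tcp", "src": "10.0.0.1", "dst": "192.0.2.9", "sport": 4002, "dport": 4000},
    "telnet":       {"proto": "tcp", "src": "10.0.0.1", "dst": "192.0.2.9", "sport": 4003, "dport": 23},
}

def classify(acl_lines=ACL, packets=PACKETS):
    return {name: evaluate(acl_lines, pkt) for name, pkt in packets.items()}
```

Running `classify()` shows both the SMTP reply and the "mud" session permitted by the `gt 1023` line, which is exactly the gap the post describes.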