dyer@spdcc.COM (Steve Dyer) (01/17/91)
----CISCO-- [net a.b.c.0] HOSTB
 |----|-----------|
 HOSTA
 |-----[slip]----| [net a.b.d.0]
 HOSTC
 |--------------------|
 |
 HOSTD, HOSTE, etc.

The Cisco has a static route for network a.b.d pointing to the ethernet address of HOSTA. I would like to set up an access list on the Cisco which limits incoming TCP connections to net a.b.d to the SMTP port on HOSTC. However, I would like any of the hosts on net a.b.d to be able to initiate connections to anyplace in the rest of the net. At the same time, I do not want to limit access in any way on net a.b.c.

The brief description in the gateway manual doesn't make the required statements leap out at me. Has anyone done this before who can provide the boilerplate?

Thanks,

--
Steve Dyer
dyer@ursa-major.spdcc.com aka {ima,harvard,rayssd,linus,m2c}!spdcc!dyer
dyer@arktouros.mit.edu, dyer@hstbme.mit.edu
barmar@think.com (Barry Margolin) (01/18/91)
In article <6033@spdcc.SPDCC.COM> dyer@spdcc.COM (Steve Dyer) writes:
>----CISCO-- [net a.b.c.0] HOSTB
> |----|-----------|
> HOSTA
> |-----[slip]----| [net a.b.d.0]
> HOSTC
> |--------------------|
> |
> HOSTD, HOSTE, etc.
>
>The Cisco has a static route for network a.b.d pointing to the ethernet
>address of HOSTA. I would like to set up an access list on the Cisco
>which limits incoming TCP connections to net a.b.d to the SMTP port
>on HOSTC, However, I would like any of the hosts on net a.b.d
>to be able to initiate connections to anyplace in the rest of the net.
>At the same time, I do not want to limit access in any way on net
>a.b.c.

Designing access lists isn't too hard once you get the hang of it, but it is an arcane art, and it is easy to make mistakes. I think the following will do what you want:

 # Allow all ICMP traffic
 access-list 100 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
 # Allow all traffic on established TCP connections (an 8.2 feature)
 access-list 100 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 established
 # Allow all traffic to net a.b.c
 access-list 100 permit ip 0.0.0.0 255.255.255.255 a.b.c.0 0.0.0.255
 # Allow connections to HOSTC's SMTP port
 access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.d.HOSTC 0.0.0.0 eq 25
 # Allow all traffic from net a.b.c
 access-list 100 permit ip a.b.c.0 0.0.0.255 0.0.0.0 255.255.255.255
 # Disallow all other IP traffic to net a.b.d
 access-list 100 deny ip 0.0.0.0 255.255.255.255 a.b.d.0 0.0.0.255

Then in the configuration for the cisco interface to net a.b.c.0, add the "access-group 100" statement.

The last statement isn't actually necessary, as the default is to deny any traffic not specifically permitted. Also, I've had some confusing behavior with the new "established" option to IP extended access lists, but I haven't yet investigated it enough to be able to send a detailed bug report to cisco.

Note also that you didn't mention anything about UDP traffic. The above configuration will allow hosts on net a.b.d to send UDP datagrams, but they won't be able to receive any replies from hosts on the other side of the cisco. To allow this, insert the following before the last statement above:

 # Disallow incoming NFS requests
 access-list 100 deny udp 0.0.0.0 255.255.255.255 a.b.d.0 0.0.0.255 eq 2049
 # Allow incoming UDP packets to the domain port (some Unix systems
 # apparently use it as the source port for queries, for some reason)
 access-list 100 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
 # Allow other UDP packets to high-numbered ports (they're probably replies)
 access-list 100 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 gt 1023

Note the important word "probably" in the comment before the last statement. UDP provides no unambiguous way to distinguish queries from replies; the closest you can come is to assume that datagrams destined to low-numbered ports are queries and those destined for high-numbered ports are replies. The preceding statements handle the important exceptions to this rule that I'm aware of (most other Sun RPC-based services also use high-numbered ports, but they generally can't do any damage, and you usually have to contact the port-mapper (which uses a low-numbered port) to find out their port numbers, whereas NFS's use of 2049 is hard-coded in some implementations).

--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
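As an added illustration (not part of the thread), here is a small evaluator for the complete access-list 100 above, in the order Barry gives it with the UDP entries inserted before the final deny. It models Cisco's first-match rule, wildcard masks, the eq/gt port operators and the "established" keyword (ACK or RST set), so the intended outcomes can be checked against sample packets. The addresses are constructed: net a.b.c is 10.1.1.0, net a.b.d is 10.1.2.0, HOSTC is 10.1.2.3, and 192.0.2.10 stands in for an outside host.

```python
# Added example, not from the thread: evaluator for Barry's access-list 100.
# Constructed addresses: a.b.c = 10.1.1.0, a.b.d = 10.1.2.0, HOSTC = 10.1.2.3.
from dataclasses import dataclass
ANY, ALL = "0.0.0.0", "255.255.255.255"   # "any": base 0, every mask bit don't-care
NET_C, NET_D, HOSTC = "10.1.1.0", "10.1.2.0", "10.1.2.3"

def ip_int(a):
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

def wild_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 1 bit in the mask means "ignore this bit".
    w = ip_int(wildcard)
    return (ip_int(addr) | w) == (ip_int(base) | w)

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set

# Entries in the posted order, UDP entries inserted before the final deny:
# (action, proto, src, src-wild, dst, dst-wild, port-op, port, established)
ACL_100 = [
    ("permit", "icmp", ANY, ALL, ANY, ALL, None, None, False),
    ("permit", "tcp",  ANY, ALL, ANY, ALL, None, None, True),
    ("permit", "ip",   ANY, ALL, NET_C, "0.0.0.255", None, None, False),
    ("permit", "tcp",  ANY, ALL, HOSTC, "0.0.0.0", "eq", 25, False),
    ("permit", "ip",   NET_C, "0.0.0.255", ANY, ALL, None, None, False),
    ("deny",   "udp",  ANY, ALL, NET_D, "0.0.0.255", "eq", 2049, False),
    ("permit", "udp",  ANY, ALL, ANY, ALL, "eq", 53, False),
    ("permit", "udp",  ANY, ALL, ANY, ALL, "gt", 1023, False),
    ("deny",   "ip",   ANY, ALL, NET_D, "0.0.0.255", None, None, False),
]

def rule_matches(rule, pkt):
    _, proto, src, sw, dst, dw, op, port, est = rule
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (wild_match(pkt.src, src, sw) and wild_match(pkt.dst, dst, dw)):
        return False
    if (op == "eq" and pkt.dport != port) or (op == "gt" and pkt.dport <= port):
        return False
    return not est or pkt.established

def evaluate(acl, pkt):
    # First matching entry decides; no match at all means the implicit deny.
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule[0]
    return "deny"
```

Running it shows the two points Barry makes: a new TCP connection to any a.b.d host other than HOSTC port 25 falls through to the deny, while a UDP datagram to a high port on a.b.d is let through on the "probably a reply" heuristic, so a UDP service listening above 1023 on a.b.d is reachable unless it gets its own deny entry like the NFS one.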