Filtering on source port (was priority lists: telnet over FTP)

Post by Tim Guarnie » Sun, 29 Mar 1992 10:07:18

>> priority-list <list> protocol ip <queue> ip tcp <port>
>> This will assign all packets with TCP source or destination port equal
>> to <port> to the specified <queue>.  You can also use "ip udp" for
>> prioritizing UDP packets.

Hmm.  I'm not trying to prioritize traffic, per se.  What I am trying to
do is only allow certain types of TCP connections (in certain directions)
through the IGS.  For example:

        "inbound" -->
                       |
        <---> IGS <--->|  a.l. = access list
        a.l.      a.l. |  
        101       100  |- host (address a.b.c.d)
                       |
        <-- "outbound"

access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0 eq 21
access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0 eq 20

Will permit "inbound" traffic from any source address/port to port 20/21 on host
a.b.c.d.  If there are no extended access lists on the "outbound" port, things
work fine.  If there are, then you need to explicitly allow the connection
to succeed.  For the sake of this example, I will put an access list on
the outbound port, although they aren't needed for what I am trying to
accomplish.

Now, say that you want to permit "outbound" connections from host a.b.c.d to
any destination address, ports 20 & 21:

access-list 101 permit tcp a.b.c.d 0.0.0.0 0.0.0.0 255.255.255.255 eq 20
access-list 101 permit tcp a.b.c.d 0.0.0.0 0.0.0.0 255.255.255.255 eq 21

To allow for the "reverse" half of this connection, you need to add the
following rule to access-list 100:

access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 20 a.b.c.d 0.0.0.0
access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 21 a.b.c.d 0.0.0.0

Currently, I can't do this.  The only way I can allow the connection to
succeed (given the current syntax) is to use:

access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0

which is basically pointless.  It allows any host, any port to connect to
host a.b.c.d, any port.  This is undesirable.

So, the $64K question is: Can I filter on source port in 8.3(1)?
--

Adobe Systems Incorporated, Mountain View, CA   adobe!timg


Filtering on source port (was priority lists: telnet over FTP)

Post by Tony » Sun, 29 Mar 1992 16:23:36

        "inbound" -->
                       |
        <---> IGS <--->|  a.l. = access list
        a.l.      a.l. |  
        101       100  |- host (address a.b.c.d)
                       |
        <-- "outbound"

    Now, say that you want to permit "outbound" connections from host a.b.c.d to
    any destination address, ports 20 & 21:

    access-list 101 permit tcp a.b.c.d 0.0.0.0 0.0.0.0 255.255.255.255 eq 20
    access-list 101 permit tcp a.b.c.d 0.0.0.0 0.0.0.0 255.255.255.255 eq 21

    To allow for the "reverse" half of this connection, you need to add the
    following rule to access-list 100:

    access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 20 a.b.c.d 0.0.0.0
    access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 21 a.b.c.d 0.0.0.0

    Currently, I can't do this.  

Have you looked at using the "established" keyword?  Does this do what
you want?

access-list 100 permit tcp 0.0.0.0 255.255.255.255 a.b.c.d 0.0.0.0 established

    So, the $64K question is: Can I filter on source port in 8.3(1)?

Nope, sorry.

--

                       The net is not what it seems.
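Both the source-port rules Tim asks for and the "established" keyword Tony suggests can be checked against a small model of the extended access-list syntax used in this thread. This is an added example, not code from either post or from Cisco; 10.0.0.5 stands in for a.b.c.d, the packets are constructed, and "established" is modelled as a test of the ACK/RST bits, which is all it checks on the router.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """access-list N permit|deny tcp SRC WILD [eq PORT] DST WILD [eq PORT] [established]; a wildcard bit of 1 is "don't care"."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("unsupported entry: " + line)
    ace, i = {"action": t[2], "sport": None, "dport": None}, 4
    for side in ("src", "dst"):
        ace[side], ace[side + "_wild"], i = _ip(t[i]), _ip(t[i + 1]), i + 2
        if i < len(t) and t[i] == "eq":  # optional port qualifier on this side
            ace[side[0] + "port"], i = int(t[i + 1]), i + 2
    ace["established"] = i < len(t) and t[i] == "established"
    return ace

def ace_matches(ace, pkt):
    # "established" only tests that ACK or RST is set (the packet claims an existing connection); no state is kept.
    if ace["established"] and not pkt["ack_or_rst"]:
        return False
    for side in ("src", "dst"):
        keep = ~ace[side + "_wild"] & 0xFFFFFFFF  # bits the rule actually compares
        if _ip(pkt[side]) & keep != ace[side] & keep:
            return False
    return ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"])

def evaluate(acl_text, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# 10.0.0.5 is a constructed stand-in for the thread's host a.b.c.d.
ACL_ANY_PORT = "access-list 100 permit tcp 0.0.0.0 255.255.255.255 10.0.0.5 0.0.0.0"
FTP_IN = """
access-list 100 permit tcp 0.0.0.0 255.255.255.255 10.0.0.5 0.0.0.0 eq 21
access-list 100 permit tcp 0.0.0.0 255.255.255.255 10.0.0.5 0.0.0.0 eq 20"""
ACL_SRC_PORT = FTP_IN + """
access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 20 10.0.0.5 0.0.0.0
access-list 100 permit tcp 0.0.0.0 255.255.255.255 eq 21 10.0.0.5 0.0.0.0"""
ACL_ESTABLISHED = FTP_IN + """
access-list 100 permit tcp 0.0.0.0 255.255.255.255 10.0.0.5 0.0.0.0 established"""
# Constructed packets as seen on the "inbound" interface.
NEW_FTP = {"src": "192.0.2.9", "sport": 3010, "dst": "10.0.0.5", "dport": 21, "ack_or_rst": False}
FTP_REPLY = {"src": "192.0.2.9", "sport": 21, "dst": "10.0.0.5", "dport": 3011, "ack_or_rst": True}
NEW_SMTP = {"src": "192.0.2.9", "sport": 3012, "dst": "10.0.0.5", "dport": 25, "ack_or_rst": False}
```

The catch-all rule permits the unsolicited SMTP connection, while both the source-port list and the established list permit the inbound FTP connection and the reply half of the outbound one but drop the SMTP attempt.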