
ACLs - fin, ack, established
firechicken

2001-11-12, 10:58 pm

Could someone please explain to me what the FIN, ACK, and ESTABLISHED options mean regarding ACLs using tcp? If you could give me an example of when you'd use these options, I'd appreciate it.

TIA.

In case someone wants to throw me a Cisco link, don't waste your time.
MadChef

2001-11-13, 5:42 am

I've never actually seen the FIN or ACK keywords in IOS. Where did you find these?
The established keyword matches packets with the ACK or RST bits set in the TCP header. They would be used to find anything that isn't a SYN packet, or an attempt to set up a tcp connection. Creative use of the established keyword can yield a very primitive firewall by permitting ACK packets and denying SYNs.

MadChef
firechicken

2001-11-13, 10:35 am

Looks like I need to check out my RFCs. The reason I ask is, I was playing around and tried to block myself from using port 80, but embarrassingly couldn't do it (as far as the internet was concerned). But...I blocked myself from accessing the switch using the Web interface. Here's a partial sh run from my 2900:

interface VLAN1
 ip address 192.168.0.5 255.255.255.0
 ip access-group 101 in
 no ip directed-broadcast
 no ip route-cache
!
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any


If anyone sees anything wrong, please clue me in.

Here's some output from my 2900 XL running Enterprise Edition.

Version 12.0(5.3)WC(1)

LosAngeles(config)#access-list 101 deny tcp any any ?
  ack          Match on the ACK bit
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>
007

2001-11-13, 11:19 am

I believe the access-list should be applied as both in and out...

just my idea, but the reason being when you access the internet as a client on your switch you're going outbound, so the access-group applied "in" would not stop this transmission, however it would stop inbound connections to the switch through web-management...

could be wrong, but that's what popped up in my head....
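MadChef's description of the established keyword and the ACL 101 question can both be checked with a small evaluator. The following is an added example, not code from the thread, from Cisco IOS or from any of the posters: it models only the matching rules discussed above for TCP entries with "any any" addresses (first match wins, implicit deny at the end, eq on the destination port, established meaning the ACK or RST bit is set). The host addresses, port numbers and packets are constructed, and the observation that a web server's reply carries port 80 as its source port rather than its destination port is the example's own reasoning about why "eq www" does not match it.

```python
"""Toy evaluator for IOS-style extended ACL entries on TCP packets.

Added example: it models first-match evaluation with an implicit deny,
'eq <port>' on the destination port, and 'established' (ACK or RST set),
so the two ACLs discussed in the thread can be tried against constructed
packets offline. It is not an IOS implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Packet:
    """A TCP segment reduced to the fields the ACL entries look at."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = field(default_factory=frozenset)  # e.g. {"SYN"}


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp" or "ip" ("ip" matches any packet)
    dport: Optional[int] = None     # 'eq <port>' on the destination port
    established: bool = False       # 'established': ACK or RST bit set
    flag: Optional[str] = None      # single-bit match such as 'syn' or 'ack'

    def matches(self, pkt: Packet) -> bool:
        # 'any any' source/destination addresses are assumed, as in ACL 101.
        if self.proto == "tcp":
            if self.dport is not None and pkt.dport != self.dport:
                return False
            if self.established and not (pkt.flags & {"ACK", "RST"}):
                return False
            if self.flag is not None and self.flag.upper() not in pkt.flags:
                return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# MadChef's "primitive firewall": permit established (ACK/RST) traffic and
# deny new connection attempts (bare SYN). Constructed entries.
PRIMITIVE_FIREWALL = [
    Entry("permit", "tcp", established=True),
    Entry("deny", "tcp"),
]

# firechicken's ACL 101 as shown in the partial 'sh run'.
ACL_101 = [
    Entry("deny", "tcp", dport=80),
    Entry("permit", "ip"),
]


def check_primitive_firewall() -> Dict[str, str]:
    """Constructed inbound packets against the permit-established ACL."""
    syn = Packet("203.0.113.9", "192.168.0.5", 40000, 23, frozenset({"SYN"}))
    ack = Packet("203.0.113.9", "192.168.0.5", 23, 40000, frozenset({"ACK"}))
    rst = Packet("203.0.113.9", "192.168.0.5", 23, 40000, frozenset({"RST"}))
    return {
        "inbound_syn": evaluate(PRIMITIVE_FIREWALL, syn),   # new connection: deny
        "inbound_ack": evaluate(PRIMITIVE_FIREWALL, ack),   # established: permit
        "inbound_rst": evaluate(PRIMITIVE_FIREWALL, rst),   # established: permit
    }


def check_acl_101() -> Dict[str, str]:
    """Constructed packets as seen inbound by 'ip access-group 101 in'."""
    # A LAN browser opening the switch's own web interface: dst port 80.
    to_switch_web = Packet("192.168.0.10", "192.168.0.5", 40001, 80,
                           frozenset({"SYN"}))
    # A reply from an internet web server to a LAN client: port 80 is the
    # SOURCE port here, so 'deny tcp any any eq www' does not match it.
    web_reply = Packet("198.51.100.7", "192.168.0.10", 80, 40002,
                       frozenset({"ACK"}))
    return {
        "lan_to_switch_web": evaluate(ACL_101, to_switch_web),
        "internet_web_reply": evaluate(ACL_101, web_reply),
    }


if __name__ == "__main__":
    print(check_primitive_firewall())
    print(check_acl_101())
```

Running it shows the bare SYN denied and the ACK/RST segments permitted by the established entry, and for ACL 101 the connection to the switch's web interface denied while the server's reply is permitted because its destination port is the client's ephemeral port, not 80.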
Copyright 2003 - 2008 examnotes.net