ACLs and TCP/IP

NocturnalNocturnal Posts: 44Member ■■□□□□□□□□
Hello ALL!!

I was doing some additional background reading on ACLs and came across something that brought questions to mind.

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

The paper states that the first three lines aren't necessary because TCP includes Telnet, and IP includes TCP, UDP, and ICMP. I'm wondering, what OTHER protocols do they include?

Just to make sure I'm getting this, the first statement says only allow packets with a TCP header from host 10.1.1.2 to host 172.16.1.1 to dest port 23, telnet sessions only, whereas the second imlplies any destination port? The third allows UDP in any port? The last encompasses all because IP includes TCP and UDP (as well as others)?

Let's say you just don't want anyone telnetting into network 172.16.1.0, would it be:

access-list 101 deny tcp host 10.1.1.2 host 172.16.1.1 eq telnet
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255

You have to deny first, otherwise the telnet session slips through??

Is this the DEAL??

Also, I have been able to find lists of well known TCP ports. Does anyone know of a list that compares well known TCP ports to UDP ports?

Thanks!!
"...a long habit of not thinking a thing wrong, gives it a superficial appearance of being right,..."
--Tom Paine

Comments

  • tunerXtunerX Posts: 447Member ■■■□□□□□□□
    http://www.iana.org/assignments/port-numbers

    Permitting and Denying is based on what and how many. If you have several flows that you want to deny but allow everything else then you do deny firsts. If you have several flows that you want to permit then you permit those first. As soon as a match is made in the access list the access-list control exits the loop of reading the lines.

    access-list 100 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
    access-list 100 deny tcp any any eq telnet
    access-list 100 permit ip any any

    This would only allow telnets based on one particular flow 10.1.1.2 to 172.16.1.1. All other telnets would be blocked. Then any traffic besides telnet is allowed through.


    access-list 100 deny tcp any any eq telnet
    access-list 100 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
    access-list 100 permit ip any any

    Absolutely no one would be able to telnet since the first comparison denies all telnet traffic. As soon as a telnet packet is compared to the list it matches the first line, the traffic is blocked and the ACL process exits. The second line might as well not even be there.

    You have to check to make sure traffic is identified in the order you want to identify it.
  • NocturnalNocturnal Posts: 44Member ■■□□□□□□□□
    BTW...very cool to be chatting with Europeans. You don't know how much willpower I have to call upon to keep politics out of my posts here....I reserve those comments for other places.
    "...a long habit of not thinking a thing wrong, gives it a superficial appearance of being right,..."
    --Tom Paine
Sign In or Register to comment.