Re: [nsp] some filter questions

From: Danny McPherson (danny@genuity.net)
Date: Fri Feb 13 1998 - 02:47:02 EST


Assuming you wanted to deny access to those ports from hosts *not* off the
ethernet port, you need "ip access-group 105 out", not "ip access-group 105
in". If you're sourcing it from a host on the same LAN segment .. the router
can't do anything about that..

-danny

> I currently use 10.3 and I have a question on ip packet filter.
>
> I thought I knew how, but it fails to filter.
>
> I create access-list 105 as follows
> access-list 105 deny udp any any eq netbios-ns
> access-list 105 deny tcp any any eq 137
> access-list 105 deny tcp any any eq 138
> access-list 105 deny tcp any any eq 139
> access-list 105 permit ip any any
>
> and I put into etherport say 5 as follows
>
> ip access-list 105 in
>
> then I ping with land host 139, it will kill the machine.
> why?
>
> Is it supposed to?
>
> I thought I filter the packet via access-list 105.
>
> what did I do wrong?
>
> thnx in adv.
>
> tatsuya
>
> Thank you for your continued support. This is Kawasaki @ giganet.
>
> Kawasaki
>
> = = = = = =
> Tel 03-3239-0607 fax 03-3239-2609
> business network telecom
> http://www.giganet.net
>
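
An added example, not part of the original thread: a small Python model of first-match ACL evaluation and interface direction, showing why access list 105 bound "in" on the Ethernet port does not filter traffic headed toward that LAN while "out" does. The interface name Serial0, the sample packets and the helper names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the posted list: (action, protocol, destination port).
ACL_105 = [
    ("deny", "udp", 137),    # deny udp any any eq netbios-ns
    ("deny", "tcp", 137),
    ("deny", "tcp", 138),
    ("deny", "tcp", 139),
    ("permit", "ip", None),  # permit ip any any
]

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int
    in_if: str   # interface the packet arrives on
    out_if: str  # interface the router would forward it out of

def acl_permits(acl, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for action, proto, port in acl:
        if proto in ("ip", pkt.proto) and port in (None, pkt.dport):
            return action == "permit"
    return False

def router_forwards(pkt, bindings):
    """bindings maps (interface, direction) -> ACL, like 'ip access-group N in|out'.

    Returns None when both hosts sit on one segment: the packet never
    crosses the router, so no ACL is consulted at all."""
    if pkt.in_if == pkt.out_if:
        return None
    for key in ((pkt.in_if, "in"), (pkt.out_if, "out")):
        acl = bindings.get(key)
        if acl is not None and not acl_permits(acl, pkt):
            return False
    return True

# Constructed traffic: Ethernet5 is the protected LAN, Serial0 a hypothetical upstream link.
from_outside = Packet("tcp", 139, in_if="Serial0", out_if="Ethernet5")
from_lan = Packet("tcp", 139, in_if="Ethernet5", out_if="Serial0")
same_segment = Packet("tcp", 139, in_if="Ethernet5", out_if="Ethernet5")
web_traffic = Packet("tcp", 80, in_if="Serial0", out_if="Ethernet5")

as_posted = {("Ethernet5", "in"): ACL_105}    # checks only what the LAN sends
as_advised = {("Ethernet5", "out"): ACL_105}  # checks what is sent toward the LAN

if __name__ == "__main__":
    for label, b in (("in", as_posted), ("out", as_advised)):
        print(label, [router_forwards(p, b) for p in (from_outside, from_lan, same_segment, web_traffic)])
```
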


