Re: [nsp] some filter questions

From: Tatsuya Kawasaki (tatsuya@giganet.net)
Date: Sun Feb 15 1998 - 23:39:42 EST


Okay, let me explain my situation and you tell me what I
REALLY need to do.

suppose

e1: 210.1.1.1 255.255.255.0 with my machine 210.1.1.2
e2: 210.1.2.1 255.255.255.0 with target machine 210.1.2.2

Needless to say, there are two LANs and I want to prevent a
"land" attack on the machine that lies in the 210.1.2.1/26 segment.

Currently, when I launch a land packet from my machine to the machine, it
will kill it.

You are telling me I have to use access-list "out."

Here are some dumb questions, since I am new to Cisco.

1. I understand that the order in which the filters come makes them
   behave differently. Could you supply me with a short explanation why?
2. Say, on the same port, I put two access-lists "in", for example;
   how does the set of filtering work? Especially if it contained some conflict,
i.e.

access-list 105 deny udp any any eq netbios-ns
.....
access-list 106 permit udp any any eq netbios-ns
.....

on e1
ip access list 105 in
ip access list 106 in
-------------------------------

thnx

tatsuya
------------------

Finally, for netbios-ns, in order to communicate with another machine,
must both the source and target machine use UDP ports 137-139?

If I understand correctly, it seems that the source port could be anything;
all they need is to "talk" to the correct service port, then the target machine
"will" assign a different port for the target to communicate with the
target machine.

NOTE: source machine refers to the machine which originates the negotiation;
      target machine refers to the machine which is "asked" to negotiate.
As per the usual definition...

thank you,

Tatsuya
-------------------------

Thank you for your continued support. This is Kawasaki at giganet.

Kawasaki

= = = = = =
Tel 03-3239-0607 fax 03-3239-2609
business network telecom
http://www.giganet.net

On Fri, 13 Feb 1998, Danny McPherson wrote:

>
> Assuming you wanted to deny access to those ports from hosts *not* off the
> ethernet port, you need "ip access-group 105 out", not "ip access-group 105
> in". If you're sourcing it from a host on the same LAN segment .. the router
> can't do anything about that..
>
> -danny
>
> > I currently use 10.3 and I have a question on ip packet filter.
> >
> > I thought I knew how, but it fails to filter.
> >
> > I created access-list 105 as follows
> > access-list 105 deny udp any any eq netbios-ns
> > access-list 105 deny tcp any any eq 137
> > access-list 105 deny tcp any any eq 138
> > access-list 105 deny tcp any any eq 139
> > access-list 105 permit ip any any
> >
> > and I put it onto ethernet port, say, 5 as follows
> >
> > ip access-list 105 in
> >
> > then I ping with land host 139, it will kill the machine.
> > why?
> >
> > Is it supposed to?
> >
> > I thought I filtered the packet via access-list 105.
> >
> > what did I do wrong?
> >
> > thnx in adv.
> >
> > tatsuya
> >
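To show what the router actually does with the two questions above (first-match ordering, and a second access-group applied in the same direction) and why the reply says "out" rather than "in", here is a small Python model added for this thread. It is not code from the original posts or from Cisco and does not parse IOS configuration. It uses the two networks and the list numbers from the messages; the /24 masks, the host 210.1.2.3 and list 107 are constructed for the example, and it encodes the IOS rule that an interface holds one access list per direction, a second `ip access-group` in the same direction replacing the first.

```python
"""Toy model of Cisco-style numbered IP access lists and where they apply.
Added for this thread; not Cisco code. Addresses and list numbers come from
the messages; /24 masks, host 210.1.2.3 and list 107 are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: int | None = None   # destination port, None for icmp


@dataclass(frozen=True)
class Entry:
    """One line such as 'access-list 105 deny udp any any eq netbios-ns'."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    dport: int | None = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: list[Entry], pkt: Packet) -> str:
    """Entries are tried top to bottom; the first match decides and nothing
    below it is consulted. A list that matches nothing denies (implicit deny)."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


@dataclass
class Interface:
    network: str
    acl_in: int | None = None    # set by 'ip access-group N in'
    acl_out: int | None = None   # set by 'ip access-group N out'


class Router:
    def __init__(self) -> None:
        self.acls: dict[int, list[Entry]] = {}
        self.ifaces: dict[str, Interface] = {}

    def access_group(self, ifname: str, acl: int, direction: str) -> None:
        """'ip access-group N in|out': one list per interface and direction,
        so a second command in the same direction replaces the first."""
        iface = self.ifaces[ifname]
        if direction == "in":
            iface.acl_in = acl
        else:
            iface.acl_out = acl

    def forward(self, ingress: str, pkt: Packet) -> str:
        dst = ip_address(pkt.dst)
        egress = next((name for name, i in self.ifaces.items()
                       if dst in ip_network(i.network)), None)
        if egress is None:
            return "dropped: no route"
        if egress == ingress:
            # Host-to-host traffic on one LAN never crosses the router, so no
            # list on the router can see it (the reply's last point).
            return "not routed: same segment"
        inbound = self.ifaces[ingress]
        if inbound.acl_in is not None and \
                evaluate(self.acls[inbound.acl_in], pkt) == "deny":
            return f"dropped by {inbound.acl_in} in on {ingress}"
        outbound = self.ifaces[egress]
        if outbound.acl_out is not None and \
                evaluate(self.acls[outbound.acl_out], pkt) == "deny":
            return f"dropped by {outbound.acl_out} out on {egress}"
        return f"forwarded via {egress}"


def build_router() -> Router:
    r = Router()
    r.ifaces["e1"] = Interface("210.1.1.0/24")   # my machine 210.1.1.2
    r.ifaces["e2"] = Interface("210.1.2.0/24")   # target machine 210.1.2.2
    # access-list 105 from the thread; netbios-ns is UDP port 137
    r.acls[105] = [Entry("deny", "udp", 137), Entry("deny", "tcp", 137),
                   Entry("deny", "tcp", 138), Entry("deny", "tcp", 139),
                   Entry("permit", "ip")]
    # access-list 106 from question 2, with a final permit so it is complete
    r.acls[106] = [Entry("permit", "udp", 137), Entry("permit", "ip")]
    return r


# Constructed probe: a netbios-ns datagram from my LAN toward the target.
NETBIOS_NS = Packet("udp", "210.1.1.2", "210.1.2.2", 137)


def demo_direction() -> tuple[str, str]:
    """105 'in' on e2 only sees packets leaving e2's LAN; 105 'out' on e2
    sees packets heading to that LAN, which is what is wanted."""
    r_in = build_router()
    r_in.access_group("e2", 105, "in")
    r_out = build_router()
    r_out.access_group("e2", 105, "out")
    return r_in.forward("e1", NETBIOS_NS), r_out.forward("e1", NETBIOS_NS)


def demo_order() -> str:
    """Question 1: a 'permit ip any any' placed first shadows every deny below."""
    r = build_router()
    r.acls[107] = [Entry("permit", "ip"), Entry("deny", "udp", 137)]
    r.access_group("e2", 107, "out")
    return r.forward("e1", NETBIOS_NS)


def demo_two_lists() -> tuple[int | None, str]:
    """Question 2: applying 105 and then 106 'in' on e1 leaves only 106 active."""
    r = build_router()
    r.access_group("e1", 105, "in")
    r.access_group("e1", 106, "in")
    return r.ifaces["e1"].acl_in, r.forward("e1", NETBIOS_NS)


if __name__ == "__main__":
    print(demo_direction())   # ('forwarded via e2', 'dropped by 105 out on e2')
    print(demo_order())       # forwarded via e2
    print(demo_two_lists())   # (106, 'forwarded via e2')
```

The model keeps the two directions distinct on purpose: an inbound list on e2 is checked only against packets that enter the router from e2's own LAN, so a packet arriving on e1 and leaving through e2 meets only e1's inbound list and e2's outbound list. That is the whole reason the reply asks for "out" on the target's interface, and it is also why a packet between two hosts on the same segment is never seen by any list at all.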



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:15 EDT