[c-nsp] acl to block traffic one way
Gert Doering
gert at greenie.muc.de
Sun Mar 25 12:15:02 EST 2007
Hi,
On Sat, Mar 24, 2007 at 11:38:59PM -0500, Dan wrote:
> I work for a school district and the school with subnet 192.168.1.0/24
> has a curious group of people that just don't need to see any of the
> devices on 192.168.75.0/24, but the devices on 75.0/24 need to see 1.0/24.
"Need to see" is a concept unknown to IP packets.
You need to:
- define IP *services* that should be accessible ("HTTP")
- map that to the flow of packets (TCP SYN, TCP established, ...)
- make that into an ACL
- apply ACL inbound or outbound to the relevant packets
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
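As an added illustration of the four steps above (not part of Gert's reply or Dan's question), here is what they produce for the original scenario when the only "service" 75.0/24 needs from 1.0/24 is TCP sessions that 75.0/24 opens (for example HTTP). The interface name and the inbound placement on the 1.0/24-facing interface are assumptions; the subnets are the ones from the thread.

```cisco
! Step 1/2: service = TCP sessions initiated from 192.168.75.0/24 towards
! 192.168.1.0/24. Packets flowing back from 1.0/24 to 75.0/24 belong to
! such a session only if they carry ACK or RST, which is exactly what the
! IOS "established" keyword matches. A fresh SYN from 1.0/24 does not match
! and falls through to the deny.
ip access-list extended BLOCK-1-TO-75
 remark return traffic of TCP sessions that 75.0/24 opened towards 1.0/24
 permit tcp 192.168.1.0 0.0.0.255 192.168.75.0 0.0.0.255 established
 remark nothing else from 1.0/24 may reach 75.0/24 (log to see who tries)
 deny   ip 192.168.1.0 0.0.0.255 192.168.75.0 0.0.0.255 log
 remark 1.0/24 keeps its access to everything that is not 75.0/24
 permit ip any any
!
! Step 4: apply it where the 1.0/24 packets enter the router, so they are
! dropped before any routing decision. Interface name is an assumption.
interface GigabitEthernet0/1
 description LAN towards 192.168.1.0/24
 ip access-group BLOCK-1-TO-75 in
```

Two caveats follow directly from the "map services to packet flows" step: `established` only reasons about TCP flag bits, so UDP services such as DNS between the two subnets need their own explicit `permit udp` lines (or a stateful mechanism such as reflexive ACLs), and the `log` keyword on the deny plus `show ip access-lists BLOCK-1-TO-75` give you per-line hit counters to confirm the ACL actually sees and drops the flows you expected.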