
access-list??? 1


brooze

Technical User
Feb 17, 2003
Please let me know what these two lines mean:
.
.
access-list 105 permit tcp any any established
access-list 105 permit udp any any gt 1024
.
.
.
What kind of TCP traffic is allowed by "established"?
What kind of UDP traffic is allowed by "gt 1024"?


thanks and I remain,

 
Technically speaking, the "established" keyword checks for either the ACK or RST bit to be set on an inbound packet. Simply put, it blocks inbound packets that have not originated from sessions started on the inside of the router.
The second command allows any UDP sessions that have assigned ports greater than (gt) 1024.
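To make the two keywords concrete, here is an added example (my own simplified simulator, not code from the thread or from Cisco IOS) that parses the two ACL lines from the question and runs a few constructed packets through them. The Packet and AclEntry classes, the parser and the sample packets are all assumptions of this example; the matching rules follow what the reply above describes: "established" is true when the ACK or RST flag is set, "gt 1024" compares the destination port, and an ACL ends with an implicit deny.

```python
# Added example: a tiny model of how IOS evaluates the two ACL lines above.
# Everything here (Packet, AclEntry, parse_acl_line, the sample packets) is a
# simplified construction for illustration, not the real IOS matcher.
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Packet:
    proto: str                                  # "tcp" or "udp"
    dst_port: int                               # destination port
    flags: Set[str] = field(default_factory=set)  # TCP flags, e.g. {"SYN", "ACK"}

@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip"
    established: bool = False         # the "established" keyword
    port_op: Optional[str] = None     # "gt", "lt" or "eq" on the destination port
    port_val: Optional[int] = None

def parse_acl_line(line: str) -> AclEntry:
    """Parse one numbered-ACL line of the form
    'access-list <n> <permit|deny> <proto> <src> <dst> [established | gt/lt/eq <port>]'.
    Only the 'any any' source/destination form is handled (enough for the question)."""
    tok = line.split()
    entry = AclEntry(action=tok[2], proto=tok[3])
    rest = tok[6:]                    # whatever follows the destination "any"
    if rest and rest[0] == "established":
        entry.established = True
    elif len(rest) >= 2 and rest[0] in ("gt", "lt", "eq"):
        entry.port_op, entry.port_val = rest[0], int(rest[1])
    return entry

def matches(entry: AclEntry, pkt: Packet) -> bool:
    """Return True if the packet matches this ACL entry."""
    if entry.proto not in ("ip", pkt.proto):
        return False
    if entry.established:
        # "established" is a stateless flag check: ACK or RST set. The router
        # keeps no connection table here, which is why a stateful firewall or
        # reflexive ACL is the stronger control for inbound filtering.
        return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})
    if entry.port_op == "gt":
        return pkt.dst_port > entry.port_val
    if entry.port_op == "lt":
        return pkt.dst_port < entry.port_val
    if entry.port_op == "eq":
        return pkt.dst_port == entry.port_val
    return True                       # no further qualifier: protocol match is enough

def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"

# The two lines from the question, parsed in order.
ACL_LINES = [
    "access-list 105 permit tcp any any established",
    "access-list 105 permit udp any any gt 1024",
]
ACL = [parse_acl_line(l) for l in ACL_LINES]

if __name__ == "__main__":
    # Constructed sample packets arriving inbound on the interface.
    samples = {
        "inbound TCP SYN to port 80 (new connection from outside)": Packet("tcp", 80, {"SYN"}),
        "TCP SYN/ACK to port 54321 (reply to an inside-originated session)": Packet("tcp", 54321, {"SYN", "ACK"}),
        "UDP to port 53 (not > 1024)": Packet("udp", 53),
        "UDP to port 33434 (> 1024)": Packet("udp", 33434),
        "TCP ACK-only to port 22 (flag set, no prior session)": Packet("tcp", 22, {"ACK"}),
    }
    for label, pkt in samples.items():
        print(f"{evaluate(ACL, pkt):6}  {label}")
```

The last sample is the caveat worth remembering: because "established" only inspects flag bits, any TCP segment carrying ACK matches line 105, whether or not a session exists. That is the reason stateful inspection (or reflexive ACLs) replaced this keyword for serious inbound filtering.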
 
Bronto, (why does that name make me think of Fred Flintstone and a brontoburger?)

I would love to be able to ping out from my network, while blocking inbound ping scans on my PIX (I know... wrong forum) I just tried

access-list outside permit icmp any any established

hoping it would only allow pings that had originated from within my network, but the PIX doesn't like the command. Does the 'established' operator not work with ICMP packets?
 
Hehe, brontoburger...good one. The ribs were good too...

Anyway, I'm not nearly as learned as the others in this forum (mostly I just sit quietly), but I don't think the established command is the same on the PIX. I believe it's a port operator in that case, that is to say, it allows inbound connections on specific ports in response to packets that have originated from the inside. I think you're looking for something like this:

access-list outside deny icmp any any echo-reply
access-list outside permit icmp any any unreachable

if you bound this to the outside interface, it would result in "destination host unreachable" responses to internet users trying to ping your firewall.

That may not be the best way to go, so anyone else please feel free to butt in...
 