
Conference irocz::common_brouters

Title:Digital Brouters Conference
Notice:New common-code brouter family: RouteAbout, DECswitch 900
Moderator:MARVIN::HARTLL
Created:Mon Jul 17 1995
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:929
Total number of notes:3736

787.0. "DECswitch 900EE with DDR V2.0.2 and Access-Control Problem" by NETRIX::"Youda.Kopel@meo.mts.dec.com" (Youda Kopel) Fri Mar 07 1997 01:41

Hi There ,

I really need help on this one......

We have a customer that has a DECswitch 900EE with DDR - IP version 2.0.2. The
file used is ---> decswitch900ee-ip-v2-0-2.bin (21st JAN 1997), as on
haggle.lkg.dec.com/ftp/kits/ .

The problem is with setting up ACCESS-CONTROL to restrict WEB PROXY (8080),
Telnet (23), FTP, SMTP and HTTP.

After configuring some filters (access-control) the 900EE DOES NOT pass any
access to these!!!!

Some of the ACCESS-CONTROL commands look as follows:

add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 255 512 514
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 8080 8080
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 255 23 23
add access-control inclusive 203.0.170.6 255.255.255.255 203.0.171.129 255.255.255.255

When I tried the above on a DECbrouter 90T2 with ver 10.3.x it DOES WORK. The
commands used were:

access-list 101 permit tcp any host 203.0.171.66 eq domain
access-list 101 permit udp any host 203.0.171.66 eq domain
access-list 101 permit tcp any host 203.0.171.66 eq 443
access-list 101 permit tcp any any eq ftp

Don't worry about the IP addresses. Different numbers are used for different
tests.

Please, can someone help on this one and tell me if the 900EE access-control
configured should work, or is there something else wrong?

Many Many Thanks in advance.

Youda Kopel ,
NPB Melb/Aust.


[Posted by WWW Notes gateway]
787.1. by MARVIN::HART (Tony Hart, InterNetworking Prod. Eng. Group) Fri Mar 07 1997 08:32 (31 lines)
>add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 255 512 514

I suspect this line is the cause of your problems.  You might (reasonably)
expect that this line would only exclude a TCP (or UDP) packet addressed to
ports 512,513 or 514.

In fact what it does is to exclude every packet except a TCP or UDP packet
which is NOT addressed to ports 512,513 or 514.  In other words the only
packets which are not excluded by this filter are TCP and UDP packets to
destination ports other than 512,513 and 514.

Arguably this is a bug; it's certainly not what I would expect after reading the
documentation.

I think you probably want something like the following set of controls.

add access-control inclusive 203.0.170.6 255.255.255.255 -1
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 8080 8080
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 17 17 512 514
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 512 514
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 23 23
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 -1

This does...
	Allow node 203.0.170.6 access to anything
	Allow any node access to Web Proxy
	Disallow any node access to UDP ports 512-514
	Disallow any node access to TCP ports 512-514
	Disallow any node access to TELNET
	Allow any thing else

787.2. "typo in .-1" by MARVIN::HART (Tony Hart, InterNetworking Prod. Eng. Group) Mon Mar 10 1997 05:52 (9 lines)
There is a typo in the first access control in the previous reply, it should
read ... 

 add access-control inclusive 203.0.170.6 255.255.255.255 0.0.0.0 0.0.0.0 -1
                                                          ^^^^^^^^^^^^^^^

thanks to Chuck for spotting this.

Tony
787.3. "Customer tried and still does not work" by NETRIX::"Youda.Kopel@meo.mts.dec.com" (Youda Kopel) Mon Mar 17 1997 01:03 (33 lines)
Dear Chuck and Tony ,

Sorry for the long delay. The customer just got back to me on this one. Here
it is:
Youda,

	I tried the workaround suggested and it still does not
	work.  I configured filters (as per the suggestion) for RIP,
	DNS and 8080 and denied telnet.  With this configuration,
	I was unable to do any DNS lookups and even using the correct IP
	address I was unable to access the Internet on 8080.  Telnet was
	disabled.

							Robert....


______________________________________________________________________________

       Star Systems Pty. Ltd.                     Robert Cooper
       Brisbane Queensland                        Systems Engineer
       Australia                                  robert.cooper@starsys.com.au

Is there any way to do what Robert is trying to achieve?????

Hope to hear from you guys......

Many Thanks in advance,

Youda Kopel ,
NPB Melb / Aust.

787.4. "More info needed." by MARVIN::HART (Tony Hart, InterNetworking Prod. Eng. Group) Mon Mar 17 1997 07:28 (9 lines)
Please post the output of the "IP Config>LIST ALL" command.

Access controls work on the DECswitch so this *may* well be a configuration
problem; without the above information it's going to be difficult to help.

One common problem is that people forget about return paths, so although
access from the host to the server is allowed, the controls may prevent
access from the server to the host.
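Tony's reading in .1 of what the first exclusive entry really matches, his corrected list from .1 and .2, and the return-path point made just above can all be checked against a small model of the access-control list before anything is loaded on the switch. This is an added example, not code from the thread or from DEC; it assumes that entries are tested in order with the first match deciding (inclusive forwards, exclusive drops), that a packet matching no entry is dropped, that -1 is a wildcard, that the port range tests the destination port of TCP and UDP, and that, as Tony reports, a protocol range covering protocols without ports matches those packets whatever the port range says. The hosts and ports in the two test packets are constructed.

```python
from ipaddress import ip_address, ip_network
TCP, UDP = 6, 17

def parse(line):
    """'add access-control ACTION SRC SMASK DST DMASK [plo phi [lo hi] | -1]' -> tuple."""
    t = line.split()
    if t[:2] != ["add", "access-control"]:
        raise ValueError(line)
    nums = [int(x) for x in t[7:]] + [-1] * 4      # missing ranges become wildcards
    return (t[2], t[3], t[4], t[5], t[6], *nums[:4])

def _in(addr, net, mask):
    return ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)

def matches(entry, pkt):
    action, src, smask, dst, dmask, plo, phi, lo, hi = entry
    proto, s, d, dport = pkt
    if not (_in(s, src, smask) and _in(d, dst, dmask)):
        return False
    if plo != -1 and not plo <= proto <= phi:
        return False
    if lo == -1 or proto not in (TCP, UDP):
        return True        # wildcard ports, or a protocol with no port field (assumed behaviour)
    return lo <= dport <= hi

def decide(entries, pkt):
    """First matching entry decides; no match is assumed to drop. pkt = (proto, src, dst, dport)."""
    for e in entries:
        if matches(e, pkt):
            return "forward" if e[0] == "inclusive" else "drop"
    return "drop"

# The list posted in .0 and Tony's list from .1 with the .2 correction applied.
CUSTOMER = [parse(l) for l in """
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 255 512 514
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 8080 8080
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0 255 23 23
add access-control inclusive 203.0.170.6 255.255.255.255 203.0.171.129 255.255.255.255""".strip().splitlines()]
CORRECTED = [parse(l) for l in """
add access-control inclusive 203.0.170.6 255.255.255.255 0.0.0.0 0.0.0.0 -1
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 8080 8080
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 17 17 512 514
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 512 514
add access-control exclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 23 23
add access-control inclusive 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 -1""".strip().splitlines()]

# Constructed packets: a LAN host's request to the web proxy, and the proxy's reply to the host's ephemeral port.
REQUEST = (TCP, "192.168.0.10", "203.0.171.129", 8080)
REPLY = (TCP, "203.0.171.129", "192.168.0.10", 1500)
```

Under these assumptions the customer's list forwards the request to 8080 but drops the proxy's reply, which is exactly the return-path failure described above, while the corrected list forwards both and still drops Telnet and ports 512-514.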

787.5. "The info you have requested" by NETRIX::"Youda.Kopel@meo.mts.dec.com" (Youda Kopel) Tue Mar 18 1997 03:39 (62 lines)
Dear Tony ,

Thank you for the help you have been providing. I have attached the customer's
reply to the info you have requested, here it is:
			

IP config>list all
Interface addresses
IP addresses for each interface:
   intf  0                                     IP disabled on this interface
   intf  1   203.0.170.252    255.255.255.0    Network broadcast,    fill 1
   intf  2   192.168.1.252    255.255.255.0    Network broadcast,    fill 1
   intf  3   192.168.0.1      255.255.255.0    Network broadcast,    fill 1
   intf  4                                     IP disabled on this interface
   intf  5                                     IP disabled on this interface
Router-ID: 203.0.170.252

Routing



Protocols
BOOTP forwarding: disabled
Directed broadcasts: enabled
ARP Subnet routing: disabled
RFC925 routing: disabled
OSPF: disabled
Per-packet-multipath: disabled
RIP: enabled
RIP default origination: disabled
  Per-interface address flags:
     intf  0                    IP & RIP are disabled on this interface
     intf  1   203.0.170.252    Send net, subnet and default routes
     intf  2   192.168.1.252    Send no routes
     intf  3   192.168.0.1      Send no routes
     intf  4                    IP & RIP are disabled on this interface
     intf  5                    IP & RIP are disabled on this interface

  Per-interface Triggered Rip values :

Accept RIP updates always for:
[NONE]

EGP: disabled

END.......................


I hope you can help on this one ,

Many Thanks in advance ,

Youda Kopel ,
NPB Melb / Aust.

787.6. by MARVIN::HART (Tony Hart, InterNetworking Prod. Eng. Group) Tue Mar 18 1997 07:20 (8 lines)
Actually I need the access controls, which I thought were included in the
LIST ALL command but aren't, sorry about that.

Could you post the results of 

	IP Config>LIST ACCESS

Tony