
Conference irocz::common_brouters

Title:Digital Brouters Conference
Notice:New common-code brouter family: RouteAbout, DECswitch 900
Moderator:MARVIN::HARTLL
Created:Mon Jul 17 1995
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:929
Total number of notes:3736

859.0. "Route About - IP access list" by COPCLU::PALMANN () Wed Apr 16 1997 11:28

 >> Route About Access ver 1.1 or ver 2.0-1 and IP access lists <<

I believe there is a documentation problem, or a functionality problem, here.

Looking in the Route About manual, I get the impression that
the command:

IP config> add access-control inc 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 23 23

would let any node do a telnet to any node,
and exclude anything else.
But it does not work that way.
To make it work
( work = any node can do telnet to any node - only )
I had to add:

IP config> add access-control inc 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 1023 65535

In other words, I have to open for all the 'source ports'.
This is the same case for all protocols that behave like telnet and have
a destination port like 23, and a source port between 1023 and 65535.

I checked with SMTP & FTP and they have the same feature.

1. Is it really supposed to work this way?
   Reading the manual, it does not look like it.

2. If it is supposed to work this way, is this not a rather big hole in
   the filter, if you have to open for the source ports?


Example:


*t 6
Gateway user configuration
Config>p 0
Internet protocol user configuration
IP config>list all
Interface addresses
IP addresses for each interface:
   intf  0   16.181.64.32     255.255.255.0    Network broadcast,    fill 1    
             10.0.0.2         255.0.0.0        Network broadcast,    fill 1    
   intf  1                                     IP disabled on this interface
   intf  2                                     IP disabled on this interface

Routing



Protocols
BOOTP forwarding: disabled
Directed broadcasts: enabled
ARP Subnet routing: disabled
RFC925 routing: disabled
OSPF: disabled
Per-packet-multipath: disabled
RIP: disabled
EGP: disabled

IP config>list acc
Access Control is: enabled
List of access control records:
                                                          Beg End  Beg   End
    Ty Source          Mask      Destination     Mask     Pro Pro  Prt   Prt
1   I  0.0.0.0         00000000  0.0.0.0         00000000 6   6    23    23   
2   I  0.0.0.0         00000000  0.0.0.0         00000000 6   6    1023  65535
IP config>

>> If line 2 in the access list is removed, no telnet is possible from
>> net 10 to net 16.181.64

				Jan
859.1. "IP access controls use "DESTINATION" port" by IROCZ::REUTHER () Wed Apr 16 1997 16:59 (91 lines)
 >> Route About Access ver 1.1 or ver 2.0-1 and IP access lists <<

I believe there is a documentation problem, or a functionality problem, here.

Looking in the Route About manual, I get the impression that
the command:

IP config> add access-control inc 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 23 23

would let any node do a telnet to any node,
and exclude anything else.
But it does not work that way.
To make it work
( work = any node can do telnet to any node - only )
I had to add:

IP config> add access-control inc 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 1023 65535

In other words, I have to open for all the 'source ports'.
This is the same case for all protocols that behave like telnet and have
a destination port like 23, and a source port between 1023 and 65535.

    >>The IP access controls use Destination port, not Source port.  So
    >>the first access control you have above should allow any source and
    >>dest IP addresses to communicate via telnet only if the dest port
    >>is 23.  I was under the impression that the well known port 23
    >>was only used for certain connections like console connections
    >>and that when you just telnet without a port number specified that
    >>the dest port would end up being one in the broader range you 
    >>mention above.
    >>
    >>Tom
    
    
859.2. by MARVIN::HART (Tony Hart, InterNetworking Prod. Eng. Group) Thu Apr 17 1997 17:15 (32 lines)
>I believe there is a documentation problem, or a functionality problem, here.

	Possibly both :-(

>Looking in the Route About manual, I get the impression, that 
>the command:
>
>IP config> add access-control inc 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 23 23
>
>would let any node do a telnet to any node.
>and exclude any thing else.
>But it do not work that way.
>To make it work 
>( work = any node can do telnet to any node - only ) 
>I had to add :
>
>IP config> add access-control inc 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 6 6 1023 65535

	You are correct.  As Tom pointed out, the access controls only
	check the Destination Port, and since the destination port in the
	packets coming from the TELNET server is the client's
	source port, you have to allow anything in the dynamically assigned
	range through.

	I don't know why the access-controls don't allow you to specify a
	range for the source port as well, which would fix your telnet
	problem.

	Submit an IPMT case to get this fixed.  I'll make sure that the doc
	folks are aware of the documentation issues.

	Tony.
859.3. "So what do you suggest?" by KEEF::PETERS () Fri Apr 18 1997 08:29 (13 lines)
    Jan,
    
    I have looked at the documentation with Tony. What did you read that
    gave you the impression that your command would work for telnet? 
    
    There are some suggested examples, but filtering IP is so complex that
    it would be impossible to identify all the scenarios that do not work. 
    Do you have any suggestions for the docs that may have helped you with
    this problem? 
    
    Thanks for any feedback or ideas you can provide.
    
    	Steve
859.4. by COPCLU::PALMANN () Tue Apr 22 1997 10:58 (67 lines)
Hi Steve,

>What did you read that gave you the impression that your command would 
>work for telnet?

I only used telnet as an example.
Telnet has the problem, as SMTP and FTP also have the problem. ( these I checked )
 

From the manual:
Distributed Routing Software, Routing Protocols User's Guide,
Chapter 13 - Configuring IP.
There is a part about 'Setting IP Access Control'.

>Here it is written:
>
>The following example allows any host to send packets to the SMTP TCP
>socket on 192.67.67.20

> add access inc 0.0.0.0 0.0.0.0 192.67.67.20 255.255.255.255 6 6 25 25

This is in principle correct.          ( or a half truth :v )

An SMTP/Telnet/FTP (and many other protocols) connection is a
'two way connection' where the destination and source port number is NOT the
same number.

So, the example filter only opens for half the communication.

When doing a TCP SMTP you have a destination port and a source port.
The source port tells the receiver what layer 4 protocol to use.
( in the example the destination port is 25 = SMTP )
The destination port is a number which makes the connection unique.
The destination port is between 1023 - 65535.

Looking at the communication between two nodes:
Communication going one way is            Dest.  port 23     Source  port 5555
and communication going the other way is  Dest.  port 5555   Source  port 23
          
( 5555 is just picked as an example )

Looking at the example again,
add access inc 0.0.0.0 0.0.0.0 192.67.67.20 255.255.255.255 6 6 25 25

and knowing that ( as Tom pointed out )

>The IP access controls use Destination port, not Source port

we only open for half the connection.
( or in fact, since half an SMTP connection does not work, you will get no
connection from the example in the book )

In more tech. terms, you would let the 'TCP SYN seq. numbers' come through the
router, and block the 'TCP SYN seq. number ACK'.

Next item.
To get around this first problem, you have to open for all the port numbers
that can possibly answer.
This again opens, in my opinion, a rather big hole in the filter.
    
I will see if I can come up with a good idea for a work-around.

		Thanks for all the replies
			
			  Jan
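An added illustration, not code from this thread or from Digital's router software: a small Python model of an inclusive access-control record as Tom and Tony describe it (the port range is matched against the destination port only), run over both directions of the telnet session Jan describes and over an unrelated connection to a high port. It assumes that with access control enabled a packet is forwarded only when some inclusive record matches it; the addresses and the client port 5555 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # 6 = TCP
    sport: int
    dport: int

@dataclass(frozen=True)
class IncludeRule:
    """One inclusive ('I') access-control record. The port range is applied
    to the DESTINATION port only, as Tom and Tony state in this thread."""
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    proto_lo: int
    proto_hi: int
    port_lo: int
    port_hi: int

def _addr_match(addr: str, net: str, mask: str) -> bool:
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)   # mask 0.0.0.0 therefore matches any address

def rule_matches(rule: IncludeRule, pkt: Packet) -> bool:
    return (_addr_match(pkt.src, rule.src, rule.src_mask)
            and _addr_match(pkt.dst, rule.dst, rule.dst_mask)
            and rule.proto_lo <= pkt.proto <= rule.proto_hi
            and rule.port_lo <= pkt.dport <= rule.port_hi)

def permitted(rules: list, pkt: Packet) -> bool:
    # Assumption: with access control enabled, a packet is forwarded only
    # when some inclusive record matches it; everything else is dropped.
    return any(rule_matches(r, pkt) for r in rules)

def telnet_session(rules: list, client: str, server: str, client_port: int = 5555):
    """Return (SYN permitted, SYN-ACK permitted) for one telnet connection."""
    syn = Packet(client, server, 6, client_port, 23)        # client -> server:23
    syn_ack = Packet(server, client, 6, 23, client_port)    # server:23 -> client
    return permitted(rules, syn), permitted(rules, syn_ack)

ANY = "0.0.0.0"
RULE_1 = IncludeRule(ANY, ANY, ANY, ANY, 6, 6, 23, 23)         # line 1 of Jan's list
RULE_2 = IncludeRule(ANY, ANY, ANY, ANY, 6, 6, 1023, 65535)    # line 2 of Jan's list
```

With RULE_1 alone the SYN passes but the SYN-ACK (destination port 5555) is dropped, which is the behaviour Jan observed; adding RULE_2 repairs telnet but also admits a fresh connection to any TCP port from 1023 upward, which is the hole the thread discusses.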