Re: (PM) Shorter filter command

Kelley L. (redhat@cococo.net)
Tue, 24 Feb 1998 00:19:27 -0500 (EST)

On Mon, 23 Feb 1998, Stephen Fisher wrote:

>
> You know, that's a good question.. I know that it works but I don't know
> exactly how to explain/understand how exactly it works.. perhaps it keeps
> going down through permits but stops at denys?
>
> On Mon, Feb 23, 1998 at 05:20:01PM -0500, Kelley L. wrote:
> >
> >
> > On Mon, 23 Feb 1998, Stephen Fisher wrote:
> >
> > >
> > > Here are sample rules to allow hosts in xxx to access ports 5000-5010 on a
> > > particular machine (and deny everything else):
> > >
> > > 1 permit xxx.xxx.xxx.0/24 10.1.1.1/32 gt 4999
> > > 2 permit xxx.xxx.xxx.0/24 10.1.1.1/32 lt 5011
> > > 3 deny
> > >

If you are sure that it works, then the manuals aren't telling the
correct story.

permit - Permits a packet that matches the filter to pass through the
interface.

deny - Stops a packet that matches the filter from passing through the
interface. The packet is dropped and an ICMP "Host Unreachable"
message is sent to the source address.

I did figure out how to rewrite the filter above with this method:

1 deny 0.0.0.0/0 10.1.1.1/32 gt 5009
2 permit xxx.xxx.xxx.0/24 10.1.1.1/32 gt 4999
3 deny

That should only let xxx.xxx.xxx.xxx addresses connect to ports 5000 thru
5009, and everything else be denied, I think? Of course, as soon as you set
the filter and left, you couldn't telnet back in, except for the 5000 to
5009 ports, and they probably couldn't talk back. ;)

later
Kelley

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
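The difference between the two rule sets in the thread comes down to first-match evaluation: the first rule whose source, destination and port test all match decides, and the rest are never consulted. The evaluator below is an added example written for this archive page, not PortMaster software and not code from either poster. It assumes first-match semantics, that the port test applies to the destination port, that a bare `deny` with no packet test matches everything, that no match at all means drop, and it substitutes the documentation prefix 192.0.2.0/24 for the masked xxx.xxx.xxx.0/24; the lower bound in Kelley's rule 2 is taken as `gt 4999`, the value implied by "ports 5000 thru 5009".

```python
# Added example (not PortMaster code): a first-match evaluator for the
# "N permit|deny src/len dst/len [gt|lt port]" rule lines in the thread.
# Assumptions: the first matching rule decides (later rules are not
# consulted), the port test applies to the destination port, a rule with
# no packet test matches everything, no match at all means deny, and
# 192.0.2.0/24 stands in for the masked xxx.xxx.xxx.0/24.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: Optional[object] = None    # ip_network, or None = any source
    dst: Optional[object] = None    # ip_network, or None = any destination
    port_op: Optional[str] = None   # "gt", "lt" or None = any port
    port_val: int = 0

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.src is not None and ip_address(src_ip) not in self.src:
            return False
        if self.dst is not None and ip_address(dst_ip) not in self.dst:
            return False
        if self.port_op == "gt":
            return dport > self.port_val
        if self.port_op == "lt":
            return dport < self.port_val
        return True


def parse_rule(line: str) -> Rule:
    """Parse one numbered rule line; the leading rule number is dropped."""
    fields = line.split()[1:]
    action = fields[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    rule = Rule(action)
    if len(fields) >= 3:
        rule.src = ip_network(fields[1])
        rule.dst = ip_network(fields[2])
    if len(fields) == 5:
        if fields[3] not in ("gt", "lt"):
            raise ValueError(f"unknown port test in rule: {line!r}")
        rule.port_op = fields[3]
        rule.port_val = int(fields[4])
    return rule


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match semantics: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"  # assumption: nothing matched -> drop


# Stephen's rules as quoted in the thread (xxx.xxx.xxx.0/24 -> 192.0.2.0/24)
STEPHEN = [parse_rule(l) for l in [
    "1 permit 192.0.2.0/24 10.1.1.1/32 gt 4999",
    "2 permit 192.0.2.0/24 10.1.1.1/32 lt 5011",
    "3 deny",
]]

# Kelley's rewrite, rule 2 lower bound read as gt 4999 (ports 5000 thru 5009)
KELLEY = [parse_rule(l) for l in [
    "1 deny 0.0.0.0/0 10.1.1.1/32 gt 5009",
    "2 permit 192.0.2.0/24 10.1.1.1/32 gt 4999",
    "3 deny",
]]

# Constructed test packets: (source, destination, destination port)
PACKETS = [
    ("192.0.2.10", "10.1.1.1", 5005),    # inside the wanted range
    ("192.0.2.10", "10.1.1.1", 5011),    # just above it
    ("192.0.2.10", "10.1.1.1", 23),      # telnet, far below it
    ("198.51.100.7", "10.1.1.1", 5005),  # right port, wrong source
]


def compare(rules_a, rules_b, packets=PACKETS):
    """Return [(packet, verdict under rules_a, verdict under rules_b)]."""
    return [(p, evaluate(rules_a, *p), evaluate(rules_b, *p)) for p in packets]


if __name__ == "__main__":
    for pkt, a, b in compare(STEPHEN, KELLEY):
        print(f"{pkt[0]:>13} -> {pkt[1]}:{pkt[2]:<5}  two-permit: {a:6}  deny-first: {b}")
```

Running it shows why the two-permit form does not express a range: under first match, a packet only has to satisfy one permit, so the 192.0.2.0/24 hosts reach every port on 10.1.1.1 (port 23 matches `lt 5011`, port 5011 matches `gt 4999`), and only foreign sources fall through to the final deny. Putting the deny for `gt 5009` ahead of the permit narrows the permit to 5000 thru 5009 and leaves everything else, including telnet back into the box, dropped.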