Lexa Software: Inet-Admins@info.east.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: Inet-Admins

Inet-Admins mailing list archive (inet-admins@info.east.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [inet-admins] acl ... established?

To: inet-admins@info.east.ru
Subject: Re: [inet-admins] acl ... established?
From: Dmitry Valdov <dv@dv.ru>
Date: Tue, 8 Jan 2002 13:03:06 +0300 (MSK)
Delivered-to: inet-adm-outgoing@frog.east.ru
Delivered-to: inet-admins@info.east.ru
In-reply-to: <3C3AC2D4.396FD9F7@vsu.ru>




On Tue, 8 Jan 2002, Andy Igoshin wrote:

> Date: Tue, 08 Jan 2002 12:58:44 +0300
> From: Andy Igoshin <ai@vsu.ru>
> Reply-To: inet-admins@info.east.ru
> To: inet-admins@info.east.ru
> Subject: Re: [inet-admins] acl ... established?
> 
> Dmitry Valdov wrote:
> > 
> > Hi!
> > 
> > при acl, вида:
> > permit tcp any any established
> > deny tcp any host myhost eq verysecureport
> > ...
> > 
> > Я смогу послать снаружи на myhost:verysecureport tcp пакеты с признаком
> > established. В случа, если established будет в конце acl - не смогу.
> 
> тогда aclи вида:
> 
> permit tcp any host myhost eq myport
> permit tcp any any  established
> deny   tcp any any  ; опционально
> 
> и
> 
> permit tcp any any  established
> permit tcp any host myhost eq myport
> deny   tcp any any  ; опционально
> 
> эквивалентны и одинаково не защищены от пакета с признаком established?

Угу.

Dmitry.

> 
>  
> > Dmitry.
> > 
> > On Tue, 8 Jan 2002, Andy Igoshin wrote:
> > 
> > > Date: Tue, 08 Jan 2002 10:50:27 +0300
> > > From: Andy Igoshin <ai@vsu.ru>
> > > Reply-To: inet-admins@info.east.ru
> > > To: inet-admins@info.east.ru
> > > Subject: Re: [inet-admins] acl ... established?
> > >
> > > Dmitri Kalintsev wrote:
> > > >
> > > > On Mon, Jan 07, 2002 at 04:34:55PM +0300, Andy Igoshin wrote:
> > > > > Hi!
> > > > >
> > > > > Несколько раз встречал упоминание, что established не надо ставить в
> > > > > начало acl.
> > > > > Вопрос - почему? Вроде как в начале ему самое место.
> > > >
> > > > Потому, что обработка листов прекращается после мэтча.
> > >
> > > Я в курсе. И?
> > > Соединения уже установлены, т.е. один раз проверились по листу.
> 
> 
> -- 
> Andy Igoshin <ai@vsu.ru>
> Phone: +7 0732 522406                    Voronezh State University
> Fax:   +7 0732 789820                    Network Operation Center
> CA:    http://noc.vsu.ru/ca/             Voronezh, Russia
> 
> =============================================================================
> "inet-admins" Internet access mailing list. Maintained by East Connection ISP.
> Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
> Archive is accessible on http://info.east.ru/rus/inetadm.html
> 


=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html

References:
- Re: [inet-admins] acl ... established?
  - From: Andy Igoshin

Prev by Date: Re: [inet-admins] acl ... established?
Next by Date: Re: [inet-admins] acl ... established?
Previous by thread: Re: [inet-admins] acl ... established?
Next by thread: Re: [inet-admins] acl ... established?
Index(es):
- Date
- Thread