Lexa Software: Inet-Admins@info.east.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: Inet-Admins

Inet-Admins mailing list archive (inet-admins@info.east.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: [inet-admins] Access-lists and ICQ

To: "Yuri A . Tyuryukanov" <inet-admins@info.east.ru>
Subject: Re[2]: [inet-admins] Access-lists and ICQ
From: Rinat Aliev <raliev@procom.kz>
Date: Mon, 12 Jun 2000 20:21:13 +0600
In-reply-To: <20000612170625.A4322@sch.ru>
Organization: Procom
References: <20000612170625.A4322@sch.ru>

Hello Yuri,

Monday, June 12, 2000, 7:06:25 PM, you wrote:

YAT> On Mon, Jun 12, 2000 at 08:00:03PM +0600, Rinat Aliev wrote:
>> Hello All,
>> 
>> подскажите плз, как правильно прописать субж ? не могу закрыть порты
>> на вход так, чтобы аськины мессаги не пролазили.. закрываю все порты
>> выше 1023 - днс перестает работать... может в настройках нат что
>> подкрутить ???

YAT> Hi!
YAT> Закрой UDP dst 0.0.0.0/0.0.0.0 4000
YAT>        TCP dst 0.0.0.0/0.0.0.0 5190

YAT> В 2000-й они теперь ходят TCP'ой по порту 5190. :)> 

YAT> Yuri A. Tyuryukanov
YAT> Tersys company.
YAT> yuri@sch.ru

нифига не помогло - нат все равно мапирует 4000 порт на той стороне,
если у меня открыты порты вышу 1023... :(

вот кусок конфига:

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
ip subnet-zero
no ip domain-lookup
!
!
interface Ethernet0
 ip address 212.19.141.17 255.255.255.240 secondary
 ip address 10.253.253.2 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface Serial0
 bandwidth 64000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 ip address 212.19.132.42 255.255.255.252
 ip access-group S-IN in
 ip access-group S-OUT out
 no ip directed-broadcast
 ip nat outside
 frame-relay interface-dlci 403
!
ip nat pool procom 212.19.141.26 212.19.141.30 netmask 255.255.255.240
ip nat inside source list 1 pool procom overload
ip nat inside source static 10.253.253.18 212.19.141.18
ip classless
ip route 0.0.0.0 0.0.0.0 212.19.132.41
!
!
ip access-list extended S-IN
 deny   udp any any eq 4000
 deny   tcp any any eq 5190
 deny   ip host 0.0.0.0 any
 permit tcp any host 212.19.141.18 eq smtp
 permit tcp any any eq ftp-data
 permit tcp any any eq ident
 permit icmp any host 212.19.132.42
 permit tcp any any gt 1023
 permit udp any any gt 1023
 deny   ip any any
ip access-list extended S-OUT
 permit ip 212.19.141.16 0.0.0.15 any
 deny   ip any any
access-list 1 permit 10.253.253.0 0.0.0.255
!
end

Где грабли ?????
-- 
Best regards,
 Rinat Aliev                            mailto:raliev@procom.kz

Deputy of
Technical director
Procom Company

phone: +7-3272-582432
fax:   +7-3272-532676
www:   www.procom.kz

=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html

Follow-Ups:
- Re[2]: [inet-admins] Access-lists and ICQ
  - From: Vladimir B. Grebenschikov

References:
- Re: [inet-admins] Access-lists and ICQ
  - From: Yuri A . Tyuryukanov

Prev by Date: Re: [inet-admins] Access-lists and ICQ
Next by Date: Re[2]: [inet-admins] Access-lists and ICQ
Previous by thread: Re: [inet-admins] Access-lists and ICQ
Next by thread: Re[2]: [inet-admins] Access-lists and ICQ
Index(es):
- Date
- Thread