Sending RST packets

Hello,

I've got a Cisco (877W with IOS 12.4 in my case) which uses an "access-list" to filter IP traffic on the external interface:

interface Dialer0
 [...]
 ip access-group 101 in
 [...]

[...]
access-list 101 permit tcp any host 1.2.3.4 eq www
[...]
access-list 101 deny tcp any any
[...]

The rules work fine and prevent access to TCP ports which are supposed to be protected.

If an external host does however try to connect to one of the protected ports, the Cisco seems to send a "host unreachable - admin prohibited filter" ICMP packet like this:

22:07:57.539673 IP 5.6.7.8 > 9.10.11.12: icmp 36: host 1.2.3.4 unreachable - admin prohibited filter

The host I'm using for testing seems to ignore these packets. The previous firewall (a NetBSD system using PF) could be configured to send a TCP-RST packet in this case. Is it possible to configure IOS to do the same?

Kind regards

Matthias Scheler
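The ICMP message in the tcpdump line above quotes the IP header and the first 8 bytes of the filtered SYN, which is where the 36-byte ICMP length comes from (8-byte ICMP header + 20-byte IP header + 8 bytes of TCP). The following Python example is added here and is not part of the original thread: it builds such a type 3 / code 13 ("communication administratively prohibited") message and parses one back to report which connection attempt the filter rejected. All addresses and ports are constructed sample values.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13  # "communication administratively prohibited" (RFC 1812)


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement Internet checksum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a computed header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_admin_prohibited(router_ip, client_ip, orig_src, orig_dst, sport, dport) -> bytes:
    """Constructed sample of what the router sends back: IPv4 + ICMP type 3 code 13 quoting the
    filtered SYN's IP header plus its first 8 TCP bytes (ports and sequence number)."""
    quoted = (build_ipv4_header(orig_src, orig_dst, socket.IPPROTO_TCP, 20)
              + struct.pack("!HHI", sport, dport, 0x11223344))  # constructed sequence number
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_ADMIN_PROHIBITED, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(router_ip, client_ip, socket.IPPROTO_ICMP, len(icmp)) + icmp


def parse_filtered_attempt(packet: bytes):
    """Return (orig_src, orig_dst, sport, dport) for a valid ICMP admin-prohibited message that
    quotes a TCP datagram; None for anything else (wrong protocol/type/code, bad checksum)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 + 8:  # header + quoted IP header + 8 bytes of original datagram
        return None
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_CODE_ADMIN_PROHIBITED:
        return None
    if ip_checksum(icmp) != 0:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_TCP:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), sport, dport
```

Run against a real capture, the parser shows a client which connection attempt the ICMP refers to; whether the client's TCP stack acts on it (as it would on a RST) is up to that stack, which is why the test host in the question just keeps retrying.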

Matthias Scheler wrote:

Maybe you could achieve that by using tcp intercept in passive mode and tuning the watch-timeout, e.g.:

!
interface Dialer0
 ip access-group 101 in
!
access-list 101 permit tcp any host 1.2.3.4 eq www
[...]
access-list 101 deny tcp any any
!
ip tcp intercept list 101
ip tcp intercept mode watch
ip tcp intercept watch-timeout 5
!


Regards, Martin

Martin Turba
