Help with ACL

kt2003
Let's say that I want to open and redirect all the SMTP traffic that reaches my ADSL router to my internal mail server (192.168.1.34).
The ACL that seems to work is
permit tcp any gt 1023 host 192.168.1.34 eq smtp
This ACL will be applied to the external interface (in) of the ADSL router.
Could anyone explain why "permit tcp any host 192.168.1.34 eq smtp" might not work?
If SMTP uses port 25, why do we have to enable any port greater than 1023?
Commented:
permit tcp any host 192.168.1.34 eq smtp would work.

The first one requires that the source port be greater than 1023.  Someone must believe it is safer to accept connections from servers that are using outgoing ports above the "root reserved" port numbers.

Author

Commented:
Kevin, could you please explain what the difference is between the source port in this case having to be bigger than 1023 and the eq smtp (25)?
Commented:
The permit statement in an ACL has the following format:

permit <protocol> <source> [<source port options>] <destination> [<destination port options>]

So, to break it down:
permit
<protocol> = tcp
<source> = any
<source port options> = gt 1023
<destination> = host 192.168.1.34
<destination port options> = eq 25


Source is the host that is connecting to you (the remote ip).  
All tcp connections also have a source port, in addition to a destination port.

Most connections are sourced from ports above 1023.  Ports 1023 and below are "reserved" in the Unix environment for processes being run as root.  Older Windows platforms had no such restriction.

So, someone thought that having gt 1023 is safer for source ports.  
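An added example, not part of this thread: a small Python matcher for the entry format broken down above, so the two ACLs from the question can be compared packet by packet. The supported grammar (permit/deny, any or host, optional gt/eq port), the port-name table and the sample packets are assumptions of this example, not IOS code; it shows that a connection arriving from a source port of 1023 or below reaches the mail server under the shorter ACL but is dropped by the gt 1023 one.

```python
from collections import namedtuple

# IOS accepts service names in place of numbers; assumed minimal table.
PORT_NAMES = {"smtp": 25}
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t, i):
    """Consume 'any' or 'host <ip>' at t[i]; return (ip matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        want = t[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError(f"unsupported address spec: {t[i]}")

def _parse_port(t, i):
    """Consume optional 'gt N' / 'eq N' at t[i]; absent means any port."""
    if i < len(t) and t[i] in ("gt", "eq"):
        op, n = t[i], _port(t[i + 1])
        return ((lambda p: p > n) if op == "gt" else (lambda p: p == n)), i + 2
    return (lambda p: True), i

def parse_ace(line):
    """Parse one entry into (action, matcher) following the breakdown above:
    permit <proto> <src> [<src port>] <dst> [<dst port>]."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    def matches(pkt):
        return (pkt.proto == proto and src(pkt.src_ip) and sport(pkt.src_port)
                and dst(pkt.dst_ip) and dport(pkt.dst_port))
    return action, matches

def acl_permits(acl_lines, pkt):
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for action, matches in map(parse_ace, acl_lines):
        if matches(pkt):
            return action == "permit"
    return False

# The two ACLs from the question, for side-by-side comparison.
STRICT_ACL = ["permit tcp any gt 1023 host 192.168.1.34 eq smtp"]
LOOSE_ACL = ["permit tcp any host 192.168.1.34 eq smtp"]
```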

Author

Commented:
Thanks
