Slide 17 of 17
Notes:
! Sketch of inward ACL for BSDnet strawman -- jxh 7/21/98
permit udp from {ntp1,2} ntp to bsdnet ntp
! might be better to set up one or two ntp servers inside bsdnet??
permit tcp from ns1 dns to sage 1024-4999 established
permit udp from ns1 dns to sage dns
! Above assumes sage (or some other machine) is set up as a slave DNS
! and that all DNS queries from bsdnet are relayed thru it.
permit tcp from serv0{4,5} smtp to bsdnet established
permit tcp from www3 http to bsdnet established
permit tcp from popserv pop to bsdnet established
permit tcp from imapserv imap to bsdnet established
permit tcp from {anywhere? slac?} telnet to bsdnet established
! Can't handle ftp clients without stateful inspection.
permit udp from nethub 7000-7009 to bsdnet 7000-7009
! 7000-7009 are AFS ports.
permit udp from {afsdb1,2,3} kerberos to bsdnet
! The above is somewhat risky: it allows slac hosts to send udp packets into
! bsdnet if they're spoofed to be "from" afsdbx's kerberos port.
! To do better requires stateful filtering.
permit tcp from slac lpr to bsdnet established
! Can't handle sql*net without stateful inspection.
permit udp from {netmon, etc} 1024-4999 to {switch hubs} snmp
! Is snmp needed to NT agents?
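Added example, not part of the slide: a small Python model of how the stateless ACL above evaluates inbound packets, covering the AFS and kerberos rules, and showing the gap the note after the kerberos rule describes (a UDP packet spoofed to come "from" an afsdb host's kerberos port is permitted regardless of whether anyone inside bsdnet asked for it). A minimal reply-tracking filter then closes that gap, which is the "stateful filtering" the notes call for. The IP addresses, the bsdnet prefix, the client port 5555 and the host-name mapping are all constructed placeholders, not SLAC values.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed address book standing in for the slide's symbolic host names.
BSDNET_PREFIX = "134.79.100."          # constructed bsdnet subnet prefix
HOSTS = {
    "afsdb1": "134.79.0.11", "afsdb2": "134.79.0.12", "afsdb3": "134.79.0.13",
    "nethub": "134.79.0.20",
}
KERBEROS = 88
AFS_PORTS = range(7000, 7010)          # 7000-7009, as in the slide
ANY_PORT = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit; IOS "established" = ACK or RST set (simplified to ACK)


def in_bsdnet(addr: str) -> bool:
    return addr.startswith(BSDNET_PREFIX)


def hosts(*names: str) -> Callable[[str], bool]:
    """Match any of the named (constructed) hosts as a source."""
    addrs = {HOSTS[n] for n in names}
    return lambda a: a in addrs


@dataclass(frozen=True)
class Rule:
    proto: str
    src_ok: Callable[[str], bool]
    sports: range
    dst_ok: Callable[[str], bool]
    dports: range
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or not self.src_ok(p.src) or not self.dst_ok(p.dst):
            return False
        if p.sport not in self.sports or p.dport not in self.dports:
            return False
        return p.ack if self.established else True


# Two of the slide's inbound rules, encoded as stateless permits.
STATELESS_ACL: List[Rule] = [
    # permit udp from nethub 7000-7009 to bsdnet 7000-7009
    Rule("udp", hosts("nethub"), AFS_PORTS, in_bsdnet, AFS_PORTS),
    # permit udp from {afsdb1,2,3} kerberos to bsdnet
    Rule("udp", hosts("afsdb1", "afsdb2", "afsdb3"),
         range(KERBEROS, KERBEROS + 1), in_bsdnet, ANY_PORT),
]


def stateless_permit(acl: List[Rule], p: Packet) -> bool:
    """First matching permit wins; implicit deny if nothing matches."""
    return any(r.matches(p) for r in acl)


class StatefulFilter:
    """Reply-tracking add-on: an inbound UDP datagram is accepted only if it
    answers an outbound datagram seen earlier from inside bsdnet."""

    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.outbound: Set[Tuple[str, int, str, int]] = set()

    def note_outbound(self, p: Packet) -> None:
        if in_bsdnet(p.src):
            self.outbound.add((p.src, p.sport, p.dst, p.dport))

    def inbound_permit(self, p: Packet) -> bool:
        if not stateless_permit(self.acl, p):
            return False
        if p.proto == "udp":
            return (p.dst, p.dport, p.src, p.sport) in self.outbound
        return True


def demo() -> dict:
    """Constructed scenario: a datagram claiming to be from afsdb1's kerberos
    port arrives at a bsdnet host on port 5555 with no request behind it."""
    client = BSDNET_PREFIX + "7"                                   # constructed bsdnet host
    spoofed = Packet("udp", HOSTS["afsdb1"], KERBEROS, client, 5555)
    sf = StatefulFilter(STATELESS_ACL)
    unsolicited = sf.inbound_permit(spoofed)
    # The bsdnet host now really sends a kerberos request; the same datagram
    # becomes a legitimate reply and is accepted.
    sf.note_outbound(Packet("udp", client, 5555, HOSTS["afsdb1"], KERBEROS))
    return {
        "stateless_permits_spoof": stateless_permit(STATELESS_ACL, spoofed),
        "stateful_unsolicited": unsolicited,
        "stateful_after_request": sf.inbound_permit(spoofed),
    }


if __name__ == "__main__":
    print(demo())
```

The stateless ACL has no way to tell the spoofed datagram from a real kerberos reply, because both carry the same five-tuple; only the record of an earlier outbound request distinguishes them, which is why the slide says doing better requires stateful filtering.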