ACL commands for allowing HTTP

Practice COMP Tia networking exam:

Question 286

A network technician wants to allow HTTP traffic through a stateless firewall. The company uses the 192.168.0.0/24 network. Which of the following ACLs should the technician configure? (Select TWO)

A. PERMIT SRCIP 192.168.0.0/24 SPORT:80 DSTIP:192.168.0.0/24 DPORT:80
B. PERMIT SRCIP 192.168.0.0/24 SPORT:ANY DSTIP:ANY DPORT 80
C. PERMIT SRCIP:ANY SPORT:80 DSTIP:192.168.0.0/24 DPORT ANY
D. PERMIT SRCIP: ANYSPORT:80 DSTIP:192.168.0.0/24 DPORT:80
E. PERMIT SRCIP:192.168.0.0/24 SPORT:80 DSTIP:ANY DPORT:80

Answers: B

OK, the question says to pick two answers. In addition, the spacing differences in answers C and D were copied verbatim from the pdf and I am not sure if these are typos or are part of the question as a syntax problem. Is a second answer needed? Would answer B suffice? Answers A and E seem redundant, and C and D seem insecure by allowing a source IP of Any?

billnyeguy

Posted 2018-08-28T15:52:20.357

Reputation: 1

Question was closed 2018-08-29T06:58:46.000

Hey, guy, this is the second time you ask for us to explain the questions you don't understand when preparing for the exam. This isn't a support site for students, you know. – harrymc – 2018-08-28T16:03:41.357

This is the second time you have asked for help on a question, you don't even have the most basic understanding of which is a problem, because you will never pass the Network+ if that doesn't change. You cannot learn the material on the CompTIA Network+ exam by doing practice exams without first understanding the material. As for the usefulness of this question, I have been burned once from one of your questions, turns out your practice exam is full of errors. So I personally don't find "yet another give me the answer" question to be helpful to the community. – Ramhound – 2018-08-28T17:12:17.587

When an actual CompTIA exam question requires you to select two answers, it means you need to select two answers. If you only select one answer you get the question incorrect. – Ramhound – 2018-08-28T17:19:38.760

These questions are not regarding "personal or home computer networking" as defined in the on topic page of the help centre. Professional and corporate IT questions should be asked at [sf], but I would first ask if these exam practise questions are acceptable there by posting at their meta site. – Mokubai – 2018-08-29T07:26:18.967

Answers

  1. Since the question does not specify which syntax should be expected for ACLs (i.e. you don't have any reference to validate it against), you can assume the syntax was just made up on the spot and all typos might as well be accidental (possibly after several rounds of printing, retyping, photocopying, and/or OCR'ing).

  2. If you're securing a web server hosting public websites, naturally you will want to accept clients from anywhere (i.e. any source). And vice versa, if you have some clients behind this firewall, usually they will want to access the whole internet (i.e. any destination). In either case, at least one side being "ANY" is inevitable.

  3. TCP connections generally have a well-known port on the 'server' end, but a transient port (random and high-numbered) on the 'client' end. This allows distinguishing between multiple connections from the same client to the same service on the same server.

    This means that you will practically never[1] see port 80 on both the "sport" and "dport" at the same time. Therefore you can skip those ACLs as incorrect.

  4. As mentioned, the well-known port (80 for HTTP) is on the 'server' side. The server will be receiving packets with DPORT:80, and sending packets with SPORT:80.

    This means that ACLs with DPORT:80 must have SRCIP that'll match clients (browsers), and/or DSTIP matching the web servers. The reverse applies for SPORT:80.

  5. As mentioned, packets flow in two directions. Since the firewall is stateless, it needs two ACLs, one for each direction.


[1] It should be clarified that identical source & destination ports are allowed per protocol, just incredibly rare in general TCP usage. (There are exceptions, e.g. BGP sometimes uses 179 to 179.)

user1686

Posted 2018-08-28T15:52:20.357

Reputation: 283 655

For my own curiosity. What is the correct answer(s)? – Ramhound – 2018-08-28T17:21:05.947

Conveniently, "identical source and destination ports" will already rule out everything except B and C. These are also exactly opposite of each other, so they'd be correct (as far as the question needs). – user1686 – 2018-08-28T17:24:53.707

I thought that was the case, but that statement does not appear in your answer. – Ramhound – 2018-08-28T17:29:59.703

-1: Down-voting because the question is clearly someone asking us to “do their homework” when they glibly state, “Practice COMP Tia networking exam:” These questions should not be encouraged and the Stack Exchange sites should not be such a direct cheat sheet for technical skills like this. – JakeGould – 2018-08-29T17:29:36.903
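As an added illustration of user1686's reasoning above (this code is not part of the original thread), the following Python models a stateless packet filter and runs the question's five candidate ACLs against one constructed HTTP exchange, showing why a single rule cannot carry both directions and why the "ANY" side of rule C also admits unsolicited packets. The dict-based rule syntax, the helper names and the packet addresses are my own assumptions.

```python
from ipaddress import ip_address, ip_network
ANY = "ANY"

def _ip_matches(rule_ip, packet_ip):
    return rule_ip == ANY or ip_address(packet_ip) in ip_network(rule_ip)

def _port_matches(rule_port, packet_port):
    return rule_port == ANY or rule_port == packet_port

def acl_permits(acl, pkt):
    """Stateless check: only this packet's header fields are consulted, so no
    earlier packet can 'open' the return path the way a stateful firewall would."""
    return (_ip_matches(acl["srcip"], pkt["srcip"])
            and _port_matches(acl["sport"], pkt["sport"])
            and _ip_matches(acl["dstip"], pkt["dstip"])
            and _port_matches(acl["dport"], pkt["dport"]))

def acl(srcip, sport, dstip, dport):
    return {"srcip": srcip, "sport": sport, "dstip": dstip, "dport": dport}

LAN = "192.168.0.0/24"
CANDIDATES = {  # the five answer choices, transcribed from the question above
    "A": acl(LAN, 80, LAN, 80),
    "B": acl(LAN, ANY, ANY, 80),
    "C": acl(ANY, 80, LAN, ANY),
    "D": acl(ANY, 80, LAN, 80),
    "E": acl(LAN, 80, ANY, 80),
}

# Constructed traffic (documentation addresses): a LAN browser on an ephemeral
# port, the outside web server's reply, and an unsolicited probe aimed at SSH.
REQUEST = {"srcip": "192.168.0.25", "sport": 51234, "dstip": "203.0.113.10", "dport": 80}
REPLY = {"srcip": "203.0.113.10", "sport": 80, "dstip": "192.168.0.25", "dport": 51234}
UNSOLICITED = {"srcip": "203.0.113.99", "sport": 80, "dstip": "192.168.0.25", "dport": 22}

def matching_rules(candidates, packets):
    """Labels of the candidates that permit at least one packet of the exchange."""
    return sorted(label for label, a in candidates.items()
                  if any(acl_permits(a, p) for p in packets))

def exchange_allowed(candidates, labels, packets):
    """True only if every packet of the exchange is permitted by a chosen rule."""
    chosen = [candidates[label] for label in labels]
    return all(any(acl_permits(a, p) for a in chosen) for p in packets)

if __name__ == "__main__":
    print("candidates matching real HTTP packets:", matching_rules(CANDIDATES, [REQUEST, REPLY]))
    print("B alone carries both directions:", exchange_allowed(CANDIDATES, ["B"], [REQUEST, REPLY]))
    print("B and C together:", exchange_allowed(CANDIDATES, ["B", "C"], [REQUEST, REPLY]))
    print("C also admits unsolicited sport-80 packets:", acl_permits(CANDIDATES["C"], UNSOLICITED))
```

Only B matches the outbound request and only C matches the reply, so the stateless firewall needs both; the last line is the cost of the "ANY" that the question's asker worried about, which a stateful firewall would avoid by tracking the connection instead.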