Which pair of firewall rules restrict SSH access to the source subnet 192.168.0.0/16?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $9.99Unlock all

Study for the MTCNA Foundation Exam. Prepare with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your certification!

Multiple Choice

Which pair of firewall rules restrict SSH access to the source subnet 192.168.0.0/16?

Explanation:
To restrict SSH access to a specific source subnet, you want a two-rule sequence on the input chain: first, allow SSH from that subnet, then drop SSH from all other sources. SSH uses TCP port 22, so the allowance must explicitly match protocol tcp and destination port 22 with the source-address 192.168.0.0/16. Because rules are evaluated top to bottom, the accept rule will permit traffic from that subnet and stop further processing for those packets; any other source won’t match the first rule and will reach the second rule, which drops SSH (destination port 22). This ensures only hosts from 192.168.0.0/16 can reach SSH, while everyone else is blocked. The other described approach fails because it either checks a different port (for example, port 23, which is not SSH) or uses a drop rule without a preceding allow for the intended subnet, which would either block SSH entirely or not properly restrict access as intended.

To restrict SSH access to a specific source subnet, you want a two-rule sequence on the input chain: first, allow SSH from that subnet, then drop SSH from all other sources. SSH uses TCP port 22, so the allowance must explicitly match protocol tcp and destination port 22 with the source-address 192.168.0.0/16. Because rules are evaluated top to bottom, the accept rule will permit traffic from that subnet and stop further processing for those packets; any other source won’t match the first rule and will reach the second rule, which drops SSH (destination port 22). This ensures only hosts from 192.168.0.0/16 can reach SSH, while everyone else is blocked.

The other described approach fails because it either checks a different port (for example, port 23, which is not SSH) or uses a drop rule without a preceding allow for the intended subnet, which would either block SSH entirely or not properly restrict access as intended.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy