[nsp] reflexive access lists

From: Edward Henigin (ed@staff.texas.net)
Date: Fri Sep 24 1999 - 15:04:36 EDT


        I'm trying to figure out if reflexive access lists would
be a benefit in our network here.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/screflex.htm

        It looks to me that they would be useful where, for example,
we wanted to let people play quake, but didn't want to let them
run quake servers. So we'd set up a rule that blocked inbound udp
to port 27500 (or whatever it is), allowed outbound udp to 27500,
then when someone connected to an outside quake server, that would
open up a hole for the return traffic.

        (please for the sake of this train of thought, ignore
considerations like "what if they use a non-standard port" or
whatever. I'm just trying to get the concepts and usefulness in
place in my head.)

        I don't see where reflexive access-lists would be useful
for tcp traffic, because we generally just use 'permit tcp any any
estab' on our inbound filters. It seems like it would only be
useful on udp (or icmp etc) traffic because of the lack of any kind
of 'established' state.

        What I was really hoping for was some way to allow things
like non-passive ftp to work. Reflexive access-lists clearly don't
do that. <sigh>

        Thoughts?

        Ed


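The Quake scenario Ed sketches, written out as an IOS reflexive access-list configuration; this is an added example, not part of his message or of the Cisco document he links. The interface name, the list names and the use of 27500 (the port he quotes) are assumptions for illustration.

```cisco
! Added example (not from the original post): reflexive ACLs for the
! "let users play Quake, but not host Quake servers" case.
! Interface, list names and port 27500 are assumptions for illustration.
!
! Reflexive entries only work inside named extended access lists.
ip access-list extended outbound-filter
 ! Outbound UDP to a Quake server creates a temporary entry in
 ! "quake-reflex" with source/destination reversed. Because UDP has no
 ! FIN or RST to mark the end of a session, the entry is removed only
 ! when it idles past the timeout (120 s here).
 permit udp any any eq 27500 reflect quake-reflex timeout 120
 permit ip any any
!
ip access-list extended inbound-filter
 ! What the post already relies on for TCP: only segments belonging
 ! to connections the inside opened.
 permit tcp any any established
 ! Consult the temporary entries built by the outbound list. Return
 ! traffic from a server an inside host actually contacted matches here;
 ! if nothing matches, evaluation continues with the entries below.
 evaluate quake-reflex
 ! Unsolicited inbound UDP to 27500 (someone trying to reach a Quake
 ! server run on the inside) never has a reflexive entry and is dropped.
 deny udp any any eq 27500 log
 deny ip any any
!
! Idle timeout for reflexive entries that do not set their own.
ip reflexive-list timeout 300
!
interface Serial0
 description upstream link (assumed interface)
 ip access-group inbound-filter in
 ip access-group outbound-filter out
```

While a game session is active, `show access-lists` shows the temporary entries under quake-reflex, which is the quickest way to confirm the hole opened for the right addresses and closed again after the timeout.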

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:06 EDT