[c-nsp] ACL making me insane

Luan Nguyen luan.m.nguyen at gmail.com
Tue Jun 3 14:32:47 EDT 2008


The established keyword matches on ACK and RST, I think.  When someone first
contacts your webserver, there is nothing established about it, I don't think
:P
I, as a matter of choice, stay away from established and always allow matching
counter flows in the ACL.

-lmn
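As an added illustration that is not part of the thread: a small stateless model of how an IOS-style extended ACL evaluates the thread's FWCUST_XXX_OUT list, with "established" matching only segments that carry ACK or RST. The CLIENT and ELSEWHERE names, port numbers and flag values are constructed for the example; the ICMP and UDP entries are left out.

```python
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
Pkt = namedtuple("Pkt", "proto src sport dst dport flags")

def port_ok(cond, port):
    """cond is None (any port) or an (operator, value) pair such as ("eq", 80)."""
    if cond is None:
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def match(rule, p):
    action, proto, src, sport, dst, dport, established = rule
    if proto != "ip" and proto != p.proto:
        return False
    if (src != "any" and src != p.src) or (dst != "any" and dst != p.dst):
        return False
    if not (port_ok(sport, p.sport) and port_ok(dport, p.dport)):
        return False
    # "established" matches only segments with ACK or RST set, never a bare SYN.
    return not established or bool(p.flags & (ACK | RST))

def evaluate(acl, p):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for rule in acl:
        if match(rule, p):
            return rule[0]
    return "deny"

# The thread's FWCUST_XXX_OUT list, TCP entries only (smtp=25, pop3=110, domain=53).
DENY_ALL = ("deny", "ip", "any", None, "any", None, False)
OUT_ACL = [
    ("permit", "tcp", "any", None, "any", None, True),
    ("permit", "tcp", "PROTECTEDSERVER", None, "SAFEMAIL", ("eq", 25), False),
    ("permit", "tcp", "PROTECTEDSERVER", None, "SAFEMAIL", ("eq", 110), False),
    ("permit", "tcp", "PROTECTEDSERVER", None, "any", ("eq", 53), False),
    ("permit", "tcp", "PROTECTEDSERVER", None, "any", ("eq", 80), False),
    ("permit", "tcp", "PROTECTEDSERVER", None, "any", ("eq", 21), False),
    DENY_ALL,
]
# The "counter flow" entry from the thread, for comparison with "established".
COUNTER_FLOW_ACL = [
    ("permit", "tcp", "PROTECTEDSERVER", ("eq", 80), "any", ("gt", 1024), False),
    DENY_ALL,
]
# Constructed sample segments, as seen entering the router from the server side.
SYNACK_FROM_WEB = Pkt("tcp", "PROTECTEDSERVER", 80, "CLIENT", 51000, SYN | ACK)
SYN_FROM_80 = Pkt("tcp", "PROTECTEDSERVER", 80, "CLIENT", 51000, SYN)
SYN_TO_443 = Pkt("tcp", "PROTECTEDSERVER", 40000, "ELSEWHERE", 443, SYN)
```

The established entry passes the web server's SYN-ACK but not a bare SYN sourced from port 80, whereas the counter-flow entry passes both; a new connection from the server to a port not listed (443 here) is dropped by the final deny either way.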


On Tue, Jun 3, 2008 at 1:58 PM, Enno Rey <erey at ernw.de> wrote:

> Hi,
>
> On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
> > The problem is when someone contacted your protected server, you need to
> > allow the counter flow of that.
> > For example, you need to have:  permit tcp host PROTECTEDSERVER eq 80 any gt 1024
> > so that the web counter flow will work (counter flow of this line:
> > permit tcp any host PROTECTEDSERVER eq 80)
>
> this is not correct as there's the "tcp any any established" rule which
> should (and does) permit that.
>
> thanks,
>
> Enno
>
> >
> > -lmn
> >
> > On Tue, Jun 3, 2008 at 1:23 PM, Skeeve Stevens <skeeve at skeeve.org> wrote:
> >
> > >
> > > Hey all,
> > >
> > > Got an issue with the below ACL.  The inbound to the PROTECTEDSERVER is
> > > working ok.. port 80 is allowed, RDP from one trusted machine.
> > > But, on the outbound, with the deny ip any any active (notice the !), the
> > > inbound won't work, nor can the server get out.
> > >
> > > What am I missing?
> > >
> > > Basically what I want to do is deny all, allow only certain things..
> > >
> > > .Skeeve
> > >
> > > !
> > > no ip access-list extended FWCUST_XXX_IN
> > > ip access-list extended FWCUST_XXX_IN
> > >  remark Inbound Firewall rules for XXX Services
> > >  permit tcp any host PROTECTEDSERVER established
> > >  permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
> > >  permit tcp any host PROTECTEDSERVER eq 80
> > >  permit icmp any any
> > >  deny   ip any any
> > > !
> > > no ip access-list extended FWCUST_XXX_OUT
> > > ip access-list extended FWCUST_XXX_OUT
> > >  remark Outbound Firewall rules for XXX Services
> > > permit tcp any any established
> > >  permit tcp PROTECTEDSERVER host SAFEMAIL eq smtp
> > >  permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> > >  permit icmp any any
> > >  permit tcp host PROTECTEDSERVER any eq domain
> > >  permit udp host PROTECTEDSERVER any eq domain
> > >  permit tcp host PROTECTEDSERVER any eq 80
> > >  permit tcp host PROTECTEDSERVER any eq 21
> > >  permit udp host PROTECTEDSERVER any eq 20
> > > ! deny   ip any any
> > > !
> > > !
> > > !
> > > interface GigabitEthernet0/2.402
> > >  ip access-group FWCUST_XXX_OUT in
> > >  ip access-group FWCUST_XXX_IN out
> > > !
> > > end
> > > !
> > >
> > > --
> > > Skeeve Stevens, RHCE
> > > skeeve at skeeve.org / www.skeeve.org
> > > Cell +61 (0)414 753 383 / skype://skeeve
> > >
> > > eintellego - skeeve at eintellego.net - www.eintellego.net
> > > --
> > > I'm a groove licked love child king of the verse
> > > Si vis pacem, para bellum
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
>
> --
> Enno Rey
>
> ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
> PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1
>
> Handelsregister Heidelberg: HRB 7135
> Geschaeftsfuehrer: Roland Fiege, Enno Rey
>

