[c-nsp] ACL making me insane

Enno Rey erey at ernw.de
Tue Jun 3 15:08:22 EDT 2008


Hi,


On Tue, Jun 03, 2008 at 06:50:29PM +0000, Stephen Stuart wrote:
> > Hi,
> > 
> > On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
> > > The problem is when someone contacted your protectedserver, you need to
> > > allow the counter flow of that.
> > > For example, you need to have:  permit tcp host PROTECTEDSERVER eq 80 any gt
> > > 1024  so that the web counter flow will work (counter flow of this line:
> > > permit tcp any host PROTECTEDSERVER eq 80)
> > 
> > this is not correct as there's the "tcp any any established" rule which should (and does) permit that.
> 
> The "established" rule is present on the inbound ACL, but not the
> outbound ACL.

hmm... what's the fourth line here (see below)? Am I missing/overlooking something here?

thanks,

Enno


> no ip access-list extended FWCUST_XXX_OUT
> ip access-list extended FWCUST_XXX_OUT
>  remark Outbound Firewall rules for XXX Services
>  permit tcp any any established
>  permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
>  permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
>  permit icmp any any
>  permit tcp host PROTECTEDSERVER any eq domain
>  permit udp host PROTECTEDSERVER any eq domain
>  permit tcp host PROTECTEDSERVER any eq 80
>  permit tcp host PROTECTEDSERVER any eq 21
>  permit udp host PROTECTEDSERVER any eq 20
> ! deny   ip any any

> Adding an "established" rule to the outbound ACL would
> fix things (but might allow more communication than Skeeve desires);
> Luan's correction to the outbound rules would fix things, as well.
> 
> Stephen

-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
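To make the counter-flow point concrete, the following is an added Python evaluator for the IOS extended-ACL subset quoted above; it is not from the thread or from Cisco. It parses `any`/`host`, `eq`/`gt` and `established`, applies first-match with the implicit deny, and shows that the web server's reply (source port 80, ACK set) is dropped from the outbound ACL unless either the `permit tcp any any established` line or Luan's `eq 80 any gt 1024` counter-flow rule is present, while `established` also lets through any other ACK-bearing TCP segment (Stephen's "more communication" caveat). PROTECTEDSERVER, SAFEMAIL, CLIENT and the three-line ACL fragment are placeholders constructed for the example.

```python
# Evaluator for the IOS extended-ACL subset quoted in the thread. Added example,
# not from the thread; PROTECTEDSERVER, SAFEMAIL and CLIENT are placeholder names.
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "www": 80}

def _addr(tok, i):  # 'any' | 'host X' at tok[i] -> (predicate, next index)
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        want = tok[i + 1]
        return (lambda a: a == want), i + 2
    raise ValueError("unsupported address form: " + tok[i])

def _port(tok, i):  # optional 'eq N' | 'gt N' at tok[i] -> (predicate, next index)
    if i < len(tok) and tok[i] in ("eq", "gt"):
        n = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        return ((lambda p: p == n) if tok[i] == "eq" else (lambda p: p > n)), i + 2
    return (lambda p: True), i

def parse_ace(line):  # one access-list entry -> (action, matcher)
    tok = line.split()
    src, i = _addr(tok, 2); sport, i = _port(tok, i)
    dst, i = _addr(tok, i); dport, i = _port(tok, i)
    established = "established" in tok[i:]  # matches TCP with ACK or RST bit set
    def match(pkt):
        proto, s, d, sp, dp, ack = pkt
        if tok[1] not in (proto, "ip"):
            return False
        if not (src(s) and dst(d) and sport(sp) and dport(dp)):
            return False
        return ack or not established
    return tok[0], match

def evaluate(acl, pkt):  # first match wins; implicit 'deny ip any any' at the end
    for line in acl:
        line = line.strip()
        if line and not line.startswith(("remark", "!")):
            action, match = parse_ace(line)
            if match(pkt):
                return action
    return "deny"

# Constructed outbound ACL fragment in the thread's style, without the 4th line.
OUT_ACL = [" remark Outbound Firewall rules for XXX Services",
           " permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp",
           " permit tcp host PROTECTEDSERVER any eq 80"]
# Packet tuple: (proto, src, dst, sport, dport, ack_set). The web server's
# reply travels from port 80 to the client's ephemeral port with ACK set.
WEB_REPLY = ("tcp", "PROTECTEDSERVER", "CLIENT", 80, 40000, True)
def allowed(pkt, *extra_rules):  # extra_rules are evaluated before OUT_ACL
    return evaluate(list(extra_rules) + OUT_ACL, pkt) == "permit"
```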

