[c-nsp] ACL making me insane
Enno Rey
erey at ernw.de
Tue Jun 3 15:08:22 EDT 2008
Hi,
On Tue, Jun 03, 2008 at 06:50:29PM +0000, Stephen Stuart wrote:
> > Hi,
> >
> > On Tue, Jun 03, 2008 at 01:37:30PM -0400, Luan Nguyen wrote:
> > > The problem is when someone contacted your protectedserver, you need to
> > > allow the counter flow of that.
> > > For example, you need to have: permit tcp host PROTECTEDSERVER eq 80 any gt
> > > 1024 so that the web counter flow will work (counter flow of this line:
> > > permit tcp any host PROTECTEDSERVER eq 80)
> >
> > this is not correct as there's the "tcp any any established" rule which should (and does) permit that.
>
> The "established" rule is present on the inbound ACL, but not the
> outbound ACL.
hmm... what's the fourth line here (see below)? do I miss/overlook sth here?
thanks,
Enno
> no ip access-list extended FWCUST_XXX_OUT
> ip access-list extended FWCUST_XXX_OUT
> remark Outbound Firewall rules for XXX Services
> permit tcp any any established
> permit tcp PROTECTEDSERVER host SAFEMAIL eq smtp
> permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> permit icmp any any
> permit tcp host PROTECTEDSERVER any eq domain
> permit udp host PROTECTEDSERVER any eq domain
> permit tcp host PROTECTEDSERVER any eq 80
> permit tcp host PROTECTEDSERVER any eq 21
> permit udp host PROTECTEDSERVER any eq 20
> ! deny ip any any
Adding an "established" rule to the outbound ACL would
> fix things (but might allow more communication than Skeeve desires);
> Luan's correction to the outbound rules would fix things, as well.
>
> Stephen
--
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
More information about the cisco-nsp
mailing list