[c-nsp] ACL making me insane
Robert Blayzor
rblayzor.bulk at inoc.net
Wed Jun 4 05:46:18 EDT 2008
On Jun 3, 2008, at 1:23 PM, Skeeve Stevens wrote:
> no ip access-list extended FWCUST_XXX_IN
> ip access-list extended FWCUST_XXX_IN
> remark Inbound Firewall rules for XXX Services
> permit tcp any host PROTECTEDSERVER established
> permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
> permit tcp any host PROTECTEDSERVER eq 80
> permit icmp any any
> deny ip any any
> !
> no ip access-list extended FWCUST_XXX_OUT
> ip access-list extended FWCUST_XXX_OUT
> remark Outbound Firewall rules for XXX Services
> permit tcp any any established
> permit tcp host PROTECTEDSERVER host SAFEMAIL eq smtp
> permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> permit icmp any any
> permit tcp host PROTECTEDSERVER any eq domain
> permit udp host PROTECTEDSERVER any eq domain
> permit tcp host PROTECTEDSERVER any eq 80
> permit tcp host PROTECTEDSERVER any eq 21
> permit udp host PROTECTEDSERVER any eq 20
The "deny ip any any" is redundant and can be removed unless you want
to log it all.
One point of note is that you're allowing UDP outbound for DNS, but
you're not allowing UDP back in. So I doubt you're able to resolve
anything with these ACLs in place unless somehow you're using TCP for
all your DNS queries (possible but unlikely). The same goes for any
UDP-type service. Since ACLs are not stateful, you have to
explicitly allow all packets to complete a bidirectional flow (unless
you can cheat by using "established", of course).
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
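To make the stateless point concrete, here is a small added example (mine, not from Skeeve's or Robert's mail) that replays the two ACLs above against a UDP DNS lookup and a TCP web fetch. RESOLVER and WEBSITE are made-up placeholders, the ephemeral ports are constructed, and only the tcp/udp entries relevant to the discussion are modelled.

```python
# Added example: a minimal stateless ACL evaluator in the spirit of IOS
# extended ACLs. Hostnames are the poster's placeholders kept as strings.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    ack_set: bool = False  # TCP ACK/RST bit present -> matches "established"


# Entries: (proto, src, dst, dport, established_only, action); None = "any"
ACL_IN = [
    ("tcp", None, "PROTECTEDSERVER", None, True, "permit"),   # established
    ("tcp", "ALLOWEDREMOTE", "PROTECTEDSERVER", 3389, False, "permit"),
    ("tcp", None, "PROTECTEDSERVER", 80, False, "permit"),
]
ACL_OUT = [
    ("tcp", None, None, None, True, "permit"),                # established
    ("tcp", "PROTECTEDSERVER", None, 53, False, "permit"),    # DNS over TCP
    ("udp", "PROTECTEDSERVER", None, 53, False, "permit"),    # DNS over UDP
    ("tcp", "PROTECTEDSERVER", None, 80, False, "permit"),
]


def evaluate(acl, pkt):
    """First matching entry wins; no state is kept between packets."""
    for proto, src, dst, dport, est, action in acl:
        if proto != pkt.proto:
            continue
        if src is not None and src != pkt.src:
            continue
        if dst is not None and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        if est and not (pkt.proto == "tcp" and pkt.ack_set):
            continue
        return action
    return "deny"  # implicit deny ip any any at the end of every ACL


def dns_lookup_flows():
    """UDP query leaves fine; the reply to the ephemeral port is dropped."""
    query = Packet("udp", "PROTECTEDSERVER", "RESOLVER", 53)
    reply = Packet("udp", "RESOLVER", "PROTECTEDSERVER", 40000)
    return evaluate(ACL_OUT, query), evaluate(ACL_IN, reply)


def web_fetch_flows():
    """TCP SYN leaves; the SYN/ACK comes back via the "established" entry."""
    syn = Packet("tcp", "PROTECTEDSERVER", "WEBSITE", 80)
    synack = Packet("tcp", "WEBSITE", "PROTECTEDSERVER", 40001, ack_set=True)
    return evaluate(ACL_OUT, syn), evaluate(ACL_IN, synack)
```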