[c-nsp] ACL making me insane
Ziv Leyes
zivl at gilat.net
Wed Jun 4 07:25:42 EDT 2008
There's no way to use "established" for UDP though, so I can share what works for me. I call them "operational rules" because they suit everything I need to allow that is host-initiated/related for its own functionality; of course you could add some more rules to permit other tcp/udp ports to reach the desired host/net.
ip access-list extended WHATEVER
remark allow any icmp answers to get in
permit icmp any {destination host/net} echo-reply
permit icmp any {destination host/net} traceroute
permit icmp any {destination host/net} time-exceeded
permit icmp any {destination host/net} unreachable
remark allow any dns answers to get in
permit udp any eq domain {destination host/net}
remark same for ntp
permit udp any eq ntp {destination host/net} eq ntp
remark this is for any other udp on high ports, but a bit too open
permit udp any any gt 1024
remark this is for any host initiated traffic
permit tcp any {destination host/net} established
remark if wanted deny all the rest with logs
deny ip any {destination host/net} log
Hope this helps,
Ziv
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Blayzor
Sent: Wednesday, June 04, 2008 12:46 PM
To: skeeve at skeeve.org
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACL making me insane
On Jun 3, 2008, at 1:23 PM, Skeeve Stevens wrote:
> no ip access-list extended FWCUST_XXX_IN
> ip access-list extended FWCUST_XXX_IN
> remark Inbound Firewall rules for XXX Services
> permit tcp any host PROTECTEDSERVER established
> permit tcp host ALLOWEDREMOTE host PROTECTEDSERVER eq 3389
> permit tcp any host PROTECTEDSERVER eq 80
> permit icmp any any
> deny ip any any
> !
> no ip access-list extended FWCUST_XXX_OUT
> ip access-list extended FWCUST_XXX_OUT
> remark Outbound Firewall rules for XXX Services
> permit tcp any any established
> permit tcp PROTECTEDSERVER host SAFEMAIL eq smtp
> permit tcp host PROTECTEDSERVER host SAFEMAIL eq pop3
> permit icmp any any
> permit tcp host PROTECTEDSERVER any eq domain
> permit udp host PROTECTEDSERVER any eq domain
> permit tcp host PROTECTEDSERVER any eq 80
> permit tcp host PROTECTEDSERVER any eq 21
> permit udp host PROTECTEDSERVER any eq 20
The "deny ip any any" entries are redundant and can be removed unless you want
to log it all.
One point of note is that you're allowing UDP outbound for DNS, but
you're not allowing UDP back in. So I doubt you're able to resolve
anything with these ACLs in place unless somehow you're using TCP for
all your DNS queries (possible but unlikely). The same goes for any
UDP type service. Since ACLs are not stateful, you have to
explicitly allow all packets to complete a bidirectional flow (unless
you can cheat by using "established", of course).
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
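To make Robert's point (UDP replies are not matched by anything in the quoted inbound ACL) and Ziv's fix (an explicit "permit udp any eq domain" return rule) concrete, here is an added example, not code from the thread or from IOS: a small stateless evaluator for Cisco-style extended ACL lines. The host 192.0.2.10 standing in for PROTECTEDSERVER and the resolver address are constructed sample values.

```python
# Added example, not from the thread: a tiny stateless evaluator for Cisco-style
# extended ACL lines, to show why the quoted inbound ACL drops DNS replies while
# Ziv's "permit udp any eq domain <host>" admits them. Handles permit/deny,
# ip/tcp/udp/icmp, "any"/"host X", eq/gt ports, remarks and "established".
NAMED_PORTS = {"domain": 53, "ntp": 123, "smtp": 25, "pop3": 110}

def _addr(t):
    # consume 'any' or 'host X'; return (matcher, remaining tokens)
    if t[0] == "any":
        return (lambda a: True), t[1:]
    if t[0] == "host":
        return (lambda a, want=t[1]: a == want), t[2:]
    raise ValueError("unsupported address spec: " + t[0])

def _port(t):
    # consume optional 'eq N' / 'gt N'; return (matcher, remaining tokens)
    if t and t[0] in ("eq", "gt"):
        n = NAMED_PORTS.get(t[1]) or int(t[1])
        return ((lambda p: p == n) if t[0] == "eq" else (lambda p: p > n)), t[2:]
    return (lambda p: True), t

def evaluate(acl, pkt):
    """First-match evaluation ending in the implicit deny. pkt keys: proto, src,
    sport, dst, dport, ack (True when the TCP ACK or RST flag is set)."""
    for line in acl.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        action, proto, rest = t[0], t[1], t[2:]
        if proto not in ("ip", pkt["proto"]):
            continue
        src_ok, rest = _addr(rest)
        sport_ok, rest = _port(rest)
        dst_ok, rest = _addr(rest)
        dport_ok, rest = _port(rest)
        if "established" in rest and not pkt["ack"]:
            continue  # stateless: the flag bit, not a connection table, decides
        if (src_ok(pkt["src"]) and sport_ok(pkt["sport"])
                and dst_ok(pkt["dst"]) and dport_ok(pkt["dport"])):
            return action
    return "deny"

# Constructed sample: the quoted inbound ACL with PROTECTEDSERVER = 192.0.2.10
SKEEVE_IN = ("permit tcp any host 192.0.2.10 established\n"
             "permit tcp any host 192.0.2.10 eq 80\n"
             "permit icmp any any\ndeny ip any any\n")
FIXED_IN = "permit udp any eq domain host 192.0.2.10\n" + SKEEVE_IN
# A DNS answer from a resolver to the server's ephemeral port (UDP has no ACK bit)
DNS_REPLY = {"proto": "udp", "src": "198.51.100.53", "sport": 53,
             "dst": "192.0.2.10", "dport": 40000, "ack": False}
```

Running evaluate(SKEEVE_IN, DNS_REPLY) falls through to the final deny, while evaluate(FIXED_IN, DNS_REPLY) is permitted by the return rule; a TCP reply segment with the ACK bit set is admitted by "established" in both.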
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************