[c-nsp] ACL making me insane
Robert Blayzor
rblayzor.bulk at inoc.net
Wed Jun 4 08:35:01 EDT 2008
On Jun 4, 2008, at 7:25 AM, Ziv Leyes wrote:
> There's no way to use "established" for UDP though, so I can share
> what works for me, I call them "operational rules" because they suit
> everything I need to allow that is host initiated/related for its
> own functionality, of course you could add some more rules to permit
> other tcp/udp ports to reach the desired host/net.
Of course not... ACLs are very basic and are not stateful in any way.
So if you're trying to use it in that way, it's very difficult and you
end up with a lot of "loose" rules. Of course for DNS you could just
allow responses from the DNS server from UDP port 53 to any port >
1023, but it's loose. If you have a recursive DNS server inside of
that ACL, then you're going to have to allow from ALL IPs from
UDP port 53.
Keep your ACLs basic and to the point, trying to make them overly
complicated to replace a stateful firewall kind of defeats the purpose
and ends up being more trouble than it's worth. (IMHO)
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/
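The two DNS cases Robert describes, modelled as an added example that is not part of this thread and not Cisco code: a small Python evaluator for stateless, first-match ACL entries written in the IOS spirit (permit/deny, protocol, source, source-port condition, destination, destination-port condition, implicit deny at the end). The addresses (10.0.0.0/24 inside, 192.0.2.53 as the resolver, 198.51.100.7 as an unrelated outside host) and the packets are constructed; the point is to show that once the inside host is a recursive resolver and the source widens to "any", the rule admits any UDP datagram whose source port happens to be 53, because nothing in the ACL remembers that no query was ever sent.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A port condition is ("eq", 53), ("gt", 1023), ("lt", 1024) or None for "any".
PortCond = Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches either)
    src: ipaddress.IPv4Network
    sport: PortCond
    dst: ipaddress.IPv4Network
    dport: PortCond


def net(spec: str) -> ipaddress.IPv4Network:
    """Translate the IOS-style address forms used in the thread into a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    return ipaddress.IPv4Network(spec, strict=False)


def port_matches(cond: PortCond, port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def entry_matches(e: Entry, p: Packet) -> bool:
    return (
        e.proto in ("ip", p.proto)
        and ipaddress.IPv4Address(p.src) in e.src
        and ipaddress.IPv4Address(p.dst) in e.dst
        and port_matches(e.sport, p.sport)
        and port_matches(e.dport, p.dport)
    )


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Stateless, first matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


INSIDE = net("10.0.0.0/24")          # constructed: the network behind the ACL
RESOLVER = net("host 192.0.2.53")    # constructed: the one DNS server hosts query

# Case 1: inside clients only query a known resolver, so replies can be
# scoped to that single source address.
TIGHT_ACL = [
    Entry("permit", "udp", RESOLVER, ("eq", 53), INSIDE, ("gt", 1023)),
]

# Case 2: the inside host is itself a recursive resolver, so answers arrive
# from authoritative servers anywhere and the source has to widen to "any".
LOOSE_ACL = [
    Entry("permit", "udp", net("any"), ("eq", 53), INSIDE, ("gt", 1023)),
]

# Constructed packets: a genuine reply from the resolver, and two datagrams
# from an unrelated host that merely set their source port to 53.
REPLY = Packet("udp", "192.0.2.53", 53, "10.0.0.10", 40000)
STRANGER_HIGH = Packet("udp", "198.51.100.7", 53, "10.0.0.10", 40000)
STRANGER_LOW = Packet("udp", "198.51.100.7", 53, "10.0.0.10", 161)


def compare() -> dict:
    """Evaluate each constructed packet against both ACLs: (tight, loose)."""
    cases = [("reply", REPLY),
             ("stranger_high", STRANGER_HIGH),
             ("stranger_low", STRANGER_LOW)]
    return {name: (evaluate(TIGHT_ACL, p), evaluate(LOOSE_ACL, p))
            for name, p in cases}


if __name__ == "__main__":
    for name, (tight, loose) in compare().items():
        print(f"{name:14s} tight={tight:6s} loose={loose}")
```

The tight ACL denies the stranger's datagram because the source address does not match; the loose one permits it to any high port, and only the `gt 1023` clause keeps it away from low-numbered services. That gap is exactly what a stateful firewall closes by tying replies to an observed outbound query, which is the argument for keeping ACLs simple rather than stretching them into that role.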