[c-nsp] ACL making me insane

Fred Reimer freimer at ctiusa.com
Wed Jun 4 09:47:03 EDT 2008


What platform is this on again?  If you want to use a Cisco IOS router
as a firewall, why don't you use the firewall features and configure
CBAC?


Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Blayzor
Sent: Wednesday, June 04, 2008 8:35 AM
To: Ziv Leyes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACL making me insane

On Jun 4, 2008, at 7:25 AM, Ziv Leyes wrote:
> There's no way to use "established" for UDP though, so I can share
> what works for me. I call them "operational rules" because they suit
> everything I need to allow that is host-initiated/related for its
> own functionality; of course you could add some more rules to permit
> other tcp/udp ports to reach the desired host/net.

Of course not. ACLs are very basic and are not stateful in any way.
So if you're trying to use them in that way, it's very difficult and you
end up with a lot of "loose" rules. Of course for DNS you could just
allow responses from the DNS server from UDP port 53 to any port >
1023, but it's loose. If you have a recursive DNS server inside of
that ACL, then you're going to have to allow from ALL IPs from
UDP port 53.

Keep your ACLs basic and to the point; trying to make them overly
complicated to replace a stateful firewall kind of defeats the purpose
and ends up being more trouble than it's worth. (IMHO)

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
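The two approaches discussed in this thread, side by side, as an added configuration example that is not from any of the posters: the stateless "loose" DNS reply rule Robert describes, and the CBAC (ip inspect) setup Fred suggests instead. The interface names, the inside network 192.0.2.0/24, the internal resolver 192.0.2.10 and the upstream resolver 198.51.100.53 are assumptions chosen for this example (documentation address ranges), not values from the thread.

```cisco
! Added example, not from the thread. Assumed topology:
!   FastEthernet0/0 = outside interface
!   FastEthernet0/1 = inside LAN, 192.0.2.0/24
!   198.51.100.53   = upstream DNS resolver (assumed)
!   192.0.2.10      = internal recursive resolver (assumed)

! --- Option A: plain extended ACL (stateless) ---
! Replies from one known resolver; still lets that host reach any
! high port on the inside, because the ACL has no notion of a query.
access-list 110 permit udp host 198.51.100.53 eq 53 192.0.2.0 0.0.0.255 gt 1023
! Only needed when an internal recursive resolver must receive replies
! from the whole Internet; this admits ANY source whose source port is 53.
access-list 110 permit udp any eq 53 host 192.0.2.10 gt 1023
! TCP return traffic via the "established" flag check (ACK/RST set).
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 established
! Log what is dropped so the loose rules can be reviewed later.
access-list 110 deny   ip any any log

interface FastEthernet0/0
 ip access-group 110 in

! --- Option B: CBAC (ip inspect) keeps session state ---
! Inspection rule set: return traffic is admitted only for sessions
! CBAC saw leave the inside, so no standing "port 53 to gt 1023" hole.
ip inspect name FW-OUT dns
ip inspect name FW-OUT udp
ip inspect name FW-OUT tcp
ip inspect name FW-OUT icmp

! Inbound ACL on the outside interface denies everything by default;
! CBAC adds temporary entries in front of it for matching replies.
access-list 120 deny   ip any any log

interface FastEthernet0/0
 ip access-group 120 in

interface FastEthernet0/1
 ip inspect FW-OUT in
```

Option A's second rule is the one the thread calls loose: any host on the Internet can send UDP from source port 53 to a high port on 192.0.2.10 and the router passes it. In Option B the deny-all ACL 120 is what the outside sees, and only a reply whose 5-tuple matches an outbound session gets through; `show ip inspect sessions` lists the sessions CBAC is currently tracking. Applying `ip inspect FW-OUT out` on FastEthernet0/0 instead of `in` on FastEthernet0/1 is the equivalent placement.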