[c-nsp] cisco ACL filter outbound only
Brian Turnbow
b.turnbow at twt.it
Tue Sep 15 11:08:03 EDT 2020
>
> It just seems to me that it is indeed possible using the above to put it
> together. Is this all just non-working on this platform?
>
The difference is in connection state.
An ACL does not track it so you can do
Permit tcp any any established
Inbound or outbound on a port , but that will only check that the ip packet has ack or rst set for the tcp session .
I can still send you an inbound tcp packet with ack or rst set even if it did not originate from "inside" and pass your filter.
It will also not help in any way for udp etc
The ACL does not know that a first packet was sent out so it should await a response
This is why you need a firewall be it on the router or external.
Brian
More information about the cisco-nsp
mailing list