[c-nsp] cisco ACL filter outbound only
Mike
mike+lists at yourtownonline.com
Tue Sep 15 11:52:34 EDT 2020
On 9/15/20 8:08 AM, Brian Turnbow wrote:
>> It just seems to me that it is indeed possible using the above to put it
>> together. Is this all just non-working on this platform?
>>
> The difference is in connection state.
> An ACL does not track it so you can do
> Permit tcp any any established
> Inbound or outbound on a port, but that will only check that the ip packet has ack or rst set for the tcp session.
> I can still send you an inbound tcp packet with ack or rst set even if it did not originate from "inside" and pass your filter.
> It will also not help in any way for udp etc
> The ACL does not know that a first packet was sent out so it should await a response
> This is why you need a firewall be it on the router or external.
>
Hi,
Again, the cli seems to indicate support for all the things
necessary, which includes the idea of 'established', which is why I ask
if THIS platform does in fact do what the cli suggests:
rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>
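The point Brian makes in the quoted reply (an ACL "established" match only looks at the ACK/RST bits of each packet in isolation, while a firewall remembers which flows left the inside interface) can be illustrated with a small model. The following is an added example written for this thread, not code from either poster and not a model of how the ASR920 actually implements ACLs; the packet objects, addresses (RFC 5737 documentation ranges) and the toy `StatefulFilter` class are all constructed for the illustration.

```python
"""
Constructed model of a stateless ACL 'established' match versus a stateful
connection table. No real traffic is generated; packets are plain objects.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}, {"ACK"}


def acl_established_permits(pkt: Packet) -> bool:
    """Model of 'permit tcp any any established' applied on the inbound side.

    The match is purely per-packet: TCP with ACK or RST set passes. There is
    no memory of any earlier packet, and UDP never matches 'established'.
    """
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal connection table (constructed for this example).

    An inbound packet is permitted only if it is the reverse of a flow that
    was first seen leaving the inside interface. Works for UDP as well as
    TCP because it keys on the 5-tuple, not on TCP flags.
    """

    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, pkt: Packet) -> None:
        # Record the 5-tuple of a session initiated from inside.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        # Reverse the tuple: this packet must be a reply to a known flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


INSIDE_HOST = "192.0.2.10"     # constructed documentation address
OUTSIDE_HOST = "198.51.100.7"  # constructed documentation address


def run_scenarios() -> dict:
    """Return, per scenario, whether each filter would permit the inbound packet."""
    fw = StatefulFilter()
    # Inside host opens a TCP session to an outside HTTPS server.
    fw.outbound(Packet("tcp", INSIDE_HOST, 40000, OUTSIDE_HOST, 443, frozenset({"SYN"})))
    # Inside host sends a UDP DNS query.
    fw.outbound(Packet("udp", INSIDE_HOST, 53000, OUTSIDE_HOST, 53))

    scenarios = {
        # Legitimate reply to the session opened from inside.
        "tcp_reply_to_inside_session": Packet(
            "tcp", OUTSIDE_HOST, 443, INSIDE_HOST, 40000, frozenset({"SYN", "ACK"})),
        # Inbound TCP packet with ACK set that no inside host ever asked for.
        "unsolicited_tcp_with_ack": Packet(
            "tcp", OUTSIDE_HOST, 12345, INSIDE_HOST, 22, frozenset({"ACK"})),
        # UDP reply to the DNS query sent from inside.
        "udp_reply_to_inside_query": Packet(
            "udp", OUTSIDE_HOST, 53, INSIDE_HOST, 53000),
    }
    return {
        name: {
            "acl_established": acl_established_permits(pkt),
            "stateful": fw.inbound_permits(pkt),
        }
        for name, pkt in scenarios.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30s} acl_established={verdict['acl_established']!s:5s} "
              f"stateful={verdict['stateful']}")
```

Running it shows the two gaps from the quoted reply side by side: the unsolicited packet with ACK set is permitted by the ACL model and refused by the connection table, and the UDP reply is refused by the ACL model (established is TCP-only) while the connection table permits it because it saw the query leave. Whether a given IOS-XE platform implements "established" exactly this way is not something this model answers; it only makes the difference in principle concrete.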