[c-nsp] cisco ACL filter outbound only

Keith Medcalf kmedcalf at dessus.com
Wed Sep 16 06:38:44 EDT 2020


Actually standard packet filtering is supported by all Cisco products,
and most others as well.  Packet filters do not do state tracking.  The
packet filters you want will only work for TCP.  You need to block
everything else.

outbound on the interface to "the rest of the universe":
permit tcp <source> any
deny ip <source> any
... whatever other shit you want to permit to go out ...

inbound on the interface from "the rest of the universe":
permit tcp any <source> established
deny ip any <source>
... whatever other shit you want to permit to go in ...

Cisco (and others) have worked this way for about 40 years.

-- 
Be decisive.  Make a decision, right or wrong.  The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Emille
>Blanc
>Sent: Tuesday, 15 September, 2020 10:20
>To: Mike <mike+lists at yourtownonline.com>; cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] cisco ACL filter outbound only
>
>>     Again, the cli seems to indicate support for all the things
>> necessary, which includes the idea of 'established', which is why I ask
>> if THIS platform does in fact do what the cli suggests:
>
>No, the ASR920 (Unless it's hiding in a recent IOS release), does not do
>any kind of state tracking.  You'll be better served looking at the ISR
>or Firewall families for that.
>
>What you're seeing in the CLI is pretty commonplace these days - to be
>fair, not just with Cisco - where an un-supported feature is 'left in'
>the command line.
>
>If in doubt, try it. Worst case it won't work, and then you can bounce
>the config off TAC to get one of their "unsupported configuration" canned
>responses. :]
>________________________________________
>From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Mike
><mike+lists at yourtownonline.com>
>Sent: Tuesday, September 15, 2020 8:52 AM
>To: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] cisco ACL filter outbound only
>
>On 9/15/20 8:08 AM, Brian Turnbow wrote:
>>> It just seems to me that it is indeed possible using the above to put
>>> it together. Is this all just non-working on this platform?
>>>
>> The difference is in connection state.
>> An ACL does not track it so you can do
>> Permit tcp any any established
>> Inbound or outbound on a port, but that will only check that the ip
>> packet has ack or rst set for the tcp session.
>> I can still send you an inbound tcp packet with ack or rst set even if
>> it did not originate from "inside" and pass your filter.
>> It will also not help in any way for udp etc
>> The ACL does not know that a first packet was sent out so it should
>> await a response
>> This is why you need a firewall be it on the router or external.
>>
>Hi,
>
>    Again, the cli seems to indicate support for all the things
>necessary, which includes the idea of 'established', which is why I ask
>if THIS platform does in fact do what the cli suggests:
>
>rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
>  ack          Match on the ACK bit
>  dscp         Match packets with given dscp value
>  eq           Match only packets on a given port number
>  established  Match established connections
>  fin          Match on the FIN bit
>  fragments    Check non-initial fragments
>  gt           Match only packets with a greater port number
>  log          Log matches against this entry
>  log-input    Log matches against this entry, including input interface
>  lt           Match only packets with a lower port number
>  match-all    Match if all specified flags are present
>  match-any    Match if any specified flag is present
>  neq          Match only packets not on a given port number
>  option       Match packets with given IP Options value
>  precedence   Match packets with given precedence value
>  psh          Match on the PSH bit
>  range        Match only packets in the range of port numbers
>  rst          Match on the RST bit
>  syn          Match on the SYN bit
>  time-range   Specify a time-range
>  tos          Match packets with given TOS value
>  ttl          Match packets with given TTL value
>  urg          Match on the URG bit
>  <cr>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
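The distinction the thread keeps coming back to, that `established` on a packet filter only tests the ACK/RST bits while a firewall remembers what went out, modelled in Python as an added example. This is not code from the list, from Cisco IOS, or from any poster; the `<source>` network (10.0.0.0/8), the addresses, ports and packets are all constructed, and the stateful part is a deliberately simplified connection table, not a real firewall.

```python
"""Toy model of the two ACL directions from the post beside a minimal
stateful filter. Added example; not code from the thread or from Cisco IOS.
The <source> network, addresses, ports and packets are all constructed."""

from dataclasses import dataclass


def is_inside(ip: str) -> bool:
    """Assumed <source> network: 10.0.0.0/8 (a placeholder, not from the post)."""
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"}, {"ACK"}


def acl_outbound(pkt: Packet) -> str:
    """Outbound list from the post: permit tcp <source> any / deny ip <source> any.
    First match wins, as in an IOS ACL."""
    if pkt.proto == "tcp" and is_inside(pkt.src):
        return "permit"
    return "deny"


def acl_inbound(pkt: Packet) -> str:
    """Inbound list from the post: permit tcp any <source> established /
    deny ip any <source>. 'established' is just 'ACK or RST bit set';
    the filter keeps no memory of what went out."""
    if pkt.proto == "tcp" and is_inside(pkt.dst) and pkt.flags & {"ACK", "RST"}:
        return "permit"
    return "deny"


class StatefulFilter:
    """Minimal connection table standing in for the firewall the thread
    recommends. An outbound TCP SYN or UDP datagram from <source> opens an
    entry; an inbound packet is permitted only if it matches the reverse
    5-tuple of an open entry. Real firewalls also check sequence numbers,
    flag sequences and timeouts; this is deliberately simplified."""

    def __init__(self) -> None:
        self.table: set = set()

    def outbound(self, pkt: Packet) -> str:
        if not is_inside(pkt.src):
            return "deny"
        if pkt.proto == "udp" or "SYN" in pkt.flags:
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.table else "deny"


def run_scenarios() -> dict:
    """Returns {scenario: (stateless ACL verdict, stateful verdict)}."""
    fw = StatefulFilter()
    # Constructed traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    syn = Packet("tcp", "10.1.1.1", 40000, "203.0.113.5", 443, frozenset({"SYN"}))
    reply = Packet("tcp", "203.0.113.5", 443, "10.1.1.1", 40000, frozenset({"SYN", "ACK"}))
    stray_ack = Packet("tcp", "198.51.100.9", 1234, "10.1.1.1", 22, frozenset({"ACK"}))
    stray_syn = Packet("tcp", "198.51.100.9", 1234, "10.1.1.1", 22, frozenset({"SYN"}))
    dns_q = Packet("udp", "10.1.1.1", 50000, "203.0.113.53", 53)
    dns_r = Packet("udp", "203.0.113.53", 53, "10.1.1.1", 50000)

    # Outbound first, so the stateful table is populated before replies arrive.
    results = {
        "tcp_query_out": (acl_outbound(syn), fw.outbound(syn)),
        "dns_query_out": (acl_outbound(dns_q), fw.outbound(dns_q)),
    }
    results.update({
        "reply_to_our_syn": (acl_inbound(reply), fw.inbound(reply)),
        "unsolicited_ack": (acl_inbound(stray_ack), fw.inbound(stray_ack)),
        "unsolicited_syn": (acl_inbound(stray_syn), fw.inbound(stray_syn)),
        "dns_reply_in": (acl_inbound(dns_r), fw.inbound(dns_r)),
    })
    return results


if __name__ == "__main__":
    for name, (acl, fw) in run_scenarios().items():
        print(f"{name:18s} stateless ACL: {acl:6s}  stateful: {fw}")
```

The two rows worth reading are `unsolicited_ack`, where the stateless list permits an inbound packet nobody inside asked for simply because ACK is set (Brian's point), and `dns_reply_in`, where the same list drops a legitimate UDP reply because `deny ip any <source>` has no way to know a query went out (Keith's "you need to block everything else"). Only the connection table gets both right.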