[c-nsp] cisco ACL filter outbound only

Keith Medcalf kmedcalf at dessus.com
Wed Sep 16 06:41:25 EDT 2020


ooops.  extablished is of course a typo and should be established.
Basically that means the ACK bit is set.


-- 
Be decisive.  Make a decision, right or wrong.  The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: Keith Medcalf <kmedcalf at dessus.com>
>Sent: Wednesday, 16 September, 2020 04:39
>To: 'cisco-nsp at puck.nether.net' <cisco-nsp at puck.nether.net>
>Subject: RE: [c-nsp] cisco ACL filter outbound only
>
>
>Actually standard packet filtering is supported by all Cisco products,
>and most others as well.  Packet filters do not do state tracking.  The
>packet filters you want will only work for TCP.  You need to block
>everything else.
>
>outbound on the interface to "the rest of the universe":
>permit tcp <source> any
>deny ip <source> any
>... whatever other shit you want to permit to go out ...
>
>inbound on the interface from "the rest of the universe":
>permit tcp any <source> extablished
>deny ip any <source>
>... whatever other shit you want to permit to go in ...
>
>Cisco (and others) have worked this way for about 40 years.
>
>--
>Be decisive.  Make a decision, right or wrong.  The road of life is
>paved with flat squirrels who could not make a decision.
>
>>-----Original Message-----
>>From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of
>>Emille Blanc
>>Sent: Tuesday, 15 September, 2020 10:20
>>To: Mike <mike+lists at yourtownonline.com>; cisco-nsp at puck.nether.net
>>Subject: Re: [c-nsp] cisco ACL filter outbound only
>>
>>>     Again, the cli seems to indicate support for all the things
>>> necessary, which includes the idea of 'established', which is why I
>>> ask if THIS platform does in fact do what the cli suggests:
>>
>>No, the ASR920 (Unless it's hiding in a recent IOS release), does not
>>do any kind of state tracking.  You'll be better served looking at the
>>ISR or Firewall families for that.
>>
>>What you're seeing in the CLI is pretty commonplace these days - to be
>>fair, not just with Cisco - where an un-supported feature is 'left in'
>>the command line.
>>
>>If in doubt, try it. Worst case it won't work, and then you can bounce
>>the config off TAC to get one of their "unsupported configuration"
>>canned responses. :]
>>________________________________________
>>From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Mike
>><mike+lists at yourtownonline.com>
>>Sent: Tuesday, September 15, 2020 8:52 AM
>>To: cisco-nsp at puck.nether.net
>>Subject: Re: [c-nsp] cisco ACL filter outbound only
>>
>>On 9/15/20 8:08 AM, Brian Turnbow wrote:
>>>> It just seems to me that it is indeed possible using the above to
>>>> put it together. Is this all just non-working on this platform?
>>>>
>>> The difference is in connection state.
>>> An ACL does not track it so you can do
>>> Permit tcp any any established
>>> Inbound or outbound on a port, but that will only check that the ip
>>> packet has ack or rst set for the tcp session.
>>> I can still send you an inbound tcp packet with ack or rst set even
>>> if it did not originate from "inside" and pass your filter.
>>> It will also not help in any way for udp etc
>>> The ACL does not know that a first packet was sent out so it should
>>> await a response.
>>> This is why you need a firewall be it on the router or external.
>>>
>>Hi,
>>
>>    Again, the cli seems to indicate support for all the things
>>necessary, which includes the idea of 'established', which is why I
>>ask if THIS platform does in fact do what the cli suggests:
>>
>>rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
>>  ack          Match on the ACK bit
>>  dscp         Match packets with given dscp value
>>  eq           Match only packets on a given port number
>>  established  Match established connections
>>  fin          Match on the FIN bit
>>  fragments    Check non-initial fragments
>>  gt           Match only packets with a greater port number
>>  log          Log matches against this entry
>>  log-input    Log matches against this entry, including input interface
>>  lt           Match only packets with a lower port number
>>  match-all    Match if all specified flags are present
>>  match-any    Match if any specified flag is present
>>  neq          Match only packets not on a given port number
>>  option       Match packets with given IP Options value
>>  precedence   Match packets with given precedence value
>>  psh          Match on the PSH bit
>>  range        Match only packets in the range of port numbers
>>  rst          Match on the RST bit
>>  syn          Match on the SYN bit
>>  time-range   Specify a time-range
>>  tos          Match packets with given TOS value
>>  ttl          Match packets with given TTL value
>>  urg          Match on the URG bit
>>  <cr>
>>
>>_______________________________________________
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
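The point Brian and Keith make above, that `established` only tests the ACK/RST bits and the ACL remembers nothing about which side opened the session, is easy to see in a simulation. The block below is an added example written for this page, not code from the thread or from Cisco: it models Keith's two filters (`permit tcp <source> any` outbound, `permit tcp any <source> established` inbound, each followed by `deny ip`) as first-match-wins rule lists with an implicit deny, runs constructed traffic through them, and then runs the same traffic through a minimal connection tracker for contrast. The networks, hosts and ports are made up (RFC 5737 documentation ranges), CIDR notation stands in for IOS wildcard masks, and the `StatefulFilter` class is an illustration of what a firewall adds, not an IOS feature.

```python
"""Stateless IOS-style 'established' ACL versus a stateful check (simulation).

All addresses, ports and rules below are constructed sample data for this
example; they are not taken from the original mailing-list thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INSIDE = ip_network("192.0.2.0/24")  # plays the role of <source> in the thread


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "udp" or "ip" (any protocol)
    src: Optional[IPv4Network] = None  # None means "any"
    dst: Optional[IPv4Network] = None
    established: bool = False          # IOS 'established': ACK or RST bit set


def is_established(pkt: Packet) -> bool:
    """What the keyword really tests: a TCP flag, not a known session."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    return is_established(pkt) if rule.established else True


def acl_verdict(rules, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Keith's two filters: outbound permits TCP from inside; inbound permits
# only TCP back to inside that carries ACK or RST. Everything else is denied.
OUTBOUND_ACL = [Rule("permit", "tcp", src=INSIDE), Rule("deny", "ip", src=INSIDE)]
INBOUND_ACL = [Rule("permit", "tcp", dst=INSIDE, established=True),
               Rule("deny", "ip", dst=INSIDE)]


class StatefulFilter:
    """Contrast only (not an IOS feature): inbound TCP is admitted solely
    when it answers a SYN that was previously seen leaving."""

    def __init__(self):
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> str:
        verdict = acl_verdict(OUTBOUND_ACL, pkt)
        if verdict == "permit" and pkt.proto == "tcp" and pkt.flags == {"SYN"}:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def inbound(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return "deny"
        return "permit" if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions else "deny"


# Constructed traffic: one legitimate session plus probes from an outside host.
INSIDE_HOST, SERVER, ATTACKER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
TRAFFIC = {
    "out_syn":     ("out", Packet("tcp", INSIDE_HOST, 40000, SERVER, 443, frozenset({"SYN"}))),
    "in_synack":   ("in",  Packet("tcp", SERVER, 443, INSIDE_HOST, 40000, frozenset({"SYN", "ACK"}))),
    "in_syn_scan": ("in",  Packet("tcp", ATTACKER, 31337, INSIDE_HOST, 22, frozenset({"SYN"}))),
    "in_ack_scan": ("in",  Packet("tcp", ATTACKER, 31337, INSIDE_HOST, 22, frozenset({"ACK"}))),
    "in_udp":      ("in",  Packet("udp", ATTACKER, 53, INSIDE_HOST, 5353)),
    "out_udp":     ("out", Packet("udp", INSIDE_HOST, 5353, ATTACKER, 53)),
}


def stateless_verdicts() -> dict:
    return {name: acl_verdict(OUTBOUND_ACL if d == "out" else INBOUND_ACL, p)
            for name, (d, p) in TRAFFIC.items()}


def stateful_verdicts() -> dict:
    fw = StatefulFilter()
    return {name: (fw.outbound(p) if d == "out" else fw.inbound(p))
            for name, (d, p) in TRAFFIC.items()}


if __name__ == "__main__":
    stateless, stateful = stateless_verdicts(), stateful_verdicts()
    for name in TRAFFIC:
        print(f"{name:12} stateless={stateless[name]:6} stateful={stateful[name]}")
```

The interesting row is `in_ack_scan`: an unsolicited packet from outside with only ACK set passes the stateless `established` entry, exactly as Brian describes, while the tracker drops it because no SYN ever left for that 4-tuple. The UDP rows show the other half of Keith's advice: since the trick only works for TCP, everything else has to be denied outright, in both directions.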