[f-nsp] Problems with ACLs
Michael Renner
michael.renner at geizhals.at
Fri Jul 1 16:43:22 EDT 2005
Hi,
I've got a problem with ACLs on a foundry SI XL running 07.4.01T12.
Setup as follows:
---
interface e 3
port-name Uplink
ip access-group 20 in
interface e 5
port-name www1 extern
ip access-group 20 out
server real www1 1.1.1.1
port http
server virtual www.foo.bar 1.2.1.1
acl-id 20
port http
bind http www1 http
access-list 20 deny host 1.2.3.4 log
access-list 20 permit any
---
Connections to the virtual-server are filtered fine, but when (ab)users
try to contact the real servers directly only the first syn packet gets
dropped but subsequent packets seem to get forwarded fine.
tcp-dumps and foundry log as follows:
---
foundry:
Jul 1 21:56:20 foundry sollbruchstelle, list 20 denied tcp
1.2.3.4(50913) (Ethernet 3 0007.4fa2.1800) -> 1.1.1.1(http), 1 packets
client:
21:56:20.279831 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0)
win 5840 <mss 1460,sackOK,timestamp 19275632 0,nop,wscale 2>
21:56:23.278097 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0)
win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:23.278296 IP 1.1.1.1.80 > 1.2.3.4.50913: S
3024095339:3024095339(0) ack 807137641 win 5792 <mss
1460,sackOK,timestamp 3048126235 19278632,nop,wscale 5>
21:56:23.278337 IP 1.2.3.4.50913 > 1.1.1.1.80: . ack 1 win 1460
<nop,nop,timestamp 19278632 3048126235>
www1:
21:56:23.265849 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0)
win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:23.265874 IP 1.1.1.1.80 > 1.2.3.4.50913: S
3024095339:3024095339(0) ack 807137641 win 5792 <mss
1460,sackOK,timestamp 3048126235 19278632,nop,wscale 5>
21:56:23.266099 IP 1.2.3.4.50913 > 1.1.1.1.80: . ack 1 win 1460
<nop,nop,timestamp 19278632 3048126235>
---
Seems as if the connection is put in some sort of connection tracking
table after the first syn packet and subsequent packets skip the
access-list then.
ip strict-acl-mode [1] looks like it might fix this, but I'm a bit
reluctant to enable it since I don't know if the foundry is able to bear
the additional work-load and it shouldn't be necessary in the first place.
Is there something else I might've missed or should I just try & use
strict-acl-mode?
[1]
http://www.foundrynet.com/services/documentation/sixl/security.html#wp58963
best regards,
Michael Renner
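An added check, written here as an illustration and not taken from the post or from Foundry: it correlates the ServerIron ACL deny log with the tcpdump taken on the real server and reports any denied flow that still reached the server, which is exactly the symptom described above, so it can be rerun after a change such as strict-acl-mode to confirm the leak is gone. The sample log and capture lines are constructed from the post; the port-name table and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the post: the ServerIron ACL deny line
# and the tcpdump captured on the real server www1.
FOUNDRY_LOG = """\
Jul 1 21:56:20 foundry sollbruchstelle, list 20 denied tcp 1.2.3.4(50913) (Ethernet 3 0007.4fa2.1800) -> 1.1.1.1(http), 1 packets
"""
SERVER_TCPDUMP = """\
21:56:23.265849 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0) win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:23.265874 IP 1.1.1.1.80 > 1.2.3.4.50913: S 3024095339:3024095339(0) ack 807137641 win 5792 <mss 1460,sackOK,timestamp 3048126235 19278632,nop,wscale 5>
21:56:23.266099 IP 1.2.3.4.50913 > 1.1.1.1.80: . ack 1 win 1460 <nop,nop,timestamp 19278632 3048126235>
"""

# "list <acl> denied <proto> <src>(<sport>) (...) -> <dst>(<dport>), N packets"
DENY_RE = re.compile(
    r"list (\d+) denied (\w+) (\d+\.\d+\.\d+\.\d+)\((\d+)\) .*?-> "
    r"(\d+\.\d+\.\d+\.\d+)\((\w+)\)")
# "<time> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
PKT_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")
# The Foundry log prints well-known ports by name (assumed table; extend as needed).
SERVICE_PORTS = {"http": 80, "https": 443}

def port_number(token):
    return SERVICE_PORTS.get(token) or int(token)

def denied_flows(log_text):
    """Set of (src, sport, dst, dport) tuples the access-list reported as denied."""
    flows = set()
    for m in DENY_RE.finditer(log_text):
        _acl, _proto, src, sport, dst, dport = m.groups()
        flows.add((src, int(sport), dst, port_number(dport)))
    return flows

def leaked_flows(log_text, tcpdump_text):
    """Denied flows whose client->server packets still reached the server, mapped to
    the TCP flags seen in order. A non-empty result means packets bypassed the ACL."""
    denied = denied_flows(log_text)
    seen = defaultdict(list)
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        _ts, src, sport, dst, dport, flags = m.groups()
        flow = (src, int(sport), dst, port_number(dport))
        if flow in denied:  # only the client->server direction matches a deny entry
            seen[flow].append(flags)
    return dict(seen)
```

With the post's data the result lists the retransmitted SYN and the client's ACK for the denied flow, i.e. the connection completed despite the deny; an empty result after enabling strict-acl-mode would confirm the fix.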