[f-nsp] UDP 'established' ACL?
Diederik Schouten
dschout at high5.net
Fri Apr 1 02:34:14 EDT 2011
Ok, but that is the difference between using a firewall and an ACL on a switch/router.
A firewall builds a session-cache, which you really do not want the switch/router to do, especially when a lot of traffic is going through them.
Strictly speaking, your TCP ACL does block non-established traffic, but will allow DDoS traffic when it spoofs "established" TCP traffic, which a firewall wouldn't.
I'm afraid all you can do is ACL based on source and destination for UDP, and create a similar "smaller" hole like you did for TCP.
For additional security a device like a firewall is required.
Greetings,
Diederik
On 1 Apr 2011, at 02:47, David Miller wrote:
> On 3/31/11 5:06 PM, David Miller wrote:
>
>
> To those who kindly reminded me that UDP is stateless, thank you.
>
> I know UDP is stateless. Firewalls, however, keep track of UDP packets sent - for short periods - so that packets can be returned. DNS, voip, and other applications would break if the firewall didn't do this.
>
> That's how I'd like snmp to work here: snmp server on the secure network selects a random port, sends a UDP packet from that port to the monitored system on 161. Then the SI should know to allow the returned packet through. Instead, the packets get blocked going back to the random port.
>
> Sorry to not communicate this clearly the first time :)
>
> --- David
>
>
>
>> Serveriron running 10.2.01oTI4
>>
>> My setup is a more secure layer with utilities and databases, and a layer for the boxes that have to talk to the 'net.
>>
>> I currently have an ACL that lets a more-secure box establish TCP connections to the less secure layer:
>>
>> permit tcp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established
>>
>>
>> I'm installing SNMP now, and would like to have the equivalent rule for UDP - IE, any host on the more secure layer able to send UDP packets and get the response back. I tried this:
>>
>> permit udp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established
>>
>> and it doesn't raise any syntax errors, but it doesn't allow packets to return to the snmp box.
>>
>> What am I missing here?
>>
>> Thanks,
>>
>> --- David
>> _______________________________________________
>> foundry-nsp mailing list
>> foundry-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>
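An added illustration, not from the thread or from Foundry, of the two behaviours Diederik contrasts: a stateless ACL "established" test that only inspects TCP flags (so it passes a forged ACK and can never match David's SNMP reply), beside a firewall-style session cache that remembers the outbound UDP 4-tuple for a short period. The networks come from David's ACL; the host numbers, ports and 30-second timeout are assumptions, and the rule is simplified to the return direction (less-secure to secure).

```python
import ipaddress
from dataclasses import dataclass
SECURE = ipaddress.ip_network("192.168.120.0/24")       # utilities/databases layer
LESS_SECURE = ipaddress.ip_network("192.168.140.0/24")  # hosts that talk to the 'net

@dataclass(frozen=True)
class Pkt:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP control flags; UDP carries none

def stateless_established(p: Pkt) -> bool:
    """ACL 'established': admit a return packet that looks mid-connection (ACK/RST set)."""
    inbound = ipaddress.ip_address(p.src) in LESS_SECURE and ipaddress.ip_address(p.dst) in SECURE
    # No state is kept: a forged ACK passes, and a UDP packet has no flags to match.
    return inbound and p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})

class UdpSessionCache:
    """Firewall-style cache: remember outbound UDP 4-tuples briefly; admit only the reply."""
    def __init__(self, ttl_seconds: float = 30.0):  # assumed timeout, not a Foundry value
        self.ttl = ttl_seconds
        self.entries: dict = {}   # (src, sport, dst, dport) -> expiry timestamp
    def record_outbound(self, p: Pkt, now: float) -> None:
        if p.proto == "udp" and ipaddress.ip_address(p.src) in SECURE:
            self.entries[(p.src, p.sport, p.dst, p.dport)] = now + self.ttl
    def permits_reply(self, p: Pkt, now: float) -> bool:
        key = (p.dst, p.dport, p.src, p.sport)   # reverse of the recorded tuple
        if now <= self.entries.get(key, -1.0):   # known tuple, still fresh
            return True
        self.entries.pop(key, None)               # unknown or stale: deny
        return False
# Constructed sample traffic: an SNMP poll from a random high port to 161 and its reply.
SNMP_QUERY = Pkt("udp", "192.168.120.10", 51515, "192.168.140.20", 161)
SNMP_REPLY = Pkt("udp", "192.168.140.20", 161, "192.168.120.10", 51515)
TCP_REPLY = Pkt("tcp", "192.168.140.20", 80, "192.168.120.10", 40000, frozenset({"ACK"}))
FORGED_ACK = Pkt("tcp", "192.168.140.99", 80, "192.168.120.10", 40001, frozenset({"ACK"}))

def demo() -> dict:
    cache = UdpSessionCache()
    cache.record_outbound(SNMP_QUERY, now=0.0)
    return {
        "acl_tcp_reply": stateless_established(TCP_REPLY),          # True
        "acl_forged_ack": stateless_established(FORGED_ACK),        # True: flag-only check
        "acl_udp_reply": stateless_established(SNMP_REPLY),         # False: no flags to test
        "fw_udp_reply": cache.permits_reply(SNMP_REPLY, now=5.0),   # True: inside the TTL
        "fw_udp_late": cache.permits_reply(SNMP_REPLY, now=60.0),   # False: entry expired
    }
```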