Security Basics mailing list archives
RE: Re: Re: Re: Re: Re: Re: router access control list
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 7 Nov 2006 11:15:28 -0800
If you want to allow those ports in, attach the access list to ATM0 inbound -- that's where the packets from outside arrive, and they will be filtered before the router spends effort trying to figure out where to forward them to.

The return packets headed out ATM0 will have arbitrary destination ports and addresses, and these permitted sources. So if you try to apply the same ACL in this direction, it will block all of your responses to those inbound connections. (ACLs are not stateful firewalls, and they do not apply "common sense" to realize that you meant something else.) It's possible to write an ACL that only permits traffic that *could* be responses, but it can't possibly be certain and so it will have to allow almost anything -- so why bother. If you really need to be certain that only responses to these connections ever come out of your network, you need a real stateful firewall and not an ACL.

If you wrote the ACLs in terms of NATted (internal) addresses of your servers, then you could apply the ACL to E0 outbound (coming out of the router into the LAN). But this is a less optimal application, since the router must NAT and route every incoming packet before discovering whether to forward it or discard it.

Dave Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of apaez1084 () gmail com
Sent: Monday, November 06, 2006 10:33 AM
To: security-basics () securityfocus com
Subject: Re: Re: Re: Re: Re: Re: Re: router access control list

I don't want anything getting in, but I do have people connecting to those ports from other states and stuff (remotely). I only want those ports to be able to come in, and I want all the other ports on the list too. My problem is where do I apply this, because I can't seem to get the right interface. Do I put it in E0 or ATM0, in or out? I tried both with ACL 111 and nothing happened, and if nothing happens everything gets blocked.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
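The placement Dave describes, written out as a Cisco IOS configuration fragment. This is an added example and is not part of either message in the thread. The interface names ATM0 and E0 and the list number 111 come from the thread; the public address 203.0.113.10, the inside address 192.168.1.10 and the ports 22 and 443 are placeholders, because apaez never names the ports to be admitted. The stateful alternative at the end assumes the router runs an IOS image with the firewall (CBAC, "ip inspect") feature.

```cisco
! --- Preferred placement: inbound on the outside interface -------------
! Packets arriving on ATM0 are checked BEFORE NAT and routing, so the
! ACL is written in terms of the PUBLIC (pre-NAT) server address.
! Placeholders: 203.0.113.10 = public address, ports 22/443 = services.
access-list 111 remark Inbound from the Internet: admit only the published services
access-list 111 permit tcp any host 203.0.113.10 eq 22
access-list 111 permit tcp any host 203.0.113.10 eq 443
! Without the next line, replies to TCP connections that LAN hosts
! themselves open to the Internet are also dropped by this inbound list.
! "established" matches any TCP segment with ACK or RST set: it is the
! stateless "could be a response" approximation Dave mentions, and it
! cannot tell a genuine reply from a crafted ACK-flagged packet.
access-list 111 permit tcp any any established
! Every IOS ACL ends with an implicit "deny ip any any"; an explicit
! logged deny makes the drops visible in syslog for troubleshooting.
access-list 111 deny ip any any log
!
interface ATM0
 ip access-group 111 in
! (If the IP address lives on an ATM subinterface or a Dialer interface,
!  apply the access-group there instead.)
!
! Do NOT also apply 111 outbound on ATM0: the replies leave with source
! port 22/443 and an arbitrary destination port, so the same list would
! discard every response to the connections it just admitted.
!
! --- Alternative placement: outbound on the LAN interface ---------------
! Here the packet has already been NATted, so the list must name the
! INSIDE address. Every packet is NATted and routed before it can be
! discarded, which is the inefficiency Dave points out.
! Placeholder: 192.168.1.10 = inside (post-NAT) address of the same server.
access-list 121 permit tcp any host 192.168.1.10 eq 22
access-list 121 permit tcp any host 192.168.1.10 eq 443
access-list 121 permit tcp any any established
access-list 121 deny ip any any log
!
interface Ethernet0
 ip access-group 121 out
!
! --- If only real replies may pass: stateful inspection, not an ACL ----
! CBAC watches TCP/UDP sessions leaving via ATM0 and opens temporary
! holes in the inbound ACL for their return traffic, so the
! "permit tcp any any established" line above can be removed.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
interface ATM0
 ip inspect OUTBOUND out
```

To confirm which list is applied where, `show ip interface ATM0` reports "Inbound access list is 111", and `show access-lists` shows per-line match counters, which is the quickest way to see whether a list that appears to do nothing is actually matching or whether everything is falling through to the final deny.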
Current thread:
- Re: Re: Re: router access control list apaez1084 (Nov 01)
- RE: Re: Re: router access control list Erick Jensen (Nov 03)
- <Possible follow-ups>
- Re: Re: Re: Re: router access control list apaez1084 (Nov 03)
- Re: Re: Re: Re: Re: router access control list apaez1084 (Nov 06)
- RE: Re: Re: Re: Re: router access control list David Gillett (Nov 07)
- RE: Re: Re: Re: router access control list Erick Jensen (Nov 06)
- Re: Re: Re: Re: Re: router access control list apaez1084 (Nov 06)
- RE: Re: Re: Re: Re: router access control list Dixon, Wayne (Nov 06)
- Re: Re: Re: Re: Re: Re: router access control list emptybeerkann (Nov 06)
- Re: Re: Re: Re: Re: Re: Re: router access control list apaez1084 (Nov 07)
- RE: Re: Re: Re: Re: Re: Re: router access control list David Gillett (Nov 07)
- RE: Re: Re: Re: Re: router access control list Erick Jensen (Nov 07)