Security Basics mailing list archives

RE: Re: Re: Re: Re: Re: Re: router access control list


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 7 Nov 2006 11:15:28 -0800

  If you want to allow those ports in, attach the access list to
ATM0 inbound -- that's where the packets from outside arrive, and
they will be filtered before the router spends effort trying to 
figure out where to forward them to.

  The return packets headed out ATM0 will have arbitrary destination
ports and addresses, and these permitted sources.  So if you try to
apply the same ACL in this direction, it will block all of your responses
to those inbound connections.  (ACLs are not stateful firewalls, and
they do not apply "common sense" to realize that you meant something
else.)  It's possible to write an ACL that only permits traffic that
*could* be responses, but it can't possibly be certain and so it will
have to allow almost anything -- so why bother.  If you really need to
be certain that only responses to these connections ever come out of 
your network, you need a real stateful firewall and not an ACL.

  If you wrote the ACLs in terms of NATted (internal) addresses of your
servers, then you could apply the ACL to E0 outbound (coming out of the
router into the LAN).  But this is a less optimal application, since
the router must NAT and route every incoming packet before discovering
whether to forward it or discard it.

Dave Gillett


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of apaez1084 () gmail com
Sent: Monday, November 06, 2006 10:33 AM
To: security-basics () securityfocus com
Subject: Re: Re: Re: Re: Re: Re: Re: router access control list

I don't want anything getting in, but I do have people connect
to those ports from other states and stuff (remotely). I
only want those ports to be able to come in, and I want all
other ports on the list too.
My problem is where do I apply this, because I can't seem to get
the right interface. Do I put it in e0 or atm0, in or out? I
tried both with ACL111 and nothing happened, and if nothing
happens everything gets blocked.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
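A worked configuration, in Cisco IOS syntax, for the placement Dave describes; it is added here as an illustration and is not from the thread. The public server address 203.0.113.10 (RFC 5737 documentation range), the permitted services TCP 22 and TCP 443, and the interface names ATM0 and Ethernet0 are assumed.

```cisco
! Added example, not from the thread. Extended ACL 111 applied INBOUND on the
! outside interface ATM0: packets from the Internet are filtered before the
! router spends effort on NAT and routing. Because the ACL sits on the outside
! interface, it is written in terms of the public (outside) address.
! Assumed values: server public address 203.0.113.10, services TCP 22 and 443.
!
access-list 111 remark Inbound from the Internet: only the published services
access-list 111 permit tcp any host 203.0.113.10 eq 22
access-list 111 permit tcp any host 203.0.113.10 eq 443
access-list 111 deny   ip  any any log
!
interface ATM0
 ip access-group 111 in
!
! Do NOT reuse ACL 111 outbound on ATM0. A reply from the server has source
! port 22 or 443 and an arbitrary (ephemeral) destination port, so none of the
! permit lines above match it and the implicit deny drops every response.
!
! The closest a stateless ACL gets to "only responses" is the TCP established
! keyword, which matches packets with ACK or RST set. It does not track
! connections and says nothing about UDP or ICMP, so it cannot give the
! guarantee that a stateful firewall gives; other outbound traffic from the
! LAN would still need its own permit lines before the implicit deny.
access-list 112 remark Outbound on ATM0: packets that could be replies from the server
access-list 112 permit tcp host 203.0.113.10 any established
!
interface ATM0
 ip access-group 112 out
!
! Alternative from the thread: if the ACL is written with the server's
! internal (NATted) address, it can only be applied outbound on the inside
! interface, e.g. "interface Ethernet0" / "ip access-group <acl> out", which
! means the router NATs and routes every packet before deciding to drop it.
```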


