Full Disclosure mailing list archives
Re: RE: Example firewall script
From: "J.A. Terranson" <measl () mfn org>
Date: Sat, 27 Aug 2005 11:53:14 -0500 (CDT)
On Sat, 27 Aug 2005, ericscher () mac com wrote:
REPLY: ------- Actually, that's not true. I would agree that as a general rule of thumb you should have a deny statement at the end of every ACL. In fact, Cisco places an implicit DENY ANY ANY at the end of their ACL's automatically.
As does Juniper, as does.....
However, Access Control Lists are not firewalls. Yes, we use them as firewalls, but that's not what they are. ACL's ARE TRAFFIC SHAPING DEVICES.
Uh... No. Traffic shaping may make use of ACLs, but ACL != Shaping.
As traffic shaping devices, they can be used for security, but they are also used for management purposes. For instance; many Autonomous Systems are multi-homed.
Bzzzt. *All* "Autonomous Systems" are multihomed. Thats the definition of AS.
There are decisions to be made about how traffic will flow in and out of the AS. You also have to decide if you wish to be a transit AS or not. ACLs are the tool that you use to control your traffic.
Again, wrong. ACLS are involved, but what you are talking about are called ROUTING DECISIONS, and ACLS != Routing Decisions.
While an ACL being used as a security device should have a deny statement at the end, proper construction of the ACL is more about following the proper construction rules. This is actually a huge subject, far too big for an individual e-mail to a list.
Finally, a correct statement. But, while it was correct, it was also incomplete: "This is actually a huge subject, far too big for an individual e-mail to a list, and doubly so when I have yet to learn enough about it to expound upon the topic rationally."
But there are some basic rules to keep in mind: ACL's analyze traffic from top to bottom, so keep your most specific entries at the top,
This is true for *most* ACL implementations, but NOT for all. Again, you are trying to paint the entire world with your only available [Cisco] brush, and it is making you look like a self-important fool.
This subject REALLY calls for a book, not an e-mail response.
I can probably find a few good ones to recommend - if you will promise to read them prior to spewing more of this. ;-)
I've said very little in this post
And still managed to screw up most of what you said.
and look at all the room it took up.
That's expected: hot gas expands. -- Yours, J.A. Terranson sysadmin () mfn org 0xBD4A95BF I like the idea of belief in drug-prohibition as a religion in that it is a strongly held belief based on grossly insufficient evidence and bolstered by faith born of intuitions flowing from the very beliefs they are intended to support. don zweig, M.D. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Example firewall script Bernardo MartÃn (Aug 26)
- Re: Example firewall script James Lay (Aug 26)
- RE: [inbox] Example firewall script Exibar (Aug 27)
- <Possible follow-ups>
- RE: Example firewall script ericscher () mac com (Aug 26)
- RE: Example firewall script ericscher () mac com (Aug 27)
- Re: RE: Example firewall script J.A. Terranson (Aug 27)
- Re: RE: Example firewall script James Tucker (Aug 27)
- RE: RE: Example firewall script Jan Nielsen (Aug 27)
- RE: [inbox] RE: RE: Example firewall script Exibar (Aug 28)
- Re: RE: Example firewall script mayhem (Aug 27)
- RE: [inbox] RE: Example firewall script Exibar (Aug 28)
- Re: RE: Example firewall script Rachael Treu Gomes (Aug 30)
- Re: RE: Example firewall script fd (Aug 30)
- Re: RE: Example firewall script J.A. Terranson (Aug 27)
- Re: RE: Example firewall script J.A. Terranson (Aug 27)
- Re: RE: Example firewall script Jason Coombs (Aug 27)
- Re: RE: Example firewall script J.A. Terranson (Aug 27)
(Thread continues...)