Re: RE: Example firewall script

["J.A. Terranson" <measl () mfn org>]

On Sat, 27 Aug 2005, ericscher () mac com wrote:

> REPLY:
> -------
>
> Actually, that's not true.
> I would agree that as a general rule of thumb
> you should have a deny statement at the end
> of every ACL. In fact, Cisco places an implicit
> DENY ANY ANY at the end of their ACL's
> automatically.

As does Juniper, as does.....


> However, Access Control Lists are not firewalls.
> Yes, we use them as firewalls, but that's not what
> they are.
>
> ACL's ARE TRAFFIC SHAPING DEVICES.

Uh... No.  Traffic shaping may make use of ACLs, but ACL != Shaping.


> As traffic shaping devices, they can be used for
> security, but they are also used for management
> purposes. For instance; many Autonomous Systems
> are multi-homed.

Bzzzt.  *All* "Autonomous Systems" are multihomed.  Thats the definition
of AS.

> There are decisions to be made
> about how traffic will flow in and out of the AS.
> You also have to decide if you wish to be a
> transit AS or not.
>
> ACLs are the tool that you use to control your
> traffic.

Again, wrong.  ACLS are involved, but what you are talking about are
called ROUTING DECISIONS, and ACLS != Routing Decisions.


> While an ACL being used as a security device
> should have a deny statement at the end, proper
> construction of the ACL is more about following
> the proper construction rules.
>
> This is actually a huge subject, far too big
> for an individual e-mail to a list.

Finally, a correct statement.  But, while it was correct, it was also
incomplete:

"This is actually a huge subject, far too big for an individual e-mail to
a list, and doubly so when I have yet to learn enough about it to expound
upon the topic rationally."

> But there are some basic rules to keep in mind:
>
> ACL's analyze traffic from top to bottom, so
> keep your most specific entries at the top,

This is true for *most* ACL implementations, but NOT for all.  Again, you
are trying to paint the entire world with your only available [Cisco]
brush, and it is making you look like a self-important fool.


> This subject REALLY calls for a book, not
> an e-mail response.

I can probably find a few good ones to recommend - if you will promise to
read them prior to spewing more of this. ;-)

> I've said very little in this post

And still managed to screw up most of what you said.

> and look at all the room it took up.

That's expected: hot gas expands.

-- 
Yours,

J.A. Terranson
sysadmin () mfn org
0xBD4A95BF


I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.

don zweig, M.D.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/