nanog mailing list archives

Re: Firewalls in service provider environments


From: William Herrin <bill () herrin us>
Date: Tue, 7 Feb 2012 17:10:35 -0500

On Tue, Feb 7, 2012 at 4:52 PM, Matthew Reath <matt () mattreath com> wrote:
> Here is the template we typically use (or a variant of it):
>
> <-- snippet -->
> access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
> access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
> access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
> access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
> access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
> access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
> access-list 102 deny   ip host 255.255.255.255 any
> access-list 102 deny   tcp any any eq 135
> access-list 102 deny   udp any any eq 135
> access-list 102 deny   udp any any eq netbios-ns
> access-list 102 deny   tcp any any eq 139
> access-list 102 deny   udp any any eq netbios-ss
> access-list 102 deny   tcp any any eq 445
> access-list 102 deny   tcp any any eq 593
> access-list 102 deny   tcp any any eq 4444
> access-list 102 deny   tcp any any eq 9996
> access-list 102 deny   tcp any any eq 5554
> access-list 102 deny   tcp any any eq 8888
> access-list 102 deny   tcp any any eq 7778
> access-list 102 deny   tcp any any eq 8594
> access-list 102 deny   tcp any any eq 8563
> access-list 102 deny   tcp any any eq 1434
> <-- end snippet -->

One of my customers has a list like that. They can't understand why
one in every hundred or so TCP connections on port 443 fails.

Hint: you forgot "access-list 102 permit tcp any any established"
after "access-list 102 deny   ip host 255.255.255.255 any". The
destination port in one direction is the source port in the other and
many of those are dynamic source ports picked by Windows. Unless you
restrict that filter to just packets attempting to initiate a new
connection, you're shooting yourself in the foot.

Regards,
Bill Herrin
-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
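The mechanism Bill describes, worked through in code. This is an added example, not part of the thread: a toy evaluator for Cisco-style numbered ACL lines, fed a subset of the quoted deny list. It assumes the ACL is applied inbound on the Internet-facing interface (so it sees the server's replies), assumes the elided tail of the list ends in `permit ip any any`, uses RFC 5737 documentation addresses as constructed client and server, and uses 1025-5000 as a sample ephemeral source-port range. It shows that the server's SYN/ACK back to an ephemeral port such as 4444 is dropped by `deny tcp any any eq 4444`, that inserting `permit tcp any any established` after the `255.255.255.255` deny lets that reply through, and that the inserted line still blocks unsolicited inbound SYNs and bogon-sourced packets.

```python
"""Toy Cisco-style ACL evaluator (added example, not from the NANOG thread)."""
import ipaddress
from dataclasses import dataclass

# IOS port keywords that appear in the quoted snippet.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # ACK or RST bit set: what IOS "established" tests


def _addr_spec(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((net, wild), next_i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def parse_acl(text):
    """Parse 'access-list N deny|permit PROTO SRC DST [eq PORT] [established]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue                      # blank line or something we do not model
        action, proto = t[2], t[3]
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        dport, established = None, False
        while i < len(t):
            if t[i] == "eq":              # after DST, so this is the destination port
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] == "established":
                established = True
                i += 1
            else:
                raise ValueError(f"unsupported token {t[i]!r} in: {line}")
        rules.append((action, proto, src, dst, dport, established))
    return rules


def _in_wild(ip, spec):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(rules, pkt):
    """First matching rule wins; IOS ends every ACL with an implicit deny."""
    for action, proto, src, dst, dport, established in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_in_wild(pkt.src, src) and _in_wild(pkt.dst, dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if established and not pkt.ack:
            continue
        return action
    return "deny"


# Subset of the deny list quoted in the thread, plus an ASSUMED final permit
# standing in for the part of the list the snippet left out.
ORIGINAL_ACL = """
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   tcp any any eq 135
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   tcp any any eq 445
access-list 102 deny   tcp any any eq 4444
access-list 102 deny   tcp any any eq 1434
access-list 102 permit ip any any
"""


def with_established_fix(acl_text):
    """Insert the line Bill says is missing, right after the 255.255.255.255 deny."""
    anchor = "access-list 102 deny   ip host 255.255.255.255 any"
    fix = "access-list 102 permit tcp any any established"
    return acl_text.replace(anchor, anchor + "\n" + fix)


# Constructed addresses (RFC 5737 documentation ranges).
CLIENT, SERVER = "203.0.113.10", "198.51.100.5"


def reply_verdict(acl_text, client_sport):
    """Verdict for the server's SYN/ACK from port 443 back to the client's source port."""
    return evaluate(parse_acl(acl_text), Packet("tcp", SERVER, CLIENT, 443, client_sport, ack=True))


def blocked_return_ports(acl_text, low, high):
    """Ephemeral source ports in [low, high] whose return traffic the ACL drops."""
    return sorted(p for p in range(low, high + 1) if reply_verdict(acl_text, p) == "deny")


def unsolicited_syn_verdict(acl_text, dport):
    """Verdict for a SYN from the Internet to a denied port: must stay 'deny' after the fix."""
    return evaluate(parse_acl(acl_text), Packet("tcp", SERVER, CLIENT, 50000, dport, ack=False))


if __name__ == "__main__":
    fixed = with_established_fix(ORIGINAL_ACL)
    print("SYN/ACK to sport 4444, original:", reply_verdict(ORIGINAL_ACL, 4444))
    print("SYN/ACK to sport 4444, fixed:   ", reply_verdict(fixed, 4444))
    print("return ports 1025-5000 dropped, original:", blocked_return_ports(ORIGINAL_ACL, 1025, 5000))
    print("return ports 1025-5000 dropped, fixed:   ", blocked_return_ports(fixed, 1025, 5000))
    print("unsolicited SYN to 445, fixed:", unsolicited_syn_verdict(fixed, 445))
```

The placement matters: the `established` permit goes after the bogon-source denies and before the port denies, so spoofed RFC 1918 or broadcast sources are still dropped regardless of TCP flags, while the port denies now only see packets without ACK/RST, i.e. connection attempts. Replace the sample 1025-5000 range with whatever dynamic port range the client operating systems on your network actually use to see which of your denied ports will bite.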