Home page logo

nanog logo nanog mailing list archives

Re: Firewalls in service provider environments
From: Henry Yen <henry () AegisInfoSys com>
Date: Wed, 8 Feb 2012 16:23:35 -0500

On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
If you apply the ACL you showed as an inbound ACL on your provider facing
interfaces, you will be breaking any connections that exit your network
with source ports from your list of bad ports.  For example, you connect
out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
dropped by your ACL.

Good point. Adding in an established entry, although may open you up for
TCP/SYN sort of packets is a better trade off than affecting customer

I've always thought that reflexive access lists were quite elegant,
and a much better method than established, albeit for edge networks.

Do they not work in the SP space?

Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]