mailing list archives
Re: Firewalls in service provider environments
From: Henry Yen <henry () AegisInfoSys com>
Date: Wed, 8 Feb 2012 16:23:35 -0500
On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
If you apply the ACL you showed as an inbound ACL on your provider facing
interfaces, you will be breaking any connections that exit your network
with source ports from your list of bad ports. For example, you connect
out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
dropped by your ACL.
Good point. Adding in an established entry, although may open you up for
TCP/SYN sort of packets is a better trade off than affecting customer
I've always thought that reflexive access lists were quite elegant,
and a much better method than established, albeit for edge networks.
Do they not work in the SP space?
Henry Yen Aegis Information Systems, Inc.
Senior Systems Programmer Hicksville, New York
Re: Firewalls in service provider environments Christopher Morrow (Feb 07)
Re: Firewalls in service provider environments Justin M. Streiner (Feb 07)
Re: Firewalls in service provider environments William Herrin (Feb 07)
Re: Firewalls in service provider environments Jimmy Hess (Feb 08)