ooops. extablished is of course a typo and should be established. Basically that means the ACK bit is set.
--
Be decisive. Make a decision, right or wrong. The road of life is paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: Keith Medcalf <[email protected]>
>Sent: Wednesday, 16 September, 2020 04:39
>To: '[email protected]' <[email protected]>
>Subject: RE: [c-nsp] cisco ACL filter outbound only
>
>
>Actually standard packet filtering is supported by all Cisco products,
>and most others as well. Packet filters do not do state tracking. The
>packet filters you want will only work for TCP. You need to block
>everything else.
>
>outbound on the interface to "the rest of the universe":
>permit tcp <source> any
>deny ip <source> any
>... whatever other shit you want to permit to go out ...
>
>inbound on the interface from "the rest of the universe":
>permit tcp any <source> extablished
>deny ip any <source>
>... whatever other shit you want to permit to go in ...
>
>Cisco (and others) have worked this way for about 40 years.
>
>--
>Be decisive. Make a decision, right or wrong. The road of life is paved
>with flat squirrels who could not make a decision.
>
>>-----Original Message-----
>>From: cisco-nsp <[email protected]> On Behalf Of Emille
>>Blanc
>>Sent: Tuesday, 15 September, 2020 10:20
>>To: Mike <[email protected]>; [email protected]
>>Subject: Re: [c-nsp] cisco ACL filter outbound only
>>
>>> Again, the cli seems to indicate support for all the things
>>> necessary, which includes the idea of 'established', which is why I ask
>>> if THIS platform does in fact do what the cli suggests:
>>
>>No, the ASR920 (Unless it's hiding in a recent IOS release), does not do
>>any kind of state tracking. You'll be better served looking at the ISR
>>or Firewall families for that.
>>
>>What you're seeing in the CLI is pretty commonplace these days - to be
>>fair, not just with Cisco - where an un-supported feature is 'left in'
>>the command line.
>>
>>If in doubt, try it. Worst case it won't work, and then you can bounce
>>the config off TAC to get one of their "unsupported configuration" canned
>>responses. :]
>>________________________________________
>>From: cisco-nsp <[email protected]> on behalf of Mike
>><[email protected]>
>>Sent: Tuesday, September 15, 2020 8:52 AM
>>To: [email protected]
>>Subject: Re: [c-nsp] cisco ACL filter outbound only
>>
>>On 9/15/20 8:08 AM, Brian Turnbow wrote:
>>>> It just seems to me that it is indeed possible using the above to put
>>>> it together. Is this all just non-working on this platform?
>>>>
>>> The difference is in connection state.
>>> An ACL does not track it so you can do
>>> Permit tcp any any established
>>> Inbound or outbound on a port, but that will only check that the ip
>>> packet has ack or rst set for the tcp session.
>>> I can still send you an inbound tcp packet with ack or rst set even
>>> if it did not originate from "inside" and pass your filter.
>>> It will also not help in any way for udp etc
>>> The ACL does not know that a first packet was sent out so it should
>>> await a response
>>> This is why you need a firewall be it on the router or external.
>>>
>>Hi,
>>
>> Again, the cli seems to indicate support for all the things
>>necessary, which includes the idea of 'established', which is why I ask
>>if THIS platform does in fact do what the cli suggests:
>>
>>rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
>>  ack          Match on the ACK bit
>>  dscp         Match packets with given dscp value
>>  eq           Match only packets on a given port number
>>  established  Match established connections
>>  fin          Match on the FIN bit
>>  fragments    Check non-initial fragments
>>  gt           Match only packets with a greater port number
>>  log          Log matches against this entry
>>  log-input    Log matches against this entry, including input interface
>>  lt           Match only packets with a lower port number
>>  match-all    Match if all specified flags are present
>>  match-any    Match if any specified flag is present
>>  neq          Match only packets not on a given port number
>>  option       Match packets with given IP Options value
>>  precedence   Match packets with given precedence value
>>  psh          Match on the PSH bit
>>  range        Match only packets in the range of port numbers
>>  rst          Match on the RST bit
>>  syn          Match on the SYN bit
>>  time-range   Specify a time-range
>>  tos          Match packets with given TOS value
>>  ttl          Match packets with given TTL value
>>  urg          Match on the URG bit
>>  <cr>
>>
>>_______________________________________________
>>cisco-nsp mailing list
>>[email protected]
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
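To make the point of this thread concrete, here is an added Python model (not code from the thread, from Cisco, or from any poster) of the stateless `permit tcp any <source> established` / `deny ip any <source>` pair beside a minimal connection tracker. The inside prefix, addresses, ports and packets are constructed for the illustration.

```python
"""Why a Cisco 'established' ACL entry is not stateful (added example, not
from the thread; packets and addresses are constructed). As the thread says,
'established' matches only TCP segments with ACK or RST set and keeps no state."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flag names

def is_inside(ip: str) -> bool:
    return ip.startswith("192.0.2.")   # constructed "inside" prefix (<source>)

def acl_inbound_allows(pkt: Packet) -> bool:
    """'permit tcp any <source> established' followed by 'deny ip any <source>'."""
    return pkt.proto == "tcp" and is_inside(pkt.dst) and bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Minimal connection tracker: inbound is allowed only as the reverse of a
    flow first seen leaving the inside network (works for UDP as well as TCP)."""
    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, pkt: Packet) -> bool:
        if not is_inside(pkt.src):
            return False
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def demo() -> dict:
    """Return {case: (acl_verdict, stateful_verdict)} for four inbound packets."""
    fw = StatefulFilter()
    fw.outbound(Packet("tcp", "192.0.2.10", 40000, "203.0.113.5", 443, frozenset({"SYN"})))
    fw.outbound(Packet("udp", "192.0.2.10", 50000, "203.0.113.53", 53))
    cases = {
        "reply to our SYN": Packet("tcp", "203.0.113.5", 443, "192.0.2.10", 40000, frozenset({"SYN", "ACK"})),
        "unsolicited ACK":  Packet("tcp", "198.51.100.7", 12345, "192.0.2.10", 22, frozenset({"ACK"})),
        "unsolicited SYN":  Packet("tcp", "198.51.100.7", 12345, "192.0.2.10", 22, frozenset({"SYN"})),
        "DNS reply (UDP)":  Packet("udp", "203.0.113.53", 53, "192.0.2.10", 50000),
    }
    return {name: (acl_inbound_allows(p), fw.inbound(p)) for name, p in cases.items()}
```

The second case is the one Brian describes: the ACL passes any inbound segment with ACK set, whereas the tracker drops it because no matching outbound flow exists; the last case shows why the stateless scheme must deny all UDP, legitimate replies included.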
