On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
> > If you apply the ACL you showed as an inbound ACL on your provider facing
> > interfaces, you will be breaking any connections that exit your network
> > with source ports from your list of bad ports. For example, you connect
> > out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
> > into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
> > dropped by your ACL.
>
> Good point. Adding in an established entry, although it may open you up to
> TCP/SYN sort of packets, is a better trade-off than affecting customer
> traffic.

I've always thought that reflexive access lists were quite elegant, and a
much better method than established, albeit for edge networks. Do they not
work in the SP space?

-- 
Henry Yen
Aegis Information Systems, Inc.
Senior Systems Programmer
Hicksville, New York
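The three filter designs the thread compares (a plain deny list, the same list behind an `established` entry, and a reflexive ACL) can be modelled as a small simulation. The code below is an added example written for this page, not from any of the posters nor from Cisco; the port list, addresses and timeout are constructed placeholders, and the ACL semantics are a simplification of IOS behaviour (first match wins, `established` matches any TCP segment with ACK or RST set, a reflexive entry is the mirror of an outbound flow and expires after its timeout).

```python
"""Toy model of the three inbound-filter designs discussed in the thread.

Constructed example: BAD_PORTS, the addresses and the timeout are
placeholders, and the evaluation is a simplification of Cisco IOS ACL
semantics (first match wins; ``established`` matches any TCP segment with
ACK or RST set; a reflexive entry mirrors an outbound flow and expires).
"""
from __future__ import annotations

from dataclasses import dataclass, field

BAD_PORTS = {8888, 31337}   # placeholder "bad port" list, not from the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


def deny_bad_ports(pkt: Packet) -> str:
    """The plain inbound ACL: 'deny tcp any any eq <port>' for each bad port.

    It matches on the destination port, so a reply to an outbound connection
    whose *source* port happened to be a bad port is dropped too.
    """
    return "deny" if pkt.dst_port in BAD_PORTS else "permit"


def established_acl(pkt: Packet) -> str:
    """Same ACL with 'permit tcp any any established' placed first.

    Any segment with ACK or RST set is accepted before the denies are
    consulted, whether or not an inside host ever started that session.
    """
    if pkt.flags & {"ACK", "RST"}:
        return "permit"
    return deny_bad_ports(pkt)


class ReflexiveAcl:
    """Outbound ACL with 'reflect', inbound ACL with 'evaluate' then the denies."""

    def __init__(self, timeout: int = 300) -> None:
        self.timeout = timeout
        self.mirror: dict[tuple, int] = {}   # mirrored 4-tuple -> expiry time

    def outbound(self, pkt: Packet, now: int) -> None:
        # 'reflect': record the mirror image of the flow we are initiating
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.mirror[key] = now + self.timeout

    def inbound(self, pkt: Packet, now: int) -> str:
        # 'evaluate': permit only packets matching a live mirrored entry
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        expiry = self.mirror.get(key)
        if expiry is not None and now < expiry:
            return "permit"
        return deny_bad_ports(pkt)


def run_scenarios() -> dict[str, dict[str, str]]:
    """Evaluate constructed packets against each design and return the verdicts."""
    # the thread's x.x.x.x:8888 -> y.y.y.y:80 example, plus two inbound
    # packets that no inside host asked for (constructed)
    outbound = Packet("x.x.x.x", 8888, "y.y.y.y", 80, frozenset({"SYN"}))
    reply = Packet("y.y.y.y", 80, "x.x.x.x", 8888, frozenset({"SYN", "ACK"}))
    stray_ack = Packet("a.a.a.a", 80, "x.x.x.x", 8888, frozenset({"ACK"}))
    new_syn = Packet("a.a.a.a", 40000, "x.x.x.x", 8888, frozenset({"SYN"}))
    inbound = {"reply": reply, "stray_ack": stray_ack, "new_syn": new_syn}

    reflexive = ReflexiveAcl(timeout=300)
    reflexive.outbound(outbound, now=0)

    return {
        "plain": {n: deny_bad_ports(p) for n, p in inbound.items()},
        "established": {n: established_acl(p) for n, p in inbound.items()},
        "reflexive": {n: reflexive.inbound(p, now=1) for n, p in inbound.items()},
        "reflexive_after_timeout": {"reply": reflexive.inbound(reply, now=600)},
    }


if __name__ == "__main__":
    for acl, verdicts in run_scenarios().items():
        print(f"{acl:24s} {verdicts}")
```

Running it shows the trade-off in one table: the plain list drops the legitimate reply, the `established` variant admits the reply but also an unsolicited ACK segment aimed at a bad port, and the reflexive variant admits only the reply to the flow it saw leave (and stops admitting it once the entry has timed out, which is why the timeout has to cover the longest idle period of the sessions it protects).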