[149530] in North American Network Operators' Group
Re: Firewalls in service provider environments
daemon@ATHENA.MIT.EDU (William Herrin)
Tue Feb 7 17:11:51 2012
In-Reply-To: <27254847074d9b716c9e9dfc1b892661.squirrel@mail.mattreath.com>
From: William Herrin <bill@herrin.us>
Date: Tue, 7 Feb 2012 17:10:35 -0500
To: Matthew Reath <matt@mattreath.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Feb 7, 2012 at 4:52 PM, Matthew Reath <matt@mattreath.com> wrote:
> Here is the template we typically use (or a variant of it):
>
> <-- snippet -->
> access-list 102 deny ip 10.0.0.0 0.255.255.255 any
> access-list 102 deny ip 172.16.0.0 0.15.255.255 any
> access-list 102 deny ip 192.168.0.0 0.0.255.255 any
> access-list 102 deny ip 0.0.0.0 0.255.255.255 any
> access-list 102 deny ip 127.0.0.0 0.255.255.255 any
> access-list 102 deny ip 224.0.0.0 15.255.255.255 any
> access-list 102 deny ip host 255.255.255.255 any
> access-list 102 deny tcp any any eq 135
> access-list 102 deny udp any any eq 135
> access-list 102 deny udp any any eq netbios-ns
> access-list 102 deny tcp any any eq 139
> access-list 102 deny udp any any eq netbios-ss
> access-list 102 deny tcp any any eq 445
> access-list 102 deny tcp any any eq 593
> access-list 102 deny tcp any any eq 4444
> access-list 102 deny tcp any any eq 9996
> access-list 102 deny tcp any any eq 5554
> access-list 102 deny tcp any any eq 8888
> access-list 102 deny tcp any any eq 7778
> access-list 102 deny tcp any any eq 8594
> access-list 102 deny tcp any any eq 8563
> access-list 102 deny tcp any any eq 1434
> <-- end snippet -->
One of my customers has a list like that. They can't understand why
one in every hundred or so TCP connections on port 443 fails.
Hint: you forgot "access-list 102 permit tcp any any established"
after "access-list 102 deny ip host 255.255.255.255 any". The
destination port in one direction is the source port in the other and
many of those are dynamic source ports picked by Windows. Unless you
restrict that filter to just packets attempting to initiate a new
connection, you're shooting yourself in the foot.
Regards,
Bill Herrin
-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
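The failure mode Bill describes, as an added worked example that is not part of the original post or of either poster's configuration: a minimal Python model of a stateless Cisco-style extended ACL applied inbound at the edge. It keeps only the port-based deny lines of the quoted template (the source-address bogon lines are left out), assumes the list ends in "permit ip any any", and uses the commonly documented Windows ephemeral source-port ranges (1025-5000 on XP/2003, 49152-65535 on Vista and later) as an assumption for illustration. The Cisco keyword mappings netbios-ns = 137 and netbios-ss = 139 are also assumed.

```python
# Added example (not from the NANOG post): a stateless ACL simulator showing
# why a list of "deny tcp any any eq <port>" lines with no preceding
# "permit tcp any any established" breaks outbound connections whose client
# ephemeral source port happens to be one of the blocked ports. The server's
# SYN/ACK comes back with that port as its *destination* and hits the deny.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Cisco port keywords used in the quoted ACL (assumed standard mappings).
NETBIOS_NS = 137
NETBIOS_SS = 139


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False     # TCP ACK bit: set on every segment except the first SYN
    rst: bool = False     # TCP RST bit


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    dst_port: Optional[int] = None  # "eq <port>" on the destination; None = any
    established: bool = False       # Cisco "established": TCP with ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a Cisco ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The port-based deny lines from the quoted template (bogon lines omitted).
PORT_DENIES: List[Rule] = (
    [Rule("deny", "tcp", p) for p in (135, 139, 445, 593, 4444, 9996, 5554,
                                      8888, 7778, 8594, 8563, 1434)]
    + [Rule("deny", "udp", p) for p in (135, NETBIOS_NS, NETBIOS_SS)]
)

# As posted: port denies, then (assumed) permit everything else.
ACL_ORIGINAL: List[Rule] = PORT_DENIES + [Rule("permit", "ip")]

# With the fix: return traffic for connections our side opened is admitted
# before any destination-port check is made. Only the first SYN of a new
# inbound connection still reaches the deny lines.
ACL_FIXED: List[Rule] = (
    [Rule("permit", "tcp", established=True)] + PORT_DENIES + [Rule("permit", "ip")]
)


def reply_admitted(acl: List[Rule], client_port: int, server_port: int = 443) -> bool:
    """A host behind the ACL connected out from client_port to server_port.
    Is the server's SYN/ACK (ACK set, destination = client_port) let back in?"""
    syn_ack = Packet("tcp", src_port=server_port, dst_port=client_port, ack=True)
    return evaluate(acl, syn_ack) == "permit"


def new_inbound_allowed(acl: List[Rule], dst_port: int) -> bool:
    """Is a fresh inbound SYN (ACK clear) to dst_port let in?"""
    syn = Packet("tcp", src_port=51000, dst_port=dst_port)
    return evaluate(acl, syn) == "permit"


def failing_ephemeral_ports(acl: List[Rule], ephemeral: Iterable[int]) -> Set[int]:
    """Client source ports from which an outbound connection can never complete."""
    return {p for p in ephemeral if not reply_admitted(acl, p)}


# Assumed Windows ephemeral ranges: 1025-5000 (XP/2003), 49152-65535 (Vista+).
XP_EPHEMERAL = range(1025, 5001)
VISTA_EPHEMERAL = range(49152, 65536)

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        bad = failing_ephemeral_ports(acl, XP_EPHEMERAL)
        print(f"{name}: {len(bad)} of {len(XP_EPHEMERAL)} XP ephemeral ports "
              f"break outbound HTTPS: {sorted(bad)}")
    # The fix does not open the blocked services to new inbound connections.
    print("fixed ACL still blocks inbound SYN to 445:",
          not new_inbound_allowed(ACL_FIXED, 445))
```

Two caveats a practitioner should keep in mind. First, "established" is a flag check (ACK or RST set), not connection tracking: it admits any segment that claims to belong to an existing connection, so it is a fix for self-inflicted breakage, not a substitute for a stateful firewall. Second, the observed failure rate depends entirely on which blocked ports fall inside the client operating system's ephemeral range and on which ports are actually being blocked; the simulator only shows that the rate is non-zero for the posted list and zero once the established line is in place.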