[149533] in North American Network Operators' Group
Re: Firewalls in service provider environments
daemon@ATHENA.MIT.EDU (Matthew Reath)
Tue Feb 7 17:36:34 2012
In-Reply-To: <CAP-guGVcXmY0hGYqrgFvEStxCqBxN=A3c84U7OTuBcpZ_GxzUQ@mail.gmail.com>
Date: Tue, 7 Feb 2012 16:35:44 -0600
From: "Matthew Reath" <matt@mattreath.com>
To: "William Herrin" <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> On Tue, Feb 7, 2012 at 4:52 PM, Matthew Reath <matt@mattreath.com> wrote:
>> Here is the template we typically use (or a variant of it):
>>
>> <-- snippet -->
>> access-list 102 deny ip 10.0.0.0 0.255.255.255 any
>> access-list 102 deny ip 172.16.0.0 0.15.255.255 any
>> access-list 102 deny ip 192.168.0.0 0.0.255.255 any
>> access-list 102 deny ip 0.0.0.0 0.255.255.255 any
>> access-list 102 deny ip 127.0.0.0 0.255.255.255 any
>> access-list 102 deny ip 224.0.0.0 15.255.255.255 any
>> access-list 102 deny ip host 255.255.255.255 any
>> access-list 102 deny tcp any any eq 135
>> access-list 102 deny udp any any eq 135
>> access-list 102 deny udp any any eq netbios-ns
>> access-list 102 deny tcp any any eq 139
>> access-list 102 deny udp any any eq netbios-ss
>> access-list 102 deny tcp any any eq 445
>> access-list 102 deny tcp any any eq 593
>> access-list 102 deny tcp any any eq 4444
>> access-list 102 deny tcp any any eq 9996
>> access-list 102 deny tcp any any eq 5554
>> access-list 102 deny tcp any any eq 8888
>> access-list 102 deny tcp any any eq 7778
>> access-list 102 deny tcp any any eq 8594
>> access-list 102 deny tcp any any eq 8563
>> access-list 102 deny tcp any any eq 1434
>> <-- end snippet -->
>
> One of my customers has a list like that. They can't understand why
> one in every hundred or so TCP connections on port 443 fails.
>
> Hint: you forgot "access-list 102 permit tcp any any established"
> after "access-list 102 deny ip host 255.255.255.255 any". The
> destination port in one direction is the source port in the other and
> many of those are dynamic source ports picked by Windows. Unless you
> restrict that filter to just packets attempting to initiate a new
> connection, you're shooting yourself in the foot.
>
> Regards,
> Bill Herrin
>
>
>
>
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>
Yeah agreed. The only place this gets applied is inbound on the interface
facing an upstream provider. ACLs ingress from end customers are much
different. In theory this could cause issues with externally initiated
traffic that use lets say 8888 as its random source port.
-Matt
