[149587] in North American Network Operators' Group
Re: Firewalls in service provider environments
daemon@ATHENA.MIT.EDU (Henry Yen)
Wed Feb 8 16:24:27 2012
Date: Wed, 8 Feb 2012 16:23:35 -0500
From: Henry Yen <henry@AegisInfoSys.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Mail-Followup-To: Henry Yen <henry@AegisInfoSys.com>,
"nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <62055779754543ae83e3c0fe4cdad677.squirrel@mail.mattreath.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
> > If you apply the ACL you showed as an inbound ACL on your provider facing
> > interfaces, you will be breaking any connections that exit your network
> > with source ports from your list of bad ports. For example, you connect
> > out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
> > into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
> > dropped by your ACL.
> Good point. Adding in an established entry, although it may open you up to
> TCP/SYN sort of packets, is a better trade-off than affecting customer
> traffic.
I've always thought that reflexive access lists were quite elegant,
and a much better method than established, albeit for edge networks.
Do they not work in the SP space?
--
Henry Yen Aegis Information Systems, Inc.
Senior Systems Programmer Hicksville, New York
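The three filter styles the thread compares, as an added toy model that is not part of the original message or any vendor implementation: a plain inbound deny list keyed on destination port (which drops the return half of a connection that left from a listed port), the same list with a `permit ... established` entry in front of it (which lets that return traffic through, at the cost of also passing any crafted packet with ACK or RST set), and a reflexive ACL that only permits inbound packets mirroring an outbound flow it has already seen. The bad-port list, the addresses, the session timeout and the simplified "established means ACK or RST set" rule are assumptions made for the example.

```python
"""Constructed model of inbound filtering on a provider-facing interface.

Not router configuration: it only reproduces the matching logic discussed in
the thread so the three behaviours can be compared on the same packets.
"""
from dataclasses import dataclass

# Assumed deny list. 8888 is included so the thread's example (an outbound
# connection from x.x.x.x:8888 to y.y.y.y:80) is affected.
BAD_PORTS = {135, 137, 138, 139, 445, 8888}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def is_established(pkt):
    """IOS 'established' matches TCP packets with the ACK or RST bit set.

    It does not track state, so a spoofed packet with ACK set also matches."""
    return bool(pkt.flags & {"ACK", "RST"})


def acl_ports_only(pkt):
    """Inbound ACL: deny traffic to any listed destination port, permit the rest."""
    return "deny" if pkt.dport in BAD_PORTS else "permit"


def acl_with_established(pkt):
    """Same ACL with 'permit tcp any any established' as the first entry."""
    if is_established(pkt):
        return "permit"
    return acl_ports_only(pkt)


class ReflexiveFilter:
    """Reflexive ACL: each outbound flow creates a temporary mirror entry that
    permits the matching inbound packets; anything else falls through to the
    static port-based ACL. Timeout (seconds) is an assumed value."""

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.sessions = {}  # (src, sport, dst, dport) of the *inbound* mirror -> expiry time

    def outbound(self, pkt, now):
        # Mirror of the outbound 5-tuple: swap addresses and ports.
        mirror = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[mirror] = now + self.timeout
        return "permit"

    def inbound(self, pkt, now):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.sessions.get(key)
        if expiry is not None:
            if now <= expiry:
                self.sessions[key] = now + self.timeout  # refresh on traffic
                return "permit"
            del self.sessions[key]  # expired entry is removed
        return acl_ports_only(pkt)


# Constructed packets using documentation/private ranges.
OUTBOUND = Packet("10.0.0.5", 8888, "198.51.100.7", 80, frozenset({"SYN"}))
RETURN = Packet("198.51.100.7", 80, "10.0.0.5", 8888, frozenset({"SYN", "ACK"}))
CRAFTED_ACK = Packet("203.0.113.9", 80, "10.0.0.5", 8888, frozenset({"ACK"}))
BARE_SYN = Packet("203.0.113.9", 4444, "10.0.0.5", 8888, frozenset({"SYN"}))


def compare():
    """Evaluate the same inbound packets against all three filters."""
    rf = ReflexiveFilter(timeout=300)
    rf.outbound(OUTBOUND, now=0)
    return {
        "ports_only": {"return": acl_ports_only(RETURN),
                       "crafted_ack": acl_ports_only(CRAFTED_ACK),
                       "bare_syn": acl_ports_only(BARE_SYN)},
        "established": {"return": acl_with_established(RETURN),
                        "crafted_ack": acl_with_established(CRAFTED_ACK),
                        "bare_syn": acl_with_established(BARE_SYN)},
        "reflexive": {"return": rf.inbound(RETURN, now=1),
                      "crafted_ack": rf.inbound(CRAFTED_ACK, now=1),
                      "bare_syn": rf.inbound(BARE_SYN, now=1),
                      "return_after_timeout": rf.inbound(RETURN, now=1000)},
    }


if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

Running `compare()` shows the trade-off in the thread directly: the port-only ACL drops the legitimate return packet, the `established` variant passes it but also passes a crafted ACK to the same port, and the reflexive filter passes only the return packet that matches a flow it recorded, and stops doing so once the entry times out. The reflexive model is stateful per flow, which is the usual reason it is viewed as an edge-network tool rather than something to run on provider-facing interfaces carrying large numbers of flows.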