nanog mailing list archives
Re: Firewalls in service provider environments
From: Henry Yen <henry () AegisInfoSys com>
Date: Wed, 8 Feb 2012 16:23:35 -0500
On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
If you apply the ACL you showed as an inbound ACL on your provider facing interfaces, you will be breaking any connections that exit your network with source ports from your list of bad ports. For example, you connect out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be dropped by your ACL.
Good point. Adding in an established entry, although may open you up for TCP/SYN sort of packets is a better trade off than affecting customer traffic.
I've always thought that reflexive access lists were quite elegant, and a much better method than established, albeit for edge networks. Do they not work in the SP space? -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
Current thread:
- Firewalls in service provider environments Matthew Reath (Feb 07)
- RE: Firewalls in service provider environments Leigh Porter (Feb 07)
- RE: Firewalls in service provider environments Matthew Reath (Feb 07)
- Re: Firewalls in service provider environments William Herrin (Feb 07)
- Re: Firewalls in service provider environments Matthew Reath (Feb 07)
- Re: Firewalls in service provider environments Matt Buford (Feb 07)
- Re: Firewalls in service provider environments Matthew Reath (Feb 08)
- Re: Firewalls in service provider environments Christopher Morrow (Feb 08)
- Re: Firewalls in service provider environments Matthew Reath (Feb 08)
- Re: Firewalls in service provider environments Henry Yen (Feb 08)
- Re: Firewalls in service provider environments David Walker (Feb 09)
- RE: Firewalls in service provider environments Matthew Reath (Feb 07)
- RE: Firewalls in service provider environments Leigh Porter (Feb 07)
- RE: Firewalls in service provider environments George Bonser (Feb 07)
- Re: Firewalls in service provider environments Jared Mauch (Feb 07)
- Re: Firewalls in service provider environments Suresh Ramasubramanian (Feb 07)
- Re: Firewalls in service provider environments Steve Bertrand (Feb 07)
- Re: Firewalls in service provider environments Suresh Ramasubramanian (Feb 07)