On a Cisco router "out" means packets being sent on that interface are
subject to the filter. "in" means packets received on
the interface are subject to the filter.
The filter only applies in the direction it is configured for (out or in).
It is possible to filter in both directions by applying filters
to both interfaces. For example, an "in" filter on the Internet serial port
connection and an "in" filter on the ethernet port. You can use the same
filter on both interfaces. I prefer to use two separate filters because it
gives me a little better granularity.
Cisco recommends the use of "out" filters because they process faster, but
this allows certain attack packets to reach the router unfiltered (i.e., LAN
attack). I understand that the latest version of IOS has some additional
controls in this area, but I haven't had the opportunity to check them out
yet.
> -----Original Message-----
> From: Bill Fox [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, October 03, 1999 12:38 AM
> To: Firewalls mailing list
> Subject: Router ACL's
>
> I've run into some packet filtering problems that are making me "rethink"
> router ACL's. I'm hoping that someone can clarify a few areas that I
> formerly *thought* I understood... :)
>
> Does an ACL on a given port process packets in *both* directions, or only
> those incoming to that particular port? If both directions, then what do
> the "in/out" assignments to a given port really mean? "In" the port, and
> "out" to the router CPU, or "in" the port, and "out" of another port, or
> something entirely different?
>
> What exactly does the "in" and "out" relate to when assigning an ACL to a
> given port? For instance, if my port E0 is on the internet side, and my
> port E1 is my firewall interface, and I assign ACL-100 "in" on E0, should I
> also assign ACL-100 to "in" on the E1 port as well?? Or should I assign
> ACL-100 "in" on port E0, and "out" on port E1, or something else...?
>
> The reason I'm asking these 'goofy' questions is that I'm finding certain
> (inbound) IP's that are somehow penetrating my router's ACL's, and I'm not
> exactly sure how. I see denial counts on the ACL logs in the router, yet the
> firewall logs verify that some of these (supposedly blocked) IP's are making
> it to the firewall itself before being dropped. How?
>
> Any comments appreciated!
>
> --Bill
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]