On 3 Oct 99, at 0:37, Bill Fox wrote:
> I've run into some packet filtering problems that are making me
> "rethink" router ACLs. I'm hoping that someone can clarify a few
> areas that I formerly *thought* I understood... :)
>
> Does an ACL on a given port process packets in *both* directions,
> or only those incoming to that particular port? If both
> directions, then what do the "in/out" assignments to a given port
> really mean? "In" the port, and "out" to the router CPU, or "in"
> the port, and "out" of another port, or something entirely
> different?
[Cisco offers two different kinds of ACLs. The simple kind look
only at the destination address; the more complex kind can also look
at source address and (if TCP/UDP) port number.]
> What exactly does the "in" and "out" relate to when assigning an
> ACL to a given port? For instance, if my port E0 is on the
> internet side, and my port E1 is my firewall interface, and I
> assign ACL-100 "in" on E0, should I also assign ACL-100 to "in" on
> the E1 port as well?? Or should I assign ACL-100 "in" on port E0,
> and "out" on port E1, or something else...?
An ACL is assigned to an *interface* (this is probably what you
mean by "port"); while I think you *can* assign it to the outbound
direction, you generally shouldn't. You'll get best performance by
using ACLs to discard inbound packets *before* routing decisions
about them get made -- deciding how to route a packet you're going to
deny is a total waste of router bandwidth.
> The reason I'm asking these 'goofy' questions is that I'm finding
> certain (inbound) IPs that are somehow penetrating my router's
> ACLs, and I'm not exactly sure how. I see denial counts on the ACL
> logs in the router, yet the firewall logs verify that some of these
> (supposedly blocked) IPs are making it to the firewall itself
> before being dropped. How?
>
> Any comments appreciated!
I've seen a couple of places where it is suggested that getting
source and destination backwards (on the more complicated sort of
ACL) is a pretty common occurrence. Any chance that could have
happened?
David G
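As an added example (my own code, not from this thread or from Cisco), here is a small Python model of the two-interface router Bill describes: ACL 100 bound inbound on E0 (what `ip access-group 100 in` does on IOS), evaluated only for packets that arrive on E0, routing done only after the inbound ACL permits, and a per-entry hit counter. Running the scenario with `reversed_entry=True` writes one deny entry with source and destination swapped, which reproduces the symptom in the thread: the correctly written entry still racks up deny hits, while the host the swapped entry was meant to block is forwarded on to the firewall. Interface names, the documentation address ranges and the firewall address 192.0.2.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "0.0.0.0/0"  # stands in for the IOS keyword 'any'


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One extended-ACL entry: action, protocol, source, destination, port."""
    action: str                  # "permit" or "deny"
    proto: str
    src: str                     # CIDR; ANY for 'any'
    dst: str
    dport: Optional[int] = None
    hits: int = 0                # per-entry match counter

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


class ACL:
    def __init__(self, number: int, rules):
        self.number = number
        self.rules = list(rules)

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:         # first match wins, top to bottom
            if r.matches(p):
                r.hits += 1
                return r.action
        return "deny"                # implicit deny at the end of every ACL


class Router:
    """Inbound ACL on the ingress interface, then the routing lookup,
    then the outbound ACL on the egress interface."""

    def __init__(self, routes):
        # routes: {CIDR: egress interface}; longest prefix wins
        self.routes = sorted(routes.items(),
                             key=lambda kv: ipaddress.ip_network(kv[0]).prefixlen,
                             reverse=True)
        self.bound = {}              # (interface, "in"|"out") -> ACL

    def bind(self, iface: str, acl: ACL, direction: str) -> None:
        self.bound[(iface, direction)] = acl

    def route(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in ipaddress.ip_network(net):
                return iface
        raise LookupError("no route for " + dst)

    def forward(self, ingress: str, p: Packet) -> Tuple[str, str, Optional[str]]:
        acl = self.bound.get((ingress, "in"))
        if acl and acl.evaluate(p) == "deny":
            return ("dropped", ingress, "in")     # dropped before routing
        egress = self.route(p.dst)
        acl = self.bound.get((egress, "out"))
        if acl and acl.evaluate(p) == "deny":
            return ("dropped", egress, "out")
        return ("forwarded", egress, None)


def run_scenario(reversed_entry: bool) -> dict:
    """E0 faces the internet, E1 faces the firewall; ACL 100 is bound 'in' on E0."""
    rules = [
        Rule("deny", "ip", "203.0.113.0/24", ANY),             # written correctly
        Rule("deny", "ip", ANY, "198.51.100.0/24") if reversed_entry   # src/dst swapped
        else Rule("deny", "ip", "198.51.100.0/24", ANY),
        Rule("permit", "ip", ANY, ANY),
    ]
    r = Router({"192.0.2.0/24": "E1", ANY: "E0"})
    r.bind("E0", ACL(100, rules), "in")
    fw = "192.0.2.10"                                            # constructed firewall address
    return {
        "from_203": r.forward("E0", Packet("203.0.113.5", fw)),
        "from_198": r.forward("E0", Packet("198.51.100.7", fw)),
        "reply_on_E1": r.forward("E1", Packet(fw, "198.51.100.7")),  # ACL 100 not bound on E1
        "deny_hits": sum(x.hits for x in rules if x.action == "deny"),
    }


if __name__ == "__main__":
    print("correct:", run_scenario(False))
    print("swapped:", run_scenario(True))
```

On a real IOS box the two things to compare are `show access-lists`, which prints the per-line match counters the model keeps in `hits`, and `show ip interface`, which reports which list is applied inbound and outbound on each interface; a line that never increments while the firewall keeps logging that source is the usual sign of a swapped source/destination pair.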
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]