In addition, you may want to check to see if your version of IOS is subject
to a specific bug. I know of two access list leakage notices that have
been published. Check this site for known security vulnerabilities.
http://www.cisco.com/warp/public/707/advisory.html
As mentioned in the other follow-ups, the problem could indeed be packet
fragments getting through. In version 12.0.3 of IOS, CSCdi84140 was
introduced to deal with packet fragments and access-lists, but has been
backed out due to problems documented by CSCdm44957. CSCdm44976 is the
Cisco Bug ID that should implement the correct solution, but has not yet
been resolved.
In/out assignments are as follows: In means any packet inbound to that
interface; out means any packet outbound from that interface. In a very
simplistic example, a packet going from host A to host B across Router C
will come in on one interface of router C, and leave on another interface
on router C. So for any given direction, we have two places to block
traffic from host A -> B on router C; at the inbound interface, or at the
outbound interface. This provides a lot of flexibility in ways to
implement lists.
I hope that helps,
Lisa Napier
Product Security Incident Response Team
Cisco Systems
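An added illustration, not part of Lisa's reply and not Cisco code: a simplified Python model of a two-interface router that runs an inbound list on E0 and an outbound list on E1, and shows why a deny keyed on a port can let non-initial fragments through while a host-only deny catches them. It assumes (as a modelling simplification, not a statement about any specific IOS release) that a non-initial fragment carries no port to test; the addresses are constructed TEST-NET values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # None when no transport header is visible
    frag_offset: int = 0          # > 0 marks a non-initial fragment

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # single host or "any" (wildcard masks omitted)
    dst: str
    dport: Optional[int] = None   # an "eq <port>" test, if the entry has one

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if (ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst)
            or ace.proto not in ("ip", pkt.proto)):
        return False
    if ace.dport is not None:
        # Model assumption: a non-initial fragment has no port to test, so it is skipped.
        if pkt.frag_offset > 0 or pkt.dport != ace.dport:
            return False
    return True

def evaluate_acl(acl: list, pkt: Packet) -> str:
    for ace in acl:               # first matching entry wins
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                 # implicit deny at the end of every ACL

def forward(pkt: Packet, e0_in: Optional[list], e1_out: Optional[list]) -> str:
    """Inbound list on E0 is checked first, then the outbound list on E1 (None = no list)."""
    if e0_in is not None and evaluate_acl(e0_in, pkt) == "deny":
        return "dropped at E0 in"
    if e1_out is not None and evaluate_acl(e1_out, pkt) == "deny":
        return "dropped at E1 out"
    return "forwarded to firewall"

BLOCKED, FIREWALL = "192.0.2.10", "198.51.100.1"   # constructed TEST-NET addresses
PORT_DENY = [Ace("deny", "tcp", BLOCKED, "any", 23), Ace("permit", "ip", "any", "any")]
HOST_DENY = [Ace("deny", "ip", BLOCKED, "any"), Ace("permit", "ip", "any", "any")]

def demo() -> dict:
    first = Packet(BLOCKED, FIREWALL, "tcp", dport=23)          # initial fragment
    later = Packet(BLOCKED, FIREWALL, "tcp", frag_offset=185)   # non-initial fragment
    return {"first frag, port deny in": forward(first, PORT_DENY, None),
            "later frag, port deny in": forward(later, PORT_DENY, None),
            "later frag, host deny in": forward(later, HOST_DENY, None),
            "later frag, host deny out": forward(later, None, HOST_DENY)}
```

The router counts a denial for the first fragment yet the later fragments reach the firewall under PORT_DENY, which is the pattern described in the question; placing the host-only deny ahead of port-based entries, on either the inbound or the outbound interface, catches every fragment.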
At 12:37 AM 10/3/1999 -0700, Bill Fox wrote:
>I've run into some packet filtering problems that are making me "rethink"
>router ACLs. I'm hoping that someone can clarify a few areas that I
>formerly *thought* I understood... :)
>
>Does an ACL on a given port process packets in *both* directions, or only
>those incoming to that particular port? If both directions, then what do
>the "in/out" assignments to a given port really mean? "In" the port, and
>"out" to the router CPU, or "in" the port, and "out" of another port, or
>something entirely different?
>
>What exactly does the "in" and "out" relate to when assigning an ACL to a
>given port? For instance, if my port E0 is on the internet side, and my
>port E1 is my firewall interface, and I assign ACL-100 "in" on E0, should I
>also assign ACL-100 to "in" on the E1 port as well?? Or should I assign
>ACL-100 "in" on port E0, and "out" on port E1, or something else...?
>
>The reason I'm asking these 'goofy' questions is that I'm finding certain
>(inbound) IPs that are somehow penetrating my router's ACLs, and I'm not
>exactly sure how. I see denial counts on the ACL logs in the router, yet the
>firewall logs verify that some of these (supposedly blocked) IPs are making
>it to the firewall itself before being dropped. How?
>
>Any comments appreciated!
>
>--Bill
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]