Bill,

Comments embedded:


>I've run into some packet filtering problems that are making me "rethink"
>router ACLs.  I'm hoping that someone can clarify a few areas that I
>formerly *thought* I understood... :)
>
>Does an ACL on a given port process packets in *both* directions, or only
>those incoming to that particular port?  If both directions, then what do
>the "in/out" assignments to a given port really mean?  "In" the port, and
>"out" to the router CPU, or "in" the port, and "out" of another port, or
>something entirely different?
>
>What exactly do the "in" and "out" relate to when assigning an ACL to a
>given port?


First, we should really use the term "interface" when talking about
physical ports on the router, since that's the term commonly used.  The
term "port" in security circles typically means a TCP or UDP port, so it
may be confusing to talk about "ports" on the router when we mean
"interface", so I'll use the term interface.

Now, to answer your question, an ACL applied to a particular router
interface only affects packets entering or exiting that interface
(depending on whether the ACL is applied IN or OUT).  It doesn't affect
any other interfaces.

The terms IN and OUT are from the router's perspective.  An ACL applied IN
looks at packets as they come INto the router from the corresponding
network.  The packets are INbound from the perspective of the router's
interface.  The term OUT refers to packets as they leave a router
interface.  The packets are OUTbound from the perspective of the router's
interface.


>For instance, if my port E0 is on the internet side, and my
>port E1 is my firewall interface, and I assign ACL-100 "in" on E0, should I
>also assign ACL-100 to "in" on the E1 port as well??

Not normally.  Your ACL looks at the packets from a particular
perspective, so it normally makes little sense to apply an ACL to two
different interfaces in the same direction.  For example, you would
typically block all packets IN from the Internet claiming to be from
your internal network, i.e. anti-spoofing.  Obviously, if you applied
the same ACL inbound on your inside interface (your E1), you would block
your own packets, which is not what you want.

The only thing that would possibly make sense in your case would be to
apply the same ACL OUT on interface E1, but if it's already applied IN
on E0, this buys you nothing.


>Or should I assign
>ACL-100 "in" on port E0, and "out" on port E1, or something else...?

You could do this, but it buys you nothing.  All packets that would be
blocked by the ACL outbound on E1 would be blocked inbound on E0.

>
>The reason I'm asking these 'goofy' questions is that I'm finding certain
>(inbound) IPs that are somehow penetrating my router's ACLs, and I'm not
>exactly sure how.

You can enable logging for selected ACL entries to see exactly what
packets are making it through your ACL and why.


>I see denial counts on the ACL logs in the router, yet the
>firewall logs verify that some of these (supposedly blocked) IPs are making
>it to the firewall itself before being dropped.  How?
>

Without more specific information, it's hard to give a complete answer.
It's possible that the IP packets are non-first fragments or that
someone is purposely using a hacking tool that crafts packets designed
to make it through non-stateful filtering routers (i.e. with the ACK or
RST bit set).  Most Cisco ACLs won't filter non-first IP fragments.  You can
enable filtering of all fragments in certain IOS versions, but it's an
all or nothing process unless you use the Firewall Feature Set, and even
then you'll need version 12.0.

Without knowing more about exactly what packets you're seeing hit your
firewall and what your ACL entries look like, there's no way to give a
more specific answer.

HTH,
Kent Hundley
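The points made in this reply (IN/OUT are judged at the interface the packet enters or leaves, the anti-spoofing ACL belongs IN on the outside interface and would block your own traffic IN on the inside one, applying it OUT on E1 as well adds nothing, and a classic ACL lets non-first fragments past an L4-qualified deny) can be checked with a small model. The following is an added example, not code from the thread or from Cisco: the interface names E0/E1 follow the question, while the addresses, the ACL numbers 100 and 101, the `log_lines` bookkeeping and the simplified IOS matching rules are assumptions made for the example.

```python
# Added example (not from the thread): a small model of Cisco-style ACL
# direction semantics. Interface names E0/E1 follow the thread; the addresses,
# ACL numbers and simplified IOS matching rules are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"
INSIDE = "192.168.1.0/24"     # constructed internal (firewall-side) network
OUTSIDE = "203.0.113.0/24"    # constructed Internet-facing link

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    frag_offset: int = 0      # > 0: non-initial fragment, carries no L4 header

@dataclass
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: str                  # CIDR; ANY stands for the IOS keyword "any"
    dst: str
    dport: Optional[int] = None   # L4 qualifier such as "eq 23"
    log: bool = False         # the IOS "log" keyword

@dataclass
class ACL:
    number: int
    entries: List[Entry]
    log_lines: List[str] = field(default_factory=list)

    def permits(self, pkt: Packet) -> bool:
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if (ip_address(pkt.src) not in ip_network(e.src)
                    or ip_address(pkt.dst) not in ip_network(e.dst)):
                continue
            if e.dport is not None:
                if pkt.frag_offset > 0:
                    # No L4 header to compare: a classic IOS ACL skips an
                    # L4-qualified deny for non-initial fragments.
                    if e.action == "deny":
                        continue
                elif pkt.dport != e.dport:
                    continue
            if e.log:   # what "access-list N ... log" would record
                self.log_lines.append(f"list {self.number} {e.action} "
                                      f"{pkt.proto} {pkt.src} -> {pkt.dst}")
            return e.action == "permit"
        return False          # implicit deny at the end of every ACL

@dataclass
class Interface:
    name: str
    network: str              # directly connected network
    acl_in: Optional[ACL] = None
    acl_out: Optional[ACL] = None

class Router:
    def __init__(self, interfaces: List[Interface]):
        self.ifaces = {i.name: i for i in interfaces}

    def forward(self, ingress: str, pkt: Packet) -> str:
        # IN is checked where the packet enters, OUT where it leaves.
        iface = self.ifaces[ingress]
        if iface.acl_in and not iface.acl_in.permits(pkt):
            return f"dropped by {iface.name} IN"
        out = next((i for i in self.ifaces.values()      # connected net,
                    if ip_address(pkt.dst) in ip_network(i.network)),
                   self.ifaces["E0"])                    # else default route
        if out.acl_out and not out.acl_out.permits(pkt):
            return f"dropped by {out.name} OUT"
        return "forwarded"

def build_router(in_e0=True, in_e1=False, out_e1=False) -> Router:
    # access-list 100 deny ip 192.168.1.0 0.0.0.255 any log
    # access-list 100 permit ip any any
    acl = ACL(100, [Entry("deny", "ip", INSIDE, ANY, log=True),
                    Entry("permit", "ip", ANY, ANY)])
    return Router([Interface("E0", OUTSIDE, acl_in=acl if in_e0 else None),
                   Interface("E1", INSIDE, acl_in=acl if in_e1 else None,
                             acl_out=acl if out_e1 else None)])

TRAFFIC = [  # constructed (ingress interface, packet) pairs
    ("E0", Packet("198.51.100.7", "192.168.1.10", "tcp", 80)),  # legit inbound
    ("E0", Packet("192.168.1.5", "192.168.1.10", "tcp", 80)),   # spoofed source
    ("E1", Packet("192.168.1.5", "198.51.100.7", "tcp", 80)),   # legit outbound
]

def run(router: Router) -> List[str]:
    return [router.forward(ingress, pkt) for ingress, pkt in TRAFFIC]

def fragment_demo():
    # access-list 101 deny tcp any host 192.168.1.10 eq 23 / permit ip any any
    acl = ACL(101, [Entry("deny", "tcp", ANY, "192.168.1.10/32", dport=23),
                    Entry("permit", "ip", ANY, ANY)])
    r = Router([Interface("E0", OUTSIDE, acl_in=acl), Interface("E1", INSIDE)])
    first = Packet("198.51.100.7", "192.168.1.10", "tcp", 23)
    later = Packet("198.51.100.7", "192.168.1.10", "tcp", frag_offset=8)
    return r.forward("E0", first), r.forward("E0", later)
```

`run(build_router())` returns `['forwarded', 'dropped by E0 IN', 'forwarded']`; with `in_e1=True` the third (legitimate outbound) packet is dropped by E1 IN, and with `out_e1=True` the results are identical to the E0-only case. `fragment_demo()` shows the first fragment of a telnet packet dropped while a later fragment of the same packet is forwarded, which is the kind of mismatch between router deny counts and firewall logs the reply describes.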

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
