----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 12, 2001 2:08 PM
Subject: Firewalls digest, Vol 1 #258 - 4 msgs

> Send Firewalls mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnac.net/mailman/listinfo/firewalls
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewalls digest..."
>
> Today's Topics:
>
> 1. Re: about UDP (Ken Milder)
> 2. RE: AOL probe - "just" Code Red (william.wells)
> 3. Good Mail List for Cisco Router Config? (Harry Whitehouse)
> 4. RE: Reflexive access lists (Scheidel, Greg (Contractor))
>
> --__--__--
>
> Message: 1
> Date: Wed, 12 Sep 2001 13:34:03 -0600
> To: liuhy <[EMAIL PROTECTED]>
> From: Ken Milder <[EMAIL PROTECTED]>
> Subject: Re: about UDP
> Cc: [EMAIL PROTECTED]
>
> I do not know all the details, but have you thought about using TCP sliding
> windows to get your desired performance improvement? To my knowledge, that
> is the more standard approach.
>
> -Ken
>
> At 9/11/2001 08:53 AM, liuhy wrote:
> >Hello everyone,
> >
> >I am working on a project to design a communication protocol between a
> >firewall and an external server. At the beginning I created a reliable
> >connection between them by using TCP, but in order to increase its
> >performance I want to use UDP. Can I complete this job?
> >
> >Any help will be appreciated.
> >
> >liuhy
> >
> >2001.9.11
>
> *********************************************************************
> Kenneth H. Milder
> Los Alamos National Laboratory
> Computing, Communications & Networking Division (CCN)
> Network Engineering Group (CCN-5)
> Network Support Team (NST)/X Division Computing Services Team (XCS)
> MS-F645
> Los Alamos, New Mexico 87545-0010
>
> Office: (505)667-2552
> Fax: (505)665-3389
> E-mail: [EMAIL PROTECTED]
> *********************************************************************
>
> --__--__--
>
> Message: 2
> From: "william.wells" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: AOL probe - "just" Code Red
> Date: Wed, 12 Sep 2001 14:45:43 -0500
>
> AOL is configured to use a LAN (TCP/IP) connection, which means it's connecting
> on port 5190 through our firewall and then setting up a virtual network over
> that. When I get hit on port 80, I do a traceroute back to the port reported
> by my intrusion detection software on my PC. That traceroute returned via
> their virtual network to a named system (server?) in their DNS space.
>
> Our firewall is configured to block inbound port 80 so, up until yesterday,
> I have literally 0 attempts of connections to port 80 over the past couple
> of years. Our firewall is constantly scanned and blocks things accordingly.
>
> Hence,
> If one of their servers is attempting to access my PC via port 80 and send
> me a CodeRed URL, then there is something wrong with their servers (my
> opinion).
>
> If one of their customers can attempt to connect to port 80 on my PC through
> AOL's virtual network connection which AOL establishes, then any company or
> person which allows AOL's virtual adapter to run is opening up a hole around
> any network security which they might have; only software resident on the PC
> might protect them.
> The implication, if this is true (and the same mechanism
> is used for dial-up), is that AOL shouldn't be allowed to run on any system
> unless that system has personal firewall software. AOL, by itself, should be
> considered insecure. If that were true and became public, I'd think AOL
> would rapidly be out of business.
>
> I've been approaching this assuming that my connection to them was solely to
> their servers, implying that they can control what "touches" my system. If,
> when I connect, I am just another node in a virtual IP space which contains
> all other active AOL connections and all systems can freely access my
> system, then I need to seriously rethink AOL. I wouldn't think that my
> system would have a resolvable name in their address space, but maybe so.
> Next time I come up, I'll have to do a DNS lookup of my PC's IP address.
>
> Incidentally, I enabled the AOL proxy this morning, connected to AOL, and
> had another alarm in probably under 1 minute; different IP address but
> everything else is the same.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 12, 2001 12:41 PM
> > To: william.wells
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: AOL probe - "just" Code Red
> >
> > William---
> >
> > Are you getting your Internet access from AOL, or do you have another
> > Internet provider and connect to AOL through that?
> >
> > I'm no expert on AOL, but my understanding is that its dial-up access uses
> > its own proprietary protocol, and it provides winsock-based IP access
> > through its own virtual network adaptor - at least this is how previous
> > versions in the UK worked.
> >
> > If, however, you have a "proper" Internet connection (i.e. broadband or
> > proper PPP dialup), and you access AOL over that, then AOL uses its own
> > special port over IP to communicate with its servers, and it's that port
> > you need to allow through your IP firewall.
> >
> > However, unless you've set your personal firewall rules up correctly, there
> > is no way you can stop ANY box TRYING to communicate with you on port 80,
> > whether from AOL or not. If you're not running a web server of any kind on
> > your box, then just block port 80, and don't bother configuring your
> > firewall to notify you. There is so much background noise on the Internet
> > that the value of receiving individual alerts is pretty meaningless
> > (although it's obviously useful to look at longer term trends for the
> > connections made to your box, to identify repeated connection attempts).
> >
> > So, although AOL may block communication via its own protocol from other
> > users, you should not rely on them to block anything else, whether from
> > other AOL users or anyone on the Internet. You're being scanned at an IP
> > level, not a proprietary AOL protocol level.
> >
> > If you've never been scanned before, that's more due to your luck than
> > anything else....
> >
> > Russell
> >
> > ----- Forwarded by Russell Donoff/GB/ABNAMRO/NL on 12/09/2001 18:38 -----
> >
> > "william.wells" <william.wells@provell.com>
> > 12/09/2001 18:21
> > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > cc:
> > Subject: RE: AOL probe - "just" Code Red
> >
> > What you are saying implies that other AOL users could access my system from
> > their systems while I was logged into AOL. I thought AOL blocked that -
> > perhaps not. I'm still talking to AOL. I've never been scanned while on AOL
> > previously.
>
> --__--__--
>
> Message: 3
> From: "Harry Whitehouse" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Good Mail List for Cisco Router Config?
> Date: Wed, 12 Sep 2001 13:31:21 -0700
>
> Hi all!
>
> I need to add an ARP configuration line to my Cisco 2600 router and
> one of the firewall members was kind enough to give me the required
> single line command.
>
> I've got the Cisco ConfigMaker software and am talking to my router,
> but because this is my first time configuring one I'm a tad nervous.
> I've configured my PIX firewall so I have a bit of experience, but
> before I blow my router out of the water, I'd better get some more
> help!
>
> Can anyone recommend an analogous mailing list where I can get some
> help with the Cisco router?
>
> TIA
>
> Harry
>
> --__--__--
>
> Message: 4
> From: "Scheidel, Greg (Contractor)" <[EMAIL PROTECTED]>
> To: 'Daniel Mester' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Reflexive access lists
> Date: Wed, 12 Sep 2001 16:56:14 -0400
>
> The key to making this work (reflexive ACLs on a router with more than 2
> interfaces) is that:
>
> - Every interface has a static ACL that creates a reflexive ACL.
> - Every interface has a static ACL for inbound traffic that includes the
>   previously created reflexive ACL.
>
> So for your scenario where you have three interfaces local (192.168.1.1/24),
> DMZ (192.168.2.1/24), and ISP (1.1.1.1/30):
>
> ----- start snippet -----
> ! ---------------------------
> ! Access lists & reflexive access lists.
> ! - Apply an outbound ACL that defines reflexive ACLs
> !   for all traffic. Use one reflexive ACL for connection-oriented, one for
> !   connectionless; so that we can specify different timeouts.
> ! - Apply an inbound ACL that limits inbound traffic to only that
> !   which is allowed to *originate* sessions or connectionless queries.
> !   End with a reference to the reflexive ACL created by outbound
> !   traffic.
> !
> ! Applying this pair of ACLs to all interfaces means that you are
> ! allowing all of the inbound sessions & connectionless queries that
> ! you specifically want, plus are allowing replies to all sessions &
> ! connectionless queries that went out this interface previously.
> !
> ! Also allows all traffic originating on the router/firewall to go out,
> ! and replies to that traffic allowed back in (via reflexive ACLs).
> ! ---------------------------
> !
> ! default reflexive ACL settings; set stateful timeout to 60 mins
> ip reflexive-list timeout 3600
> !
> !! Local (internal) Networks: Outgoing ACL that creates reflexive ACL for
> !! inbound traffic.
> ip access-list extended local-out
>  !
>  ! connectionless traffic; add lines for each connectionless protocol that
>  ! you deal with and want a timeout separate from session oriented traffic;
>  ! 5 min timeout
>  permit icmp any any reflect local-in-rflx-connectionless timeout 300
>  permit udp any any reflect local-in-rflx-connectionless timeout 300
>  ! session traffic; everything else; 60 min timeout
>  permit ip any any reflect local-in-rflx-connection timeout 3600
> !
> !! Local (internal) Networks: Incoming ACL, including check against
> !! reflexive ACL
> ip access-list extended local-in
>  !
>  ! evaluate the reflexive ACLs created for traffic outbound from interface
>  evaluate local-in-rflx-connectionless
>  evaluate local-in-rflx-connection
>  !
>  ! allow internal users out for 'web' traffic
>  permit tcp 192.168.1.0 0.0.0.255 any eq 80
>  permit tcp 192.168.1.0 0.0.0.255 any eq 443
>  !
>  deny ip any any
> !
> !
> !! DMZ: Outgoing ACL that creates reflexive ACL for inbound traffic.
> ip access-list extended dmz-out
>  !
>  ! connectionless traffic; add lines for each connectionless protocol that
>  ! you deal with and want a timeout separate from session oriented traffic;
>  ! 5 min timeout
>  permit icmp any any reflect dmz-in-rflx-connectionless timeout 300
>  permit udp any any reflect dmz-in-rflx-connectionless timeout 300
>  ! session traffic; everything else; 60 min timeout
>  permit ip any any reflect dmz-in-rflx-connection timeout 3600
> !
> !! DMZ: Incoming ACL, including check against reflexive ACL
> ip access-list extended dmz-in
>  !
>  ! evaluate the reflexive ACLs created for traffic outbound from interface
>  evaluate dmz-in-rflx-connectionless
>  evaluate dmz-in-rflx-connection
>  !
>  ! generally speaking, don't allow anything to be initiated from the DMZ
>  ! without good reason
>  !
>  deny ip any any
> !
> !! ISP: Outgoing ACL that creates reflexive ACL for inbound traffic.
> ! (this list must carry the name the S0 interface binds as its outbound ACL)
> ip access-list extended isp-out
>  !
>  ! connectionless traffic; add lines for each connectionless protocol that
>  ! you deal with and want a timeout separate from session oriented traffic;
>  ! 5 min timeout
>  permit icmp any any reflect isp-in-rflx-connectionless timeout 300
>  permit udp any any reflect isp-in-rflx-connectionless timeout 300
>  ! session traffic; everything else; 60 min timeout
>  permit ip any any reflect isp-in-rflx-connection timeout 3600
> !
> !! ISP: Incoming ACL, including check against reflexive ACL
> ip access-list extended isp-in
>  !
>  ! evaluate the reflexive ACLs created for traffic outbound from interface
>  evaluate isp-in-rflx-connectionless
>  evaluate isp-in-rflx-connection
>  !
>  ! allow the Internet to get to specific hosts on your DMZ on specific ports
>  ! (a port match needs a tcp/udp entry with "eq"; "ip ... 80" is not valid)
>  permit tcp any host 192.168.2.20 eq 80
>  permit tcp any host 192.168.2.20 eq 443
>  !
>  deny ip any any
> !
> !! Interface configuration
> !
> int E0
>  desc Local (internal) networks
>  ip address 192.168.1.1 255.255.255.0
>  ip access-group local-in in
>  ip access-group local-out out
> !
> int E1
>  desc DMZ
>  ip address 192.168.2.1 255.255.255.0
>  ip access-group dmz-in in
>  ip access-group dmz-out out
> !
> int S0
>  desc ISP
>  ip address 1.1.1.1 255.255.255.252
>  ip access-group isp-in in
>  ip access-group isp-out out
> ----- end snippet -----
>
> The config snippet is relevant only to reflexive ACLs. I left out lines
> you'd want to include in a real-world environment such as
> anti-spoofing/land-attack, extra ACL lines to make sure your DMZ is isolated
> where necessary, etc. in the ACLs; disabling transport inputs on VTYs, SNMP
> config, etc.
>
> So, some sample traffic...
>
> 192.168.1.50 (internal user) initiates HTTP to 192.168.2.20 (DMZ web
> server):
> 1) 192.168.1.50 -> 192.168.2.20 allowed by local-in on interface E0 (local)
> 2) 192.168.1.50 -> 192.168.2.20 allowed by dmz-out on interface E1 (DMZ).
>    Line added to reflexive ACL dmz-out-connection.
> 3) 192.168.1.50 <- 192.168.2.20 allowed by dmz-in on interface E1 (DMZ) by
>    virtue of referenced reflexive ACL dmz-out-connection.
> 4) 192.168.1.50 <- 192.168.2.20 allowed by local-out on interface E0
>    (local). Line added to reflexive ACL local-out-connection.
> 5) ... and so on ... Note that the reflexive ACL does not continue to grow
>    on each subsequent exchange, as the router is smart enough to not add a line
>    that already exists; the expiration time (current time + timeout) is updated
>    instead. And yes you do end up with a line in the local-out-connection
>    reflexive ACL that is somewhat extraneous; this is a trade-off, and at least
>    traffic for already existing conversations (I'm avoiding the word session
>    since this is for session and connection-oriented traffic) is accepted
>    immediately (at the top of the local-in ACL) when the reflexive ACL is
>    evaluated instead of having to go through the rest of the ACL to match on
>    the line that allowed the initial packet that started the conversation.
>
> 5.5.5.5 (Internet user) initiates HTTP to 192.168.2.20 (DMZ web server):
> 1) 5.5.5.5 -> 192.168.2.20 allowed by isp-in on interface S0 (ISP)
> 2) 5.5.5.5 -> 192.168.2.20 allowed by dmz-out on interface E1 (DMZ). Line
>    added to reflexive ACL dmz-out-connection.
> 3) 5.5.5.5 <- 192.168.2.20 allowed by dmz-in on interface E1 (DMZ) by virtue
>    of referenced reflexive ACL dmz-out-connection.
> 4) 5.5.5.5 <- 192.168.2.20 allowed by isp-out on interface S0 (ISP). Line
>    added to reflexive ACL isp-out-connection.
> 5) ... and so on ...
>
> User consoled on the firewall ping tests to 192.168.1.50 (internal user):
> 1) 192.168.1.1 -> 192.168.1.50 allowed by local-out on interface E0 (local).
>    Line added to reflexive ACL local-in-connectionless.
> 2) 192.168.1.1 <- 192.168.1.50 allowed by local-in on interface E0 (local)
>    by virtue of referenced reflexive ACL local-out-connectionless.
>
> Make sense?
>
> Greg S.
>
> -----Original Message-----
> From: Daniel Mester [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 11, 2001 8:17 AM
> To: [EMAIL PROTECTED]
> Subject: Reflexive access lists
>
> Hi all,
> I found it pretty weird - but reflexive access lists on Cisco (12.1) work
> only for outbound access-lists. I have a Cisco with 3 interfaces - local
> (Ethernet 0), dmz (Ethernet 1), isp (Serial 0). I use reflexive access lists
> for my outbound connections from local to ISP - it works fine because
> "reflect <LISTNAME>" is used for the outbound acl and "evaluate <LISTNAME>" is
> used for the inbound acl. But what happens if I want to control access from
> local to dmz with reflexive lists? This time the connection from local to dmz
> will be filtered by the inbound acl, wouldn't it? And conversely, the
> connection from dmz to local would be in the outbound acl, right? And this way
> the reflexive acl on my Ethernet0 (local) interface won't work. Example:
>
> ip access-list extended DMZ-IMZ
>  evaluate REFLECTED-DMZ
>  deny ip <dmz-net> any log
>  permit ip any any
>
> Above, I do not want anything from DMZ to local if it hasn't been created as
> part of a local->DMZ connection. Because I use NAT, all the traffic between
> the local and ISP interfaces must go on (permit ip any any).
>
> ip access-list extended IMZ-DMZ
>  permit icmp any <dmz-net> reflect REFLECTED-DMZ
>  permit tcp any <dmz-net> reflect REFLECTED-DMZ
>  permit udp any <dmz-net> reflect REFLECTED-DMZ
>  remark ALL OTHER TRAFFIC
>  permit ip any any
>
> All the outbound traffic is permitted, with the reflexive acl opened to the DMZ.
>
> Interface ethernet 0
>  . . .
>  ip access-group IMZ-DMZ in
>  ip access-group DMZ-IMZ out
>
> This configuration would never work because all the packets from local to
> dmz wouldn't be reflected - they would be permitted by the last rule - "permit ip
> any any".
> I know I can put usual access lists with "established" - but after flexible
> IPFilter on BSD it sounds horrible.
> Any ideas?
> Daniel Mester.
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
> --__--__--
>
> End of Firewalls Digest
