Re: ACL List Order

2024-02-15 Thread Wally B
So, I removed the xxx.xxx.xxx.170/32 from the source so it's just
xxx.xxx.xxx.235/32,
and it works.

Can we not use a comma-separated list? This was my understanding so, if
not, this is my bad.

Thanks!
Wally

On Thu, Feb 15, 2024 at 11:33 AM Wally B  wrote:


Re: ACL List Order

2024-02-15 Thread Wally B
It seems the address is correct:

17:30:26.747007 eth1  In  IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:30:27.749514 eth1  In  IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:30:29.758959 eth1  In  IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:30:33.766394 eth1  In  IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:30:41.779309 eth1  In  IP xxx.xxx.xxx.235.61700 > xxx.xxx.xxx.153.: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

cidrlist is

xxx.xxx.xxx.235/32,xxx.xxx.xxx.170/32

I'm coming from .235

On Thu, Feb 15, 2024 at 11:05 AM Wei ZHOU  wrote:


Re: ACL List Order

2024-02-15 Thread Wei ZHOU
Yes.

I suspect the source IP of the packets to the VR is not the IP `x.x.x.x/32`
in the rule.
You can use tcpdump in the VR to capture the packets and check the source
of the packets.

-Wei

On Thu, 15 Feb 2024 at 17:32, Wally B  wrote:


ACL List Order

2024-02-15 Thread Wally B
I'm trying to add an allow rule for management into my ACL. I have a Deny
All inbound at the bottom of the ACL and the allow management at the top.
Yet I cannot SSH into Virtual Machines in the Subnet. If I change the Deny
All Inbound to Allow or just remove it everything works.

My understanding is that if I have an allow-all from x.x.x.x/32 at rule
number 1 it would supersede any deny rules. Is that not correct?

Here's my ACL exported:


6b7f371d-3dc4-469e-b5cf-6b74c1762195 all Ingress Active x.x.x.x/32 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 1 Allow TRUE SYSTEM: MANAGEMENT INBOUND
5baa2be8-39d1-4c6f-b2ee-e42b69f52242 icmp Ingress Active 0.0.0.0/0 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 10998 Deny TRUE Deny All ICMP Inbound
90801df9-3dcc-4406-8cf6-2923b70ce46a all Ingress Active 0.0.0.0/0 2d3758c6-2b98-433b-b507-c038ad03f33b test-acl-1 11000 Deny TRUE Deny All Inbound
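Three things in this thread come down to one check: Wei's suggestion to capture on the VR with tcpdump and compare the packet source against the rule, Wally's finding that a cidrlist with two comma-separated /32s did not match while a single /32 did, and the original question of whether an Allow at rule number 1 supersedes the Deny rules at 10998 and 11000. The script below is an added example, not CloudStack code and not anything posted in the thread. It models the semantics the thread expects (rules evaluated in ascending number, first match wins, cidrlist split on commas), parses constructed tcpdump lines in the shape of the ones above, and reports which rule would take each source address. The addresses, the `AclRule` class and the function names are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture in the shape of the tcpdump output posted above
# (the thread masked its addresses with xxx; these are documentation ranges).
SAMPLE_TCPDUMP = """\
17:30:26.747007 eth1  In  IP 203.0.113.235.61700 > 10.1.1.153.22: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:30:27.749514 eth1  In  IP 203.0.113.235.61700 > 10.1.1.153.22: Flags [S], seq 3211985522, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:30:30.100000 eth1  In  IP 198.51.100.7.40022 > 10.1.1.153.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0
"""

# "IP <src>.<sport> > <dst>.<dport>:" as tcpdump prints it; dport may be empty,
# which is how the lines in the thread came out.
_PKT_RE = re.compile(
    r"\bIP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d*):"
)


def source_ips(tcpdump_text: str) -> list:
    """Distinct source addresses in a tcpdump capture, in first-seen order."""
    seen = []
    for line in tcpdump_text.splitlines():
        m = _PKT_RE.search(line)
        if m and m.group("src") not in seen:
            seen.append(m.group("src"))
    return seen


@dataclass(frozen=True)
class AclRule:           # assumed shape, mirrors the columns of the exported ACL
    number: int          # evaluation order, lowest first
    action: str          # "Allow" or "Deny"
    protocol: str        # "all", "tcp", "udp" or "icmp"
    cidrlist: str        # comma-separated source CIDRs
    reason: str = ""


def parse_cidrlist(cidrlist: str) -> list:
    """Split a comma-separated cidrlist into networks; stray spaces are tolerated."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in cidrlist.split(",") if c.strip()]


def evaluate(rules, src_ip: str, protocol: str) -> Optional[AclRule]:
    """First-match evaluation in ascending rule-number order.

    Returns the rule that decides the packet, or None if no rule matched."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if any(ip in net for net in parse_cidrlist(rule.cidrlist)):
            return rule
    return None


def thread_acl(mgmt_cidrlist: str) -> list:
    """The three rules from the exported ACL above, with the management cidrlist
    left as a parameter so both variants tried in the thread can be compared."""
    return [
        AclRule(1, "Allow", "all", mgmt_cidrlist, "SYSTEM: MANAGEMENT INBOUND"),
        AclRule(10998, "Deny", "icmp", "0.0.0.0/0", "Deny All ICMP Inbound"),
        AclRule(11000, "Deny", "all", "0.0.0.0/0", "Deny All Inbound"),
    ]


def check_capture(tcpdump_text: str, rules, protocol: str = "tcp") -> dict:
    """Map every source seen in the capture to (rule number, action), or None."""
    verdicts = {}
    for src in source_ips(tcpdump_text):
        hit = evaluate(rules, src, protocol)
        verdicts[src] = (hit.number, hit.action) if hit else None
    return verdicts


if __name__ == "__main__":
    for cidrs in ("203.0.113.235/32,203.0.113.170/32", "203.0.113.235/32"):
        print(f"cidrlist={cidrs}")
        for src, verdict in check_capture(SAMPLE_TCPDUMP, thread_acl(cidrs)).items():
            print(f"  {src:16} -> {verdict}")
```

Under these semantics both cidrlist variants give the .235 source rule 1 / Allow and give any other source rule 11000 / Deny (10998 for ICMP), which is what the original post expected. When this model says a source should be allowed but the VR still drops the SYN, the disagreement is between the expected semantics and what was actually programmed on the VR, so the next thing to compare is the VR's own firewall rule set for that ACL, not the ACL as exported from the API.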