> Why should I set up ACLs on a screening router for some kind of traffic (e.g. ICMP, maybe restrict some ports) although the firewall itself filters that traffic? Why should I set up ACLs on an internal screening router?

You should base all your network security on the principle of "defense in layers." For example, (INET)-->|FW-->ACLs and IDS-->OS patches/end user security training. This builds in reliability, redundancy, and increases the time it takes to penetrate a network. ACLs also help to slow or prevent internal (employee) snooping and/or hacking. If you only use a firewall and it is defeated, what do you have left?

~S~

Disclaimer: My own two cents.