Firewalls in service provider environments

Matthew Reath matt at mattreath.com
Wed Feb 8 13:28:41 CST 2012


> On Wed, Feb 8, 2012 at 9:25 AM, Matthew Reath <matt at mattreath.com> wrote:
>
>> Good point. Adding in an established entry, although may open you up for
>> TCP/SYN sort of packets is a better trade off than affecting customer
>> traffic.
>
> 'established' is explicitly NOT 'syn' ...
> maybe you meant 'ack flood' ? (or rst flood? or .... but certainly not
> syn flood)
>

If I had an 'established' entry on an inbound ACL to filter traffic coming
from my upstream provider wouldn't SYN ACK (2nd step in handshake) packets
be allowed to pass the ACL because of this?

But I see your point a connection initiation from external sources with
just the SYN flag set would not be allowed.  However if a session is
initiated internally the returning SYN ACK from the external server would
be allowed as would ACK and data packets with ACK set.






More information about the NANOG mailing list