Firewalls in service provider environments

Matthew Reath matt at mattreath.com
Tue Feb 7 22:35:44 UTC 2012


> On Tue, Feb 7, 2012 at 4:52 PM, Matthew Reath <matt at mattreath.com> wrote:
>> Here is the template we typically use (or a variant of it):
>>
>> <-- snippet -->
>> access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
>> access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
>> access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
>> access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
>> access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
>> access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
>> access-list 102 deny   ip host 255.255.255.255 any
>> access-list 102 deny   tcp any any eq 135
>> access-list 102 deny   udp any any eq 135
>> access-list 102 deny   udp any any eq netbios-ns
>> access-list 102 deny   tcp any any eq 139
>> access-list 102 deny   udp any any eq netbios-ss
>> access-list 102 deny   tcp any any eq 445
>> access-list 102 deny   tcp any any eq 593
>> access-list 102 deny   tcp any any eq 4444
>> access-list 102 deny   tcp any any eq 9996
>> access-list 102 deny   tcp any any eq 5554
>> access-list 102 deny   tcp any any eq 8888
>> access-list 102 deny   tcp any any eq 7778
>> access-list 102 deny   tcp any any eq 8594
>> access-list 102 deny   tcp any any eq 8563
>> access-list 102 deny   tcp any any eq 1434
>> <-- end snippet -->
>
> One of my customers has a list like that. They can't understand why
> one in every hundred or so TCP connections on port 443 fails.
>
> Hint: you forgot "access-list 102 permit tcp any any established"
> after "access-list 102 deny   ip host 255.255.255.255 any". The
> destination port in one direction is the source port in the other and
> many of those are dynamic source ports picked by Windows. Unless you
> restrict that filter to just packets attempting to initiate a new
> connection, you're shooting yourself in the foot.
>
> Regards,
> Bill Herrin
>
>
>
>
> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>

Yeah, agreed.  The only place this gets applied is inbound on the interface
facing an upstream provider. ACLs ingress from end customers are much
different. In theory this could cause issues with externally initiated
traffic that uses, let's say, 8888 as its random source port.

-Matt
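The failure mode Bill describes is easy to reproduce on paper: the port denies in the template are written against the destination port, and on the return leg of a customer's outbound connection the destination port is whatever ephemeral source port the client's OS picked. The following is an added example, not code from the thread or from any vendor: a small first-match evaluator for the Cisco-style extended ACL lines quoted above (IPv4 wildcards, `eq <port>`, `established`, implicit deny), run over three constructed packets once against the list as posted and once with `permit tcp any any established` inserted where Bill suggests. It assumes a trailing `permit ip any any` (the snippet ends without one), uses documentation addresses for the customer and the remote server, and models `established` the way IOS does, as "ACK or RST set"; fragments, port ranges and source-port matches are not modelled.

```python
import ipaddress
from collections import namedtuple

# Re-typed from the thread; the trailing "permit ip any any" is an assumption, because the
# snippet ends without one and a Cisco ACL otherwise denies everything that follows.
TEMPLATE = """\
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   tcp any any eq 135
access-list 102 deny   udp any any eq 135
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ss
access-list 102 deny   tcp any any eq 445
access-list 102 deny   tcp any any eq 593
access-list 102 deny   tcp any any eq 4444
access-list 102 deny   tcp any any eq 9996
access-list 102 deny   tcp any any eq 5554
access-list 102 deny   tcp any any eq 8888
access-list 102 deny   tcp any any eq 7778
access-list 102 deny   tcp any any eq 8594
access-list 102 deny   tcp any any eq 8563
access-list 102 deny   tcp any any eq 1434
access-list 102 permit ip any any
"""
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# One parsed access-list line (dport is None unless 'eq' was given) and one IPv4 packet.
Rule = namedtuple("Rule", "action proto src dst dport established text")
Packet = namedtuple("Packet", "proto src dst sport dport flags")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_spec(t, i):
    """Consume one 'any' / 'host A' / 'A WILDCARD' source or destination spec at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1  # all-ones wildcard: every address bit is ignored
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        eq = t[i:i + 1] == ["eq"]
        dport = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if eq else None
        rules.append(Rule(t[2], t[3], src, dst, dport, t[i:i + 1] == ["established"], line.strip()))
    return rules

def _in(addr, spec):
    """Cisco wildcard semantics: address bits where the wildcard has a 1 are ignored."""
    net, wild = spec
    return (_ip(addr) ^ net) & (~wild & 0xFFFFFFFF) == 0

def matches(rule, pkt):
    proto_ok = rule.proto == "ip" or rule.proto == pkt.proto
    port_ok = rule.dport is None or pkt.dport == rule.dport
    # 'established' matches only TCP segments with ACK or RST set, i.e. never a bare SYN.
    est_ok = not rule.established or (pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"}))
    return proto_ok and port_ok and est_ok and _in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)

def evaluate(rules, pkt):
    """First match wins; anything unmatched hits Cisco's implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"

def with_established(text):
    """Bill's fix: the established permit goes right after the broadcast-source deny."""
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines) if "host 255.255.255.255" in l)
    lines.insert(idx + 1, "access-list 102 permit tcp any any established")
    return "\n".join(lines)

# Constructed scenarios: 198.51.100.5 is a customer host behind the provider edge and
# 203.0.113.10 a web server on the Internet (both documentation ranges). The first is the
# server's reply to a client whose OS picked 8888 as its ephemeral port, the second an
# externally initiated SYN to 8888 the filter is meant to stop, the third a spoofed RFC 1918
# source with ACK set, which the bogon denies ahead of the established rule still catch.
SCENARIOS = {
    "return_traffic": Packet("tcp", "203.0.113.10", "198.51.100.5", 443, 8888, frozenset({"ACK"})),
    "inbound_syn_to_8888": Packet("tcp", "203.0.113.10", "198.51.100.5", 51515, 8888, frozenset({"SYN"})),
    "spoofed_rfc1918": Packet("tcp", "10.1.2.3", "198.51.100.5", 443, 8888, frozenset({"ACK"})),
}

def verdicts(acl_text):
    """Map each scenario name to 'permit' or 'deny' under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SCENARIOS.items()}

print("as posted:       ", verdicts(TEMPLATE))
print("with established:", verdicts(with_established(TEMPLATE)))
```

With the list as posted, the return segment is dropped by `deny tcp any any eq 8888`, which is exactly the intermittent failure Bill's customer sees (it only bites when the client happens to draw one of the listed ports). With the established permit inserted after the bogon denies, that segment is permitted, a fresh inbound SYN to 8888 is still denied, and spoofed RFC 1918 sources are still denied because the source-address denies precede the established rule.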
