Firewalls in service provider environments

Henry Yen henry at AegisInfoSys.com
Wed Feb 8 21:23:35 UTC 2012


On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
> > If you apply the ACL you showed as an inbound ACL on your provider facing
> > interfaces, you will be breaking any connections that exit your network
> > with source ports from your list of bad ports.  For example, you connect
> > out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
> > into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
> > dropped by your ACL.

> Good point. Adding in an established entry, although it may open you up to
> TCP/SYN sorts of packets, is a better trade-off than affecting customer
> traffic.

I've always thought that reflexive access lists were quite elegant,
and a much better method than established, albeit for edge networks.

Do they not work in the SP space?

--
Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York
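As an added illustration of the thread's point (example code, not part of the original post or the NANOG archive), the following Python simulates the three inbound filter styles discussed: the stateless bad-port ACL, the same ACL with an `established` entry in front of it, and a reflexive ACL. The hosts x.x.x.x and y.y.y.y are the thread's own placeholders; the bad-port list, z.z.z.z and port 4444 are constructed for the demo.

```python
from dataclasses import dataclass

BAD_PORTS = {8888, 31337}  # constructed bad-port list; 8888 is the thread's ephemeral port

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A"

def stateless_acl(pkt: Pkt) -> bool:
    """Inbound ACL as posted: deny any TCP packet that touches a bad port."""
    return pkt.sport not in BAD_PORTS and pkt.dport not in BAD_PORTS

def established_acl(pkt: Pkt) -> bool:
    """Same ACL preceded by 'permit tcp any any established': a packet with ACK
    or RST set passes on its flags alone, so replies survive, but so does any
    unsolicited ACK-flagged packet aimed at a bad port."""
    if "A" in pkt.flags or "R" in pkt.flags:
        return True
    return stateless_acl(pkt)

class ReflexiveAcl:
    """Reflexive ACL: each outbound flow adds a mirrored temporary entry; inbound
    packets matching an entry pass, everything else falls through to the static ACL."""

    def __init__(self) -> None:
        self.entries: set = set()

    def outbound(self, pkt: Pkt) -> bool:
        self.entries.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Pkt) -> bool:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries:
            return True
        return stateless_acl(pkt)

def run_demo() -> dict:
    """Constructed traffic: the thread's outbound flow, its reply, and an unsolicited ACK."""
    outbound = Pkt("x.x.x.x", 8888, "y.y.y.y", 80, "S")
    reply = Pkt("y.y.y.y", 80, "x.x.x.x", 8888, "SA")
    unsolicited = Pkt("z.z.z.z", 4444, "x.x.x.x", 8888, "A")
    refl = ReflexiveAcl()
    refl.outbound(outbound)
    return {"stateless": (stateless_acl(reply), stateless_acl(unsolicited)),
            "established": (established_acl(reply), established_acl(unsolicited)),
            "reflexive": (refl.inbound(reply), refl.inbound(unsolicited))}
```

Each tuple is (legitimate reply permitted, unsolicited packet permitted): the stateless ACL drops the customer's reply, `established` passes both, and only the reflexive ACL passes the reply while still dropping the unsolicited packet.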
