Firewalls in service provider environments

Henry Yen henry at
Wed Feb 8 21:23:35 UTC 2012

On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
> > If you apply the ACL you showed as an inbound ACL on your provider facing
> > interfaces, you will be breaking any connections that exit your network
> > with source ports from your list of bad ports.  For example, you connect
> > out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
> > into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
> > dropped by your ACL.

> Good point. Adding in an established entry, although may open you up for
> TCP/SYN sort of packets is a better trade off than affecting customer
> traffic.

I've always thought that reflexive access lists were quite elegant,
and a much better method than established, albeit for edge networks.

Do they not work in the SP space?

Henry Yen                                       Aegis Information Systems, Inc.
Senior Systems Programmer                       Hicksville, New York

More information about the NANOG mailing list