Firewalls in service provider environments
henry at AegisInfoSys.com
Wed Feb 8 21:23:35 UTC 2012
On Wed, Feb 08, 2012 at 08:25:18AM -0600, Matthew Reath wrote:
> > If you apply the ACL you showed as an inbound ACL on your provider facing
> > interfaces, you will be breaking any connections that exit your network
> > with source ports from your list of bad ports. For example, you connect
> > out from x.x.x.x:8888 to y.y.y.y:80, then the response packets coming back
> > into your network will be from y.y.y.y:80 to x.x.x.x:8888 and will be
> > dropped by your ACL.
> Good point. Adding in an established entry, although may open you up for
> TCP/SYN sort of packets is a better trade off than affecting customer
I've always thought that reflexive access lists were quite elegant,
and a much better method than established, albeit for edge networks.
Do they not work in the SP space?
Henry Yen Aegis Information Systems, Inc.
Senior Systems Programmer Hicksville, New York
More information about the NANOG