[AusNOG] ACL question

James Hodgkinson yaleman at ricetek.net
Sat Dec 3 10:00:19 EST 2016 

That'll work... for various values of work, and for various values
of security.




On Sat, 3 Dec 2016, at 08:50, Alex Samad wrote:

> Hi

> 

> Let me expand a bit.

> 

> I have 2 sets of routers that have 3-4 ISP connected and I apply very
> broad ACL's here.  They are routeros box.
> 

> They both conect to a shared vlan and then onto a single ASA5520.

> 

> I want to allow tcp packets that are part of a stream ... in through
> these routers.
> 

> I can't used established because in routeros it depens on the
> underlying firewall seeing the initial syn packet or atleast seeing an
> outbound tcp packet ( as I allow all out).
> 

> Working from memory. 

> 

> initial packet -> Syn

> initial reply -> syn,ack

> 3rd is syn,ack

> 

> every other packet (valid) has a ack

> 

> end is FIN (does it have an ack ?)

> 

> does RST have an ack ?

> 

> so if I allow 

> ack 

> fin

> rst 

> 

> packets through that should cover all the tcp packets after the
> initial syn
> 

> 

> 

> 

> Alex

> 

> 

> 

> 

> 

> 

> On 3 December 2016 at 00:04, Tom Storey <tom at snnap.net> wrote:

>> If its a Cisco, might a reflexive ACL help?

>> 

>> On 2 December 2016 at 02:51, Alex Samad <alex at samad.com.au> wrote:

>>> Hi

>>> 

>>> having a blonde moment.

>>> 

>>> I want to set an ACL to allow TCP streams through a firewall where
>>> there is asymmetric routing in place. So a stream that might be
>>> initiated via a different path, comes via this router mid stream
>>> 

>>> If I allow tcp packets that have ACK and/or RST. that should cover
>>> all packets in a tcp stream after the initial hand shake.
>>> 

>>> 

>>> 

>>> Alex

>>> 

>>> _______________________________________________
>>>  AusNOG mailing list AusNOG at lists.ausnog.net
>>>  http://lists.ausnog.net/mailman/listinfo/ausnog
> _________________________________________________

> AusNOG mailing list

> AusNOG at lists.ausnog.net

> http://lists.ausnog.net/mailman/listinfo/ausnog


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20161203/82b01d78/attachment.html>

More information about the AusNOG mailing list