topic Re: Cisco ios acl vs iptables. difference, comparison, benefit in Operating System - Linux

Cisco ios acl vs iptables. difference, comparison, benefit

farhan_4 — Thu, 19 May 2005 12:43:03 GMT

Hi
can any one help me about different implementation and testing of Ptach o matic : string for iptables. Also the Cisco ios acl vs iptables. difference, comparison, benefit.
like to hear different configuration example and experience about it.
been through the netfilters web site , cannot find detail about it and also seen two links on web about it, nothing more,,,, really need to hear from any one used it

Regards
Fani
"Edited to comply with ITRC Guidelines"

Re: Cisco ios acl vs iptables. difference, comparison, benefit

Steven E. Protter — Thu, 19 May 2005 23:33:28 GMT

I've found some problems with iptables over the years.

I would say that a combination of iptables and router filtering would be useful in stopping port scanning attacks.

SEP

Re: Cisco ios acl vs iptables. difference, comparison, benefit

farhan_4 — Fri, 20 May 2005 06:37:34 GMT

wt kind of problem u had experienced with iptables,,, and how do u mean that combination of iptables and ios acl will provide bettter frewall

local lan--- [iptables]---[IOS acl]---WAN

do u mean this kind of senario?

Re: Cisco ios acl vs iptables. difference, comparison, benefit

Stuart Browne — Fri, 20 May 2005 07:15:28 GMT

I've personally not used the Cisco IOS' ACL's much, as I've always done it through a Linux box.

Since I grasped the operational concepts of 'iptables', I've not had any issues. I learnt my filtering/firewaling on Linux back on the 'ipfwadm' (1.3/2.0 series kernel) tools, then transisitioned to 'ipchains' (2.2/2.4 series), then on to 'iptables' when it became aparent that it was a stable and powerful tool in the Linux arsenal.

As a filtering tool, I find it invaluable, and easier to manage than Cisco's ACL's.

But thought needs to be taken in the scenario of double-router/firewall in a gatway chain.

The howto's on the IPTables website ( http://www.iptables.org/ ) will give operational instructions, not really an overall feeling.

I guess my question to you would be, what are your end goals? What are you trying to achieve with Cisco ACL's or Linux IPTables?

Stateful Firewall? Packet filter? Packet manipulation and altering?

Re: Cisco ios acl vs iptables. difference, comparison, benefit

farhan_4 — Sat, 21 May 2005 11:05:22 GMT

Im mainly concern about using it for Content based filtering, the contents in the payload of frame.
and preventing against DoS attacks

Re: Cisco ios acl vs iptables. difference, comparison, benefit

Florian Heigl (new acc) — Mon, 23 May 2005 19:15:44 GMT

To my eye the cisco ACLs win in that they have a very nice support for traffic shaping which will surely be helpful in a DDOS scenario.

for my new lan slowly reality I have a cisco router to do some edge filtering, i.e. it will limit icmp ping requests/replies to 1% of the lines maximum.

for real ddos protection, the cisco ACLs are not enough, at least to my limited understanding one would require a larger setup with toys like netflow. but I have no experience there, so I'm not sure.

You'll find very good documentation on the Cisco side of things both at cisco.com (manuals) or at routergod.com (howtos).

I'd really try to do the basic filtering (i.e. antispoof, private networks, blocking services You'll never run for the public) on the router, and have the same rules + host specific ones on the firewall.

If You want, I can post some (not so fascinating) snippets of the cisco config.