- Procurve 5300XL ACL confusion
01-13-2006 04:00 AM
I have an ACL configuration issue. Take a trivial ACL like this:
ip access-list extended "EDU-IN"
permit tcp any 130.236.60.40/32 eq 22
This will accept all incoming packets on port 22 to the host and implicitly deny the rest. So far so good.
The problem is outgoing traffic. The first packet in a TCP session from 130.236.60.40 to a host outside the router will pass through the router since there is no ACL there, but the returning packet will be denied by the above ACL. In other routers there is an established keyword:
access-list 114 permit tcp any any established
But I cannot find anything similar in the documentation for the ProCurve 5300XL. I must be missing something obvious...
/jens
2 REPLIES
01-13-2006 07:03 AM
Solution
Hi Jens,
The 5300xl does not support the established option, or one that is like that.
You will need to configure ACLs that explicitly allow return traffic. An example could be to allow all HTTP return traffic to your IP address 130.236.60.40:
permit tcp any eq 80 130.236.60.40/32 gt 1024
Or if you would like a general rule (which is quite insecure), you could use:
permit tcp any any gt 1024
In this case I would also explicitly deny ports >1024 that run services on your side, for example block RDP:
deny tcp any any eq 3389
This one needs to be in line before the permit statement, of course.
The reason I use gt 1024 is that a client that connects to a server always connects from a source port above 1024. That means the destination port for the server is that same port above 1024. For example, a client that connects to a web server:
Client: source port: 1025, destination port: 80
Server: source port: 80, destination port: 1025
Hope this helped,
Kell
01-15-2006 08:32 PM
Re: Procurve 5300XL ACL confusion
> The 5300xl does not support the established
> option, or one that is like that.
That explains why I couldn't find it...
It also means that the ACL implementation in the 5300XL is rather useless (for me at least). I want to block all incoming traffic except for a few selected services. Without an established option or some session management like in a real firewall this cannot be done.
Can anyone explain why the default last entry in an ACL is an implicit deny? If you don't have an established-option the implicit deny is almost always wrong. An implicit permit would make much more sense.
> The reason I use gt 1024, is because a
> client that connects to a server, allways
> connects from a source port above 1024.
Unless it is RSH or NFS which by default picks a privileged port...
> Hope this helped,
> Kell
It sure did! Now I will return the 5300XL and shop for another product.
Does anyone have a recommendation for something that can route 1Gbit/s and has a usable ACL implementation? OSPF and VLAN are required. A Procurve 9304 worked all right but is a bit expensive. A real firewall would be nice of course, but price vs performance is a tough one.
/jens
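To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from HPE): a small first-match evaluator that models a stateless ACL with an implicit deny at the end, loaded with the rules from the accepted answer. It shows why the RDP deny must precede the broad `gt 1024` permit, and it reproduces the follow-up's caveat that replies to clients on privileged ports (rsh, NFS) are still dropped. The simplified rule syntax, the remote host 198.51.100.7 and the packet tuples are constructed for the example.

```python
# Added example (not from the thread): a first-match ACL evaluator modelling the 5300XL
# behaviour described above, i.e. no "established" keyword and an implicit deny at the
# end. Rule syntax follows the lines quoted in the thread; the packets and the remote
# host 198.51.100.7 are constructed test data.
import ipaddress

PORT_OPS = {"eq": lambda p, v: p == v, "gt": lambda p, v: p > v, "lt": lambda p, v: p < v}

def parse_rule(line):
    """Parse 'permit|deny tcp <src> [eq|gt|lt N] <dst> [eq|gt|lt N]' into a dict."""
    tok = line.split()
    action, proto, i, ends = tok[0], tok[1], 2, []
    for _ in range(2):                      # source end, then destination end
        addr, op, val = tok[i], None, None
        i += 1
        if i < len(tok) and tok[i] in PORT_OPS:
            op, val, i = tok[i], int(tok[i + 1]), i + 2
        ends.append((addr, op, val))
    return {"action": action, "proto": proto, "src": ends[0], "dst": ends[1]}

def _end_matches(end, ip, port):
    addr, op, val = end
    addr_ok = addr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)
    return addr_ok and (op is None or PORT_OPS[op](port, val))

def evaluate(rules, pkt):
    """First matching entry wins. pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, sip, sport, dip, dport = pkt
    for r in rules:
        if r["proto"] == proto and _end_matches(r["src"], sip, sport) and _end_matches(r["dst"], dip, dport):
            return r["action"]
    return "deny"                           # implicit deny at the end of every ACL

# The inbound ACL as the accepted answer builds it: the RDP deny sits before the broad permit.
EDU_IN = [parse_rule(l) for l in [
    "permit tcp any 130.236.60.40/32 eq 22",
    "permit tcp any eq 80 130.236.60.40/32 gt 1024",   # HTTP return traffic to the host
    "deny tcp any any eq 3389",                        # block RDP before the broad permit
    "permit tcp any any gt 1024",                      # general (and insecure) return-traffic rule
]]

# Constructed packets arriving inbound: (proto, src_ip, src_port, dst_ip, dst_port)
SSH_IN     = ("tcp", "198.51.100.7", 40000, "130.236.60.40", 22)    # new SSH session from outside
HTTP_REPLY = ("tcp", "198.51.100.7", 80,    "130.236.60.40", 1025)  # reply to our web client
RDP_IN     = ("tcp", "198.51.100.7", 40000, "130.236.60.40", 3389)  # RDP connection attempt from outside
RSH_REPLY  = ("tcp", "198.51.100.7", 514,   "130.236.60.40", 1023)  # reply to an rsh client on a privileged port

if __name__ == "__main__":
    for name, pkt in [("SSH_IN", SSH_IN), ("HTTP_REPLY", HTTP_REPLY), ("RDP_IN", RDP_IN), ("RSH_REPLY", RSH_REPLY)]:
        print(name, evaluate(EDU_IN, pkt))
```

Reversing the order of the last two entries lets the RDP attempt through, which is the ordering point the answer makes; the rsh reply is dropped by the implicit deny because its destination port is below 1024.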