Reflexive access lists
Introduction to this web page

This page contains sample extended named access lists set up to do reflexive filtering, which is the Cisco IOS version of stateful packet filtering. Reflexive entries can only be used inside extended named access lists. The samples also use "remark" as the way of adding comments to a list. The lists aren't really complete: they don't allow any routing protocol in on either interface, they say nothing about the router's other configuration settings, and the transcript never saves the running configuration. It isn't a script as such, because it also shows the relevant prompt. The lists are based on the following network arrangement :- a router with two interfaces, ethernet 0 on the backbone network 12x.34.0.0/24 (the side facing the outside world) and ethernet 1 on the secure subnet 12x.34.56.0/24 (the first octet is masked as "12x" throughout).
Reflexive access lists

The essence of a reflexive access list is that when a packet is sent out from the secure subnet to the outside world, a record of that packet is made in the reflexive access list. The record is dynamic: it lives only for a short time (the timeout given on the entry, or the global default) and is then deleted. When an incoming packet arrives at the router, its source address, destination address, port numbers and protocol are compared with the records in the reflexive access list, and if the packet turns out to be part of a connection already set up, it is allowed through the router and into the secure subnet.

The reflexive access list is initially set up by an entry of the form

    permit protocol any any reflect name

inserted into an extended named access list that examines packets leaving our secure subnet. Initially the reflexive access list is empty. There is also an entry of the form

    evaluate name

inserted into another extended named access list, attached to an interface so that all packets coming in to the secure subnet are checked against it. If no dynamic entry matches, IOS carries on to the next entry of that list rather than stopping.

When a packet arrives from the secure subnet heading for the outside world and matches the "permit ... reflect" entry, a record of the packet is made and the packet is passed through the access list and out to the outside world. But this entry stops us doing any other form of filtering on the packet: an access list is processed from the top and the first matching entry decides, so once the packet has been permitted no later entry in the list is applied. If the "permit ... reflect" entry comes before the port rules, every packet of the correct protocol is passed on before the port rules ever see it.

And if we put the port rules before the entry containing the reflect keyword, then the outgoing packets with the allowed ports are matched and passed on by the port rules before the reflexive entry sees them, so no record is made of them and their replies will not match the evaluate entry. The only packets the reflexive entry sees are those whose ports have not been permitted by the port rules, which are exactly the ones we are trying to block, and the reflexive entry passes them. (Deny entries placed ahead of the reflect entry would drop their packets before the reflect is reached, and a reflect entry can itself carry port criteria; the design on this page keeps the two kinds of filtering apart instead.)

It is a pity that Cisco don't seem to allow the kind of layering that iptables in Linux allows. There, rule sets can be bundled in layers (chains), so that packets pass through one set of rules after another, and each set can do a completely different kind of filtering from the next: with iptables we can have a port filtering set of rules followed by a stateful packet filtering set of rules.

But back to Cisco. There is a workaround: we can apply two access lists to each interface, one inbound and one outbound. So we can have two access lists on one interface that do port filtering or address filtering, and another two on the other interface that do the reflexive packet filtering. This works with our network configuration because the router has only two interfaces; with three or more interfaces the technique may not be usable.

So we are going to use the following setup :-

Access list "e0-out" is used to set up the reflexive access lists; in this case we set up three, one each for TCP, UDP and ICMP.
Access list "e0-in" is used to compare the incoming packets with the reflexive access list entries.
Access list "e1-in" is used to do port and spoofed IP address blocking on the packets coming from the secure subnet.
Access list "e1-out" is used to do port blocking on packets coming in from the outside world. It is questionable whether there is any need for this list.
Configuring the access lists
router> enable
router# config t
!
router(config)# ! Remove the previous version of the access list
!
router(config)# no ip access-list extended e0-out
!
router(config)# ! Set up the new version of the access list
!
router(config)# ip access-list extended e0-out
!
router(config-ext-nacl)# remark **This list is for packets originating on the secure
router(config-ext-nacl)# remark subnet, heading for the outside world.**
!
router(config-ext-nacl)# remark **This list is used to set up the reflexive
router(config-ext-nacl)# remark access lists.**
!
router(config-ext-nacl)# permit tcp any any reflect reflex-tcp timeout 120
router(config-ext-nacl)# permit udp any any reflect reflex-udp timeout 120
router(config-ext-nacl)# permit icmp any any reflect reflex-icmp timeout 120
!
router(config-ext-nacl)# exit
!
router(config)# ! Remove the previous version of the access list
!
router(config)# no ip access-list extended e0-in
!
router(config)# ! Set up the new version of the access list
!
router(config)# ip access-list extended e0-in
!
router(config-ext-nacl)# remark **This list is for packets originating in the
router(config-ext-nacl)# remark outside world, and are heading for the secure
router(config-ext-nacl)# remark subnet.**
!
router(config-ext-nacl)# remark **This list is used to block packets with source
router(config-ext-nacl)# remark addresses that should not exist on the open
router(config-ext-nacl)# remark internet.**
!
router(config-ext-nacl)# remark **This is the loopback address**
!
router(config-ext-nacl)# deny ip 127.0.0.0 0.255.255.255 any
!
router(config-ext-nacl)# remark **This is sometimes used to mean "this" host**
!
router(config-ext-nacl)# deny ip 0.0.0.0 0.0.0.0 any
!
router(config-ext-nacl)# remark **These are the IP addresses reserved by IANA**
!
router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any
router(config-ext-nacl)# deny ip 192.0.2.0 0.0.0.255 any
router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any
router(config-ext-nacl)# deny ip 240.0.0.0 15.255.255.255 any
router(config-ext-nacl)# deny ip 224.0.0.0 15.255.255.255 any
!
router(config-ext-nacl)# remark **This is our own secure subnet address**
!
router(config-ext-nacl)# deny ip 12x.34.56.0 0.0.0.255 any
!
router(config-ext-nacl)# remark **This is the network address of the network backbone,
router(config-ext-nacl)# remark and there are no hosts on this backbone, only routers**
!
router(config-ext-nacl)# deny tcp 12x.34.0.0 0.0.0.255 any
router(config-ext-nacl)# deny udp 12x.34.0.0 0.0.0.255 any
!
router(config-ext-nacl)# remark **These entries do the comparisons with the
router(config-ext-nacl)# remark reflexive access lists, and so only allow
router(config-ext-nacl)# remark packets that are part of connections already
router(config-ext-nacl)# remark set up.**
!
router(config-ext-nacl)# evaluate reflex-tcp
router(config-ext-nacl)# evaluate reflex-udp
router(config-ext-nacl)# evaluate reflex-icmp
!
router(config-ext-nacl)# exit
!
router(config)# ! Remove the previous version of the access list
!
router(config)# no ip access-list extended e1-in
!
router(config)# ! Set up the new version of the access list
!
router(config)# ip access-list extended e1-in
!
router(config-ext-nacl)# remark **This list permits outgoing packets with
router(config-ext-nacl)# remark specific port numbers, which are coming
router(config-ext-nacl)# remark from the secure subnet, heading for the
router(config-ext-nacl)# remark outside world.**
!
router(config-ext-nacl)# remark **Because the source address is specified for
router(config-ext-nacl)# remark every entry, packets with spoofed ip addresses
router(config-ext-nacl)# remark outside the secure subnet address range will
router(config-ext-nacl)# remark be blocked.**
!
router(config-ext-nacl)# remark **Telnet**
!
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 23
!
router(config-ext-nacl)# remark **DNS (queries are normally UDP; TCP is used for large answers and zone transfers)**
!
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 any eq 53
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 53
!
router(config-ext-nacl)# remark **HTTP**
!
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 80
!
router(config-ext-nacl)# remark **IMAP**
!
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 143
!
router(config-ext-nacl)# remark **HTTPS**
!
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 443
!
router(config-ext-nacl)# remark **HP printers**
!
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 any eq 69
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 any eq 161
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 any eq 162
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any range 9100 9102
!
router(config-ext-nacl)# remark **HP web admin**
!
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 8000
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 any eq 8000
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 any eq 8443
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 any eq 8443
!
router(config-ext-nacl)# remark **These two sections allow NetBIOS only to
router(config-ext-nacl)# remark the two servers "Humpty" and "Dumpty"
router(config-ext-nacl)# remark from any pc on the 12x.34.56.0 subnet**
!
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 137
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 138
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 139
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.80 eq 139
!
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 137
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 138
router(config-ext-nacl)# permit udp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 139
router(config-ext-nacl)# permit tcp 12x.34.56.0 0.0.0.255 host 12x.34.50.85 eq 139
!
router(config-ext-nacl)# remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)# remark **Allow Echo request packets**
!
router(config-ext-nacl)# permit icmp 12x.34.56.0 0.0.0.255 any echo
!
router(config-ext-nacl)# exit
!
router(config)# ! Remove the previous version of the access list
!
router(config)# no ip access-list extended e1-out
!
router(config)# ! Set up the new version of the access list
!
router(config)# ip access-list extended e1-out
!
router(config-ext-nacl)# remark **This list does port blocking on the packets
router(config-ext-nacl)# remark coming from the outside world into the secure
router(config-ext-nacl)# remark subnet. These packets have already been
router(config-ext-nacl)# remark filtered by the reflexive access lists, so
router(config-ext-nacl)# remark maybe this is paranoia.**
!
router(config-ext-nacl)# remark **Telnet**
!
router(config-ext-nacl)# permit tcp any eq 23 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **DNS**
!
router(config-ext-nacl)# permit udp any eq 53 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp any eq 53 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **HTTP**
!
router(config-ext-nacl)# permit tcp any eq 80 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **IMAP**
!
router(config-ext-nacl)# permit tcp any eq 143 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **HTTPS**
!
router(config-ext-nacl)# permit tcp any eq 443 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **HP printers**
!
router(config-ext-nacl)# permit udp any eq 69 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp any eq 161 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp any eq 162 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp any range 9100 9102 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **HP web admin**
!
router(config-ext-nacl)# permit tcp any eq 8000 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp any eq 8000 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp any eq 8443 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp any eq 8443 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **These two sections allow NetBIOS only from
router(config-ext-nacl)# remark the two servers "Humpty" and "Dumpty"
router(config-ext-nacl)# remark to any pc on the 12x.34.56.0 subnet**
!
router(config-ext-nacl)# permit udp host 12x.34.50.80 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp host 12x.34.50.80 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp host 12x.34.50.80 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp host 12x.34.50.80 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp host 12x.34.50.80 eq 139 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp host 12x.34.50.80 eq 139 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# permit udp host 12x.34.50.85 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp host 12x.34.50.85 eq 137 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp host 12x.34.50.85 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp host 12x.34.50.85 eq 138 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit udp host 12x.34.50.85 eq 139 12x.34.56.0 0.0.0.255
router(config-ext-nacl)# permit tcp host 12x.34.50.85 eq 139 12x.34.56.0 0.0.0.255
!
router(config-ext-nacl)# remark **This section permits certain types of ICMP packets**
!
router(config-ext-nacl)# remark **Allow Echo Reply packets**
!
router(config-ext-nacl)# permit icmp any 12x.34.56.0 0.0.0.255 echo-reply
!
router(config-ext-nacl)# exit
!
router(config)# ! Configure the two interfaces, and associate the
router(config)# ! access lists with them
!
router(config)# interface ethernet 0
!
router(config-if)# ip address 12x.34.0.35 255.255.255.0
router(config-if)# ip access-group e0-in in
router(config-if)# ip access-group e0-out out
router(config-if)# no shutdown
!
router(config-if)# exit
!
router(config)# interface ethernet 1
!
router(config-if)# ip address 12x.34.56.1 255.255.255.0
router(config-if)# ip access-group e1-in in
router(config-if)# ip access-group e1-out out
router(config-if)# no shutdown
!
router(config-if)# exit
!
router(config)# exit
router# disable
router>

Four corrections to the transcript as originally published: "no ip access-list" needs the "extended" keyword and the list name; the trailing dots in "172.16.0.0." and "192.168.0.0." were typos; a port range is written "range 9100 9102", not "range 9100:9102"; and the reserved block 240.0.0.0/4 needs the wildcard 15.255.255.255 (7.255.255.255 covered only half of it). DNS over UDP (port 53) has also been added to e1-in and e1-out, since without it ordinary resolver queries from the secure subnet would be dropped by the implicit deny at the end of e1-in before ever reaching the reflect entry.
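The Python model below is an added example, not part of the original page and not Cisco code. It reproduces the first-match processing and reflexive bookkeeping described in the "Reflexive access lists" section, then walks the four-list split that the transcript above configures. All addresses are constructed: 192.0.2.0/24 stands in for 12x.34.56.0/24 and 198.51.100.5 for an outside host, and the entry and table names are illustrative. one_list_demo shows both orderings of a port rule and a reflect entry in the same list; two_interface_demo shows e1-in letting port 80 out and dropping port 6667, e0-out recording the flow, and e0-in admitting the reply, expiring it after the 120 second idle timeout, and dropping both an unsolicited SYN and a packet claiming an inside source address.

```python
"""Toy model of Cisco IOS first-match ACL processing with reflexive entries.
Added example, not from the page; 192.0.2.0/24 stands in for the secure subnet
and 198.51.100.5 for an outside host (both constructed). TCP FIN/RST teardown
and source-port criteria ("eq N" before the destination) are not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Entry:
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # "ip" matches every protocol
    src: str = "0.0.0.0/0"          # "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # "eq N" after the destination address
    reflect: Optional[str] = None   # "reflect NAME": record the flow there
    evaluate: Optional[str] = None  # "evaluate NAME": consult that table
    timeout: int = 300              # IOS default reflexive idle timeout (s)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class ReflexiveTables:
    """Dynamic entries keyed by the *return* flow, each with an idle expiry."""
    def __init__(self) -> None:
        self.tables: Dict[str, Dict[Tuple, Tuple[float, int]]] = {}

    def record(self, name: str, p: Packet, now: float, timeout: int) -> None:
        mirror = (p.proto, p.dst, p.src, p.dport, p.sport)  # addresses and ports swapped
        self.tables.setdefault(name, {})[mirror] = (now + timeout, timeout)

    def lookup(self, name: str, p: Packet, now: float) -> bool:
        table = self.tables.get(name, {})
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        expiry, timeout = table.get(key, (-1.0, 0))
        if expiry < now:                       # absent, or idle for too long
            table.pop(key, None)
            return False
        table[key] = (now + timeout, timeout)  # matching traffic refreshes the entry
        return True

def apply_acl(acl: List[Entry], p: Packet, tables: ReflexiveTables, now: float) -> str:
    """First matching entry decides; an evaluate with no dynamic match falls through."""
    for e in acl:
        if e.action == "evaluate":
            if tables.lookup(e.evaluate, p, now):
                return "permit"
            continue
        if e.matches(p):
            if e.action == "permit" and e.reflect:
                tables.record(e.reflect, p, now, e.timeout)
            return e.action
    return "deny"  # the implicit deny at the end of every IOS access list

def one_list_demo(reflect_first: bool) -> Dict[str, str]:
    """The ordering problem: a port rule and a reflect entry in the SAME list."""
    reflect = Entry("permit", "tcp", reflect="reflex-tcp", timeout=120)
    http_only = Entry("permit", "tcp", "192.0.2.0/24", dport=80)
    outbound = [reflect, http_only] if reflect_first else [http_only, reflect]
    inbound = [Entry("evaluate", evaluate="reflex-tcp")]
    tables, v = ReflexiveTables(), {}
    for label, dport in (("http_out", 80), ("irc_out", 6667)):
        pkt = Packet("tcp", "192.0.2.10", "198.51.100.5", 40000 + dport, dport)
        v[label] = apply_acl(outbound, pkt, tables, now=0)
    reply = Packet("tcp", "198.51.100.5", "192.0.2.10", 80, 40080)
    v["http_reply_in"] = apply_acl(inbound, reply, tables, now=1)
    return v

def two_interface_demo() -> Dict[str, str]:
    """The page's split: ports and anti-spoofing on e1-in, reflect on e0-out, evaluate on e0-in."""
    inside = "192.0.2.0/24"
    e1_in = [Entry("permit", "tcp", inside, dport=80), Entry("permit", "tcp", inside, dport=443)]
    e0_out = [Entry("permit", "tcp", reflect="reflex-tcp", timeout=120)]
    e0_in = [Entry("deny", "ip", "10.0.0.0/8"),  # RFC 1918 source address: spoofed
             Entry("deny", "ip", inside),         # our own prefix arriving from outside
             Entry("evaluate", evaluate="reflex-tcp")]
    tables, v = ReflexiveTables(), {}
    def outbound(pkt: Packet, now: float) -> str:
        # A packet from the secure subnet crosses e1 inbound, then e0 outbound.
        verdict = apply_acl(e1_in, pkt, tables, now)
        return verdict if verdict == "deny" else apply_acl(e0_out, pkt, tables, now)
    v["http_out"] = outbound(Packet("tcp", "192.0.2.10", "198.51.100.5", 40000, 80), 0)
    v["irc_out"] = outbound(Packet("tcp", "192.0.2.10", "198.51.100.5", 40001, 6667), 0)
    reply = Packet("tcp", "198.51.100.5", "192.0.2.10", 80, 40000)
    v["http_reply"] = apply_acl(e0_in, reply, tables, now=5)
    v["http_reply_after_idle"] = apply_acl(e0_in, reply, tables, now=5 + 121)
    v["unsolicited_syn"] = apply_acl(e0_in, Packet("tcp", "198.51.100.5", "192.0.2.10", 31337, 22), tables, 5)
    v["spoofed_inside_src"] = apply_acl(e0_in, Packet("tcp", "192.0.2.99", "192.0.2.10", 80, 40000), tables, 5)
    return v
```

Calling one_list_demo(True) and one_list_demo(False) shows the dilemma from the text: with the reflect entry first, port 6667 goes out because the reflect entry permits everything; with the port rule first, port 6667 still goes out (nothing above it matched, so the reflect entry passes it) and, worse, the permitted HTTP flow is never recorded, so its reply is dropped by the implicit deny after the evaluate. two_interface_demo() returns "deny" for irc_out, the idle reply, the unsolicited SYN and the spoofed packet, and "permit" only for the HTTP request and its timely reply.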
© 2005 Ron Turner