02-03-2014 01:06 AM
Hello Support Forum Members,
I just created some ACL rules in Cisco ACE 4710.
Here are some rules:
class-map type http inspect match-any DENIED_URL
2 match url .*.exe
3 match url .*.php
4 match url .*.asp
5 match url .*.aspx
6 match url .*.cgi
7 match url .*.pl
8 match url .*.bat
9 match url .*.cfm
10 match url .*.ihtml
11 match url .*.las
12 match url .*.lasso
13 match url .*.lassoapp
14 match url .*.phtml
15 match url .*.rna
16 match url .*.r
17 match url .*.shtml
18 match url .*.stm
19 match url .*.ini
20 match url .*.dll
21 match url .*.htx
22 match url .*.htw
23 match header mime-type video\*
24 match header mime-type audio\*
25 match content ".*[bB][fF]6[eE][fF][fF][fF]3[-]4558[-]4[cC]4[cC][-][aA][dD][aA][fF][-][aA]87891[cC]5[fF]3[aA]3.*"
26 match content ".*[lL][iI][sS][tT][cC][tT][rR][lL]\x2e[lL][iI][sS][tT][cC][tT][rR][lL][cC][tT][rR][lL]\x2e1.*"
27 match url .*.ico
28 match url .*etc.*
29 match url .*wp[-].*
30 match request-method rfc trace
31 match url /images
32 match request-method rfc delete
33 match request-method rfc options
34 match request-method rfc put
35 match url /status
36 match request-method rfc head
37 match request-method rfc connect
class-map type http inspect match-any URL_TO_PERMIT
4 match request-method rfc get
5 match request-method rfc post
7 match header length request range 200 200
12 match url /stripe/.*
13 match url /stripe-string/.*
15 match url /
16 match url /foobar/agent.*
My query is: can I simplify this rule into a few lines?
My need is: all access to /foobar/agent, /stripe-string/, /stripe with GET and POST methods is allowed, also in the situation where the server response is 200 200; others will be crushed.
Is it possible to simplify the rule in ACE?
Many thanks in advance,
hamzah
02-03-2014 05:05 AM
Hi Hamzah,
If you know exactly what you need to allow then you can be as specific as you can be, and other than that, if you need to deny everything then you can generalize. Now in your case, class-map "URL_TO_PERMIT" has the match condition "/", which basically matches all the other statements like /stripe/.*, /stripe-string/.*, /foobar/agent.*. Either you remove that, or there is no use in putting the other statements in along with "/", unless it is something like test.com/ or foobar.com/ or stripe.com/ etc.
Also, you want 200 server response to be allowed but in match condition you have mentioned "request range". Please change that as well.
Regards,
Kanwal
02-04-2014 01:25 AM
Hi Singh,
If I put / in the denied URL, it will drop anything.
Or maybe you can suggest another way?
BTW, thank you for your response.
regards
hamzah
02-04-2014 04:51 AM
Hi Hamzah,
/ will match anything after / in the URL, i.e. the path. For example, / will match test.com/test as well as test.com/notest. But it will not match test.com and abc.com. If you want a wildcard to block everything then something like .* can be used. But this will match everything.
Regards,
Kanwal
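To see the effect of the catch-all "/" line that the reply points out, here is an added Python simulation of the URL_TO_PERMIT match-any class-map from the first post (not ACE code, and not from either poster). It assumes ACE evaluates "match url" as a regex anchored at the start of the request path only, and the sample requests are constructed:

```python
import re

# Assumption, not stated in the thread: ACE treats each "match url" value as a
# regular expression anchored at the start of the request path only, so "/"
# matches "/anything" (as the reply says) while "/foobar/agent.*" does not.
def url_matches(pattern, path):
    return re.match(pattern, path) is not None

# The URL_TO_PERMIT lines from the first post (header-length line omitted).
# match-any: the class matches as soon as ANY one line matches.
URL_TO_PERMIT = [
    ("method", "get"),
    ("method", "post"),
    ("url", "/stripe/.*"),
    ("url", "/stripe-string/.*"),
    ("url", "/"),
    ("url", "/foobar/agent.*"),
]

# Same class-map with the catch-all "/" line removed, as the reply suggests.
URL_TO_PERMIT_NO_SLASH = [line for line in URL_TO_PERMIT if line != ("url", "/")]

def matching_lines(class_map, method, path):
    """Return every line of a match-any class-map that fires for one request."""
    hits = []
    for kind, value in class_map:
        if kind == "method" and method.lower() == value:
            hits.append((kind, value))
        elif kind == "url" and url_matches(value, path):
            hits.append((kind, value))
    return hits

def class_matches(class_map, method, path):
    """True when the match-any class-map would classify this request."""
    return bool(matching_lines(class_map, method, path))

# Constructed sample requests, not traffic from the thread.
SAMPLE_REQUESTS = [
    ("GET", "/stripe/checkout"),      # intended to be permitted
    ("DELETE", "/some/other/path"),   # intended to be denied
    ("GET", "/some/other/path"),      # intended to be denied (wrong path)
]

if __name__ == "__main__":
    for method, path in SAMPLE_REQUESTS:
        print(f"{method:6} {path:18} with '/': "
              f"{matching_lines(URL_TO_PERMIT, method, path)}")
        print(f"{'':6} {'':18} without:  "
              f"{matching_lines(URL_TO_PERMIT_NO_SLASH, method, path)}")
```

Running it shows that removing "/" stops DELETE /some/other/path from matching, but GET /some/other/path still matches through the request-method line alone, because match-any ORs the lines; tying GET/POST to the specific paths needs match-all semantics rather than match-any.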