Rules cisco 877 firewall :-)

Cisquito19 · ‎11-04-2011

Good afternoon everyone.

I have a firewall enabled cisco 877 with these rules.

Interface Dialer0 IN
    10 deny ip 0.0.0.0 0.255.255.255 any
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 127.0.0.0 0.255.255.255 any
    40 deny ip 172.16.0.0 0.15.255.255 any
    50 deny ip 192.168.0.0 0.0.255.255 any
    60 deny ip 224.0.0.0 15.255.255.255 any
    70 deny ip 240.0.0.0 15.255.255.255 any
    80 permit tcp any any eq 22 (8810 matches)
    90 permit tcp any any eq 242
    100 permit udp any any eq snmp
    110 permit icmp any any echo (6 matches)
    120 permit udp any any eq non500-isakmp (3 matches)
    130 permit udp any any eq isakmp (1 match)
    140 permit tcp any any eq www (26 matches)
    150 permit udp any eq domain any
    160 permit tcp any any established (6 matches)
    170 permit tcp any any eq smtp (2 matches)
    180 permit tcp any any eq pop3 (3 matches)
    190 permit tcp any any eq 443
    200 permit esp any any
    210 permit ahp any any

Interface Dialer Out
10 permit ip any any

Are correct?

This rule which is its function?
"permit tcp any any established"

THANKS!!!!!!!!!

cadet alain · ‎11-04-2011

Hi,

the established keyword is a weak stateful firewall implementation that was the first steful filtering done on IOS.

It looks at the flags in the TCP header and if it finds the ACK bit set then it assumes this is return traffic for traffic initiated from other side of the router and opens a hole in the ACL inbound which denies everything else.

There are more secure and advanced ways of doing stateful firewalling in IOS like CBAC or the latest ZBF.

Alain.

Don't forget to rate helpful posts.