FireWall Feature Set 12.3(9)

robertmcclain (Level 1)

Just wondering if anyone is using this? I have installed this onto a 3662 router. In the lab it works well against attacks, such as syn-floods etc. These attacks come from the outside, while I present nothing to the outside, and are stopped. (Ex. a webserver is not present for the world to see.) But a simple "ack" attack gets through. These types of attacks are going through to the host on any well known port. It happens in any scenario that I use. If I present a webserver to the world, it comes in on port 80 etc. It leads me to believe that this "firewall" feature set, although touted as stateful, is actually only partially stateful. Any ideas?

6 Replies

nkhawaja (Cisco Employee)

I think a lot of people are using IOSFW. It works in accordance with ACL. You have to block ACL on the egress interface, otherwise SYN or any kind of packet will come in. I don't understand how an ACK will come in if you have the ACL applied. It could be that the inside hosts are sending this traffic which is coming back and you see ACK.

Thanks

Nadeem

I'm not sure I understand. I have ACLs applied to the egress, which only allow normal traffic to pass, including OSPF routing information. I also have ACLs that define the correct traffic to inspect. It stops syn-acks etc., but not a simple ack packet. If you send an ack on port 23, like an ack scan, it will come through. It really doesn't matter which port you use. I am using NMap to do this, along with TCPdump watching the traffic from the sending side. How would you define an ACL to stop this?

ACL should stop it. Can you show us the ACL being applied on the interface?

I have used two modifications of access-list 114 on the outside interface. This is what I use to restrict access through the router. I have also allowed "permit ip any any", just for testing specific ports, instead of having to modify the access-list every time. But my "ack" attack is directed at a specific port. In this case "telnet".

inspect access-list:

access-list 100 deny ospf any any log
access-list 100 permit tcp any 10.0.0.0 0.255.255.255 log
access-list 100 permit icmp any 0.0.0.0 255.255.0.0 log
access-list 100 permit tcp any any log
access-list 100 permit ip any any log

outbound on outside interface:

access-list 113 permit ip any any

inbound on outside interface:

access-list 114 permit ospf any any
access-list 114 deny icmp any any
access-list 114 permit tcp any 10.0.0.0 0.255.255.255 eq telnet
access-list 114 deny ip any any

Let me know what changes can be made.

Thank you

Hi,

If you say acl 113, this will definitely allow the SYN, ACK, etc., anything.

For ACL 114, it will allow any connection flag on the telnet port, as far as I understand. Maybe someone else can correct me.

What is the ip inspect ACL?

Thanks

Nadeem

The ACL 113 is for traffic from inside the network to flow out. I may not need this, but it would allow me to ping from inside the network to outside resources. The ACL 114 was configured on the outside interface, looking at traffic coming into the network. The inspect ACL is for the tcp intercept "ip tcp intercept list 100".
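The point Nadeem raises about ACL 114 (a permit on the telnet port matches any flag combination) is the crux of the thread: a static ACL entry is flag-blind, so a bare ACK probe to port 23 is permitted just like a SYN, whereas a stateful filter only admits inbound segments that belong to a session it has already seen opened. The following model is an added example written for this thread, not IOS code or anything the original poster ran; it contrasts the two decision rules on constructed segments (the 10/8 inside prefix and the exposed telnet port are taken from ACL 114, all addresses and flows are made up for illustration).

```python
# Added illustration: a flag-blind static ACL (modelled on ACL 114 from the
# thread) versus a minimal stateful filter. Every address, port and segment
# below is constructed for this example; nothing is from the poster's lab.
from dataclasses import dataclass
from typing import Optional, Tuple

INSIDE_PREFIX = "10."      # assumption: inside hosts live in 10/8, as in ACL 114
EXPOSED_PORTS = {23}       # assumption: telnet is the only service ACL 114 exposes


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str             # tcpdump-style flag letters: "S" = SYN, "S." = SYN/ACK, "." = ACK only


def acl_114_permits(seg: Seg) -> bool:
    """Static ACL: permit tcp any 10.0.0.0 0.255.255.255 eq telnet, regardless of flags."""
    return seg.dst.startswith(INSIDE_PREFIX) and seg.dport in EXPOSED_PORTS


class StatefulFilter:
    """Admits an inbound segment only if it belongs to a tracked session: one an
    inside host opened, or one an outside host opened with a SYN to an exposed port."""

    def __init__(self) -> None:
        self.sessions = set()   # (inside ip, inside port, outside ip, outside port)

    def outbound(self, seg: Seg) -> bool:
        if "S" in seg.flags:    # inside host opening a connection: remember it
            self.sessions.add((seg.src, seg.sport, seg.dst, seg.dport))
        return True

    def inbound(self, seg: Seg) -> bool:
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if key in self.sessions:
            return True         # return traffic for a session we have seen
        if seg.flags == "S" and acl_114_permits(seg):
            self.sessions.add(key)   # outside-initiated session to an exposed port
            return True
        return False            # bare ACK probes (the ack scan in the thread) land here


def compare(inbound: Seg, prior_outbound: Optional[Seg] = None) -> Tuple[bool, bool]:
    """Return (static ACL verdict, stateful verdict) for one inbound segment."""
    fw = StatefulFilter()
    if prior_outbound is not None:
        fw.outbound(prior_outbound)
    return acl_114_permits(inbound), fw.inbound(inbound)
```

The first tuple element is what ACL 114 alone decides; the second is what a session-tracking filter decides for the same segment.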