Cisco IOS ACL: Don't permit incoming connections just because they are from port 80
Posted
by
cjavapro
on Server Fault
See other posts from Server Fault
or by cjavapro
Published on 2010-12-29T17:42:13Z
Indexed on
2010/12/29
17:56 UTC
Read the original article
Hit count: 256
I am going much based on my memory and I may not be correct on all of this.
On a Cisco 851 (IOS) that uses a BVI or a bridge-route (the servers on the inside are configured with static and public IP addresses). I would apply two access lists (both end with deny ip any any log
) on FastEthernet4 (the WAN port). There would be one for FA4 in and another for FA4 out.
FA4 out would have a line like
access-list 110 permit 98.76.54.0 0.0.0.255 gt 1023 any eq http
I think this means from 98.76.54.* with a from port of at least 1024 can connect to any other machine with a destination port 80.
So, then I have to allow the response to the HTTP connection.
FA4 in would have a line like
access-list 120 permit any eq http 98.76.54.0 0.0.0.255 gt 1023
Now the problem with that is that anybody on the outside can set their from port to port 80 and then connect to any inside port that is at least 1024.
How do we prevent this and require the incoming data to be a response to the outgoing data.
© Server Fault or respective owner