RVS4000 Firewall ACL Question

I'm working to set up and configure an RVS4000 for a friend and wanted to verify my understanding of the firewall section.  It seems by default the firewall allows traffic from any source to any destination, including from the WAN.  I realize with NAT this isn't a huge concern / shouldn't be the case... however I tend to prefer tighter standards rather than looser.
I wanted to ensure that it allowed internally initiated traffic outbound, and external traffic inbound dropped, so I created the rules as shown in the attached file.  Am I looking at this correctly?  Is the Firewall ACL section for setting up a stateful firewall, or is it just pure ACLs, and the last rule from the WAN is required for returning traffic back in which has already been through the NAT engine?
If someone could please help me clear this one little detail up I would be greatly appreciative.
Thanks in advance.

The ACL is just that: ACLs. The rules you made are fine; the difference with your setup and the default is that you are explicitly denying the traffic, which is not a bad idea. On that note, that does not mean that the traffic was explicitly allowed before (default config).
Before any rules are created a "deny any any" is already in place but not displayed. This is typical of the small business and consumer routers. The only thing I would change is instead of supplying the subnet, just set it to "any".
Hope this helps.

Similar Messages

  • RVS4000 IP ACL Rules

    I have read through the manual. My question is what is the proper format to input into the ACL rule "Range"?  Would as an example work-
    192.168.0.1 - 192.169.255.254? Will the range effectively work? Or does it have to be 192.168.0.0 - 192.169.255.255? I am not a guru and couldn't find out the answer readily elsewhere. Any feedback would be appreciated.

    So you're hosting your own Exchange server or e-mail behind the RVS4000? ACLs are generally a risky thing when trying to block spammers. Normally spammers use a spoofed public IP address (relayed). I've seen where it looked like the e-mail was sent from the same domain as the user receiving it. Again, you really need a device or service that is strictly set for monitoring spam for your e-mail servers. I work with the Cisco Spam and Virus Blocker so I do know a lot about e-mail.
    You can set up ACLs but be prepared to consistently change or alter them every 24 hours. I had this one customer getting 90,000 a day. I set up ACLs temporarily until we could find out why he was getting through our Spam and Virus Blocker; less than 16 hours later this guy was already sending back to my guy's domain, I was amazed. Basically my customer had opened his blocker up to accept/relay e-mails for all domains.
    Since on your inbound ACLs you have a deny all, but since you're hosting an e-mail server, you'll need to write ACLs based on port 25 sources and destinations. Source will be the domain/public IP address you are trying to block and destination will be your e-mail server. Once you make your deny statements you'll need to make an allow-all statement for the rest of your e-mail traffic on port 25.
    Hope this helps,
    Jasbryan

  • CCNA - ACL question

    Hi,
    I'm studying for the CCNA 640-801 exam and in some study materials there is the following ACL question and I don't understand why the answer is what it is. I was hoping someone in here could help with explaining why. Thanks.
    Router1-s0--------s0-Router2-s0--------s0-Router3
    ___|________________|_______________|____
    PCA through PCF all seem to be connected to a common backbone. All three routers appear to also be connected to the same backbone as the PCs. Router1 connects to Router2 which connects to Router3.
    PCA - 5.1.1.8/24
    PCB - 5.1.1.10/24
    PCC - 5.1.2.10/24
    PCD - 5.1.2.20/24
    PCE - 5.1.3.8/24
    PCF - 5.1.3.10/24
    You're the systems administrator at Cisco, and you create the following access control lists.
    access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet
    access-list 101 permit ip any any
    You then enter the command "ip access-group 101 in" to apply access control list
    101 to router1's e0 interface.
    Which of the following Telnet sessions will be blocked as a result of your access
    lists? (Select all that apply)
    A. Telnet sessions from host A to host 5.1.1.10
    B. Telnet sessions from host A to host 5.1.3.10
    C. Telnet sessions from host B to host 5.1.2.10
    D. Telnet sessions from host B to host 5.1.3.8
    E. Telnet sessions from host C to host 5.1.3.10
    F. Telnet sessions from host F to host 5.1.1.10
    Answer D & F
    I understand answer D, that is straightforward and easy to understand; however I don't understand answer F. The ACL statement 'access-list 101 deny tcp 5.1.1.10 0.0.0.0' specifically has the source host listed, which is not PCF. I would think only addresses matching the source address in the ACL should be blocked. Thanks to anyone who can help.

    Riley
    I have an issue with their solution and an issue with your solution.
    I think that the major flaw in their solution is putting the access-group on the serial interface as an inbound filter. As an inbound filter on the serial, 192.168.1.1 or 192.168.118.0 would be the source address, and their access list has it as the destination. Putting the access list as inbound on Ethernet 0 is effective. Putting it also on serial 1 adds no effectiveness. I am not clear whether they were again trying to point out the possibility of preventing telnet by denying the response traffic. But you cannot do both in one access list which is limited to 3 statements.
    Another (small) issue with their access list is in the second line:
    access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23
    The mask is for a specific host but 192.168.118.0 is not a host. It is the network/subnet address and no legitimate traffic will ever have that as a source address.
    The main issue in your access list is the placement of "eq 23". You have it coming before the source address and the "eq port" comes after an address specification (after either the source or after the destination) and not before both of the addresses. Also if your access list is inbound on interface Ethernet 0 then telnet traffic to router 1 will have port 23 (telnet) as the destination port.
    There is an apparent difference between your list and their list but it does not matter. You specify 192.168.134.0/24 as the source address and they specify any as the source address. Since the network explanation indicates that 192.168.134.0 is the only network behind E 0 the effect of the access lists does not change between the two source address specifications.
    I agree with Kevin that there does not appear to be a lot of effective proof reading of this material. I have taught Cisco classes and I have written training material and I appreciate that this is difficult to do. But it is highly unfortunate and lowers the credibility of the material (and their source) when these kinds of mistakes are apparent.
    HTH
    Rick

  • ACLS QUESTION - 2 LAN SEGMENTS - ISSUE

    ACLS QUESTION - 2 LAN SEGMENTS - ISSUE
    I have a scenario where 2 LAN segments are separated by a router, Admin and Students. There is a DNS server and an EMAIL server on the admin segment. Students should be able to access DNS and EMAIL services (smtp, pop3 and dns). No access to any other traffic. Admin should have full access to the student LAN segment. I managed to implement all the filtering with extended ACLS placed on the router as follows:
    access-list 105 permit tcp any any eq smtp
    access-list 105 permit tcp any any eq pop3
    access-list 105 permit tcp any any eq www
    access-list 105 permit udp any host 10.20.0.2 eq 53
    access-list 105 deny ip any any
    int e1/1
    ip access-group 105 in
    But for some reason it does not allow any access from the admin segment to the students segment.
    EMAIL AND DNS ARE WORKING FINE FROM THE STUDENTS SEGMENT AND PINGS FAIL AS EXPECTED AFTER THE COMMANDS MENTIONED WERE ISSUED.
    ADMIN SHOULD BE ABLE TO PING STUDENTS SEGMENTS
    AFTER ATTEMPTING MANY TIMES AND DIFFERENT CONFIG I TRIED THE FOLLOWING:
    access-list 106 permit ip any any
    int e1/0
    ip access-group 106 in
    I also tried
    int e1/1
    ip access-group 106 in
    BUT ADMIN STILL HAS NO ACCESS TO THE STUDENTS SEGMENTS!!!!!!
    WHY NOT?
    FEW FELLOWS TRIED IT OUT AS WELL IN PACKET TRACER WITH NO SUCCESSFUL RESULTS...
    :S
    I WOULD REALLY APPRECIATE SOME HELP ASAP!
    THANK YOU IN ADVANCE,
    MIGUEL
    Posted by WebUser Miguel Pcn

    Hi Miguel ,
    Your issue is the returning packet for the session initiated by the Admin, caused by deny ip any any on access-list 105.
    For the "ping" from admin to student to work add:
       access-list 105 permit icmp any any echo-reply
    What kind of access is needed from Admin to Student?
    Dan
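The two threads above turn on the same mechanics: a plain ACL is evaluated top-down, first match wins, and anything unmatched hits an implicit deny, so reply packets (a SYN-ACK coming back from a web server in the RVS4000 question, the echo-reply coming back from a student host in Miguel's ACL 105) need their own permit unless the device tracks connections. The Python below is an added example, not code from either thread or from any Cisco or Linksys product; it parses a subset of the Cisco extended-ACL syntax quoted in the posts, evaluates packets statelessly, then layers a tiny connection tracker on top. The RVS4000 rules are written in that Cisco form as an assumption, and the host addresses 10.20.0.10, 10.30.0.5, 192.168.1.20 and 203.0.113.80 are constructed (only 10.20.0.2 comes from the post).

```python
"""Added example, not from any post in this thread: a toy model of how a
stateless, first-match ACL with an implicit trailing deny evaluates packets,
and how connection tracking changes the outcome for return traffic.
The rule grammar is a subset of the Cisco extended-ACL form quoted in the
threads; the RVS4000 rules are expressed in that form here as an assumption."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP ports; 0 for ICMP
    dport: int = 0
    icmp_type: str = ""   # "echo" or "echo-reply" for ICMP

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23, "domain": 53}

def _addr_spec(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((net, mask), next_i)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.IPv4Address(t[i]))
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    return (net, ~wildcard & 0xFFFFFFFF), i + 2   # wildcard 1-bits are don't-care

def _port_spec(t, i):
    """Optional 'eq PORT' (name or number) at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_rule(line):
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P | ICMP-TYPE]"""
    t = line.split()
    src, i = _addr_spec(t, 4)
    sport, i = _port_spec(t, i)
    dst, i = _addr_spec(t, i)
    dport, i = _port_spec(t, i)
    icmp_type = t[i] if t[3] == "icmp" and i < len(t) else ""
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": icmp_type}

def _addr_ok(spec, ip):
    net, mask = spec
    return int(ipaddress.IPv4Address(ip)) & mask == net & mask

def rule_matches(r, p):
    return (r["proto"] in ("ip", p.proto)
            and _addr_ok(r["src"], p.src) and _addr_ok(r["dst"], p.dst)
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport)
            and (not r["icmp_type"] or r["icmp_type"] == p.icmp_type))

def evaluate(rules, p):
    """Stateless: first matching rule wins; no match hits the implicit deny."""
    for r in rules:
        if rule_matches(r, p):
            return r["action"]
    return "deny"

class StatefulFilter:
    """Connection tracking on top of the same rules: once a flow is permitted in
    the forward direction, packets travelling the reverse way are admitted."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()

    def check(self, p):
        if (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows:
            return "permit"                      # reply to a tracked flow
        verdict = evaluate(self.rules, p)
        if verdict == "permit":
            self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
        return verdict

# ACL 105 exactly as posted, then with the echo-reply permit from the reply added.
ACL_105 = [parse_rule(l) for l in [
    "access-list 105 permit tcp any any eq smtp",
    "access-list 105 permit tcp any any eq pop3",
    "access-list 105 permit tcp any any eq www",
    "access-list 105 permit udp any host 10.20.0.2 eq 53",
    "access-list 105 deny ip any any"]]
ACL_105_FIXED = ACL_105[:4] + [parse_rule("access-list 105 permit icmp any any echo-reply")] + ACL_105[4:]
ADMIN, STUDENT = "10.20.0.10", "10.30.0.5"   # constructed hosts; only 10.20.0.2 is from the post

def echo_reply_verdicts():
    """Admin pings a student; the echo-reply enters e1/1 from the student side.
    Returns the verdict under the posted ACL and under the corrected one."""
    reply = Packet("icmp", STUDENT, ADMIN, icmp_type="echo-reply")
    return evaluate(ACL_105, reply), evaluate(ACL_105_FIXED, reply)

def stateless_vs_stateful():
    """The RVS4000 question: 'permit LAN -> any' then 'deny any -> LAN'. A pure ACL
    drops the server's SYN-ACK; connection tracking admits it."""
    rules = [parse_rule("access-list 110 permit ip 192.168.1.0 0.0.0.255 any"),
             parse_rule("access-list 110 deny ip any 192.168.1.0 0.0.0.255")]
    out = Packet("tcp", "192.168.1.20", "203.0.113.80", sport=51000, dport=443)
    back = Packet("tcp", "203.0.113.80", "192.168.1.20", sport=443, dport=51000)
    fw = StatefulFilter(rules)
    return (evaluate(rules, out), evaluate(rules, back)), (fw.check(out), fw.check(back))

if __name__ == "__main__":
    print("echo-reply, posted vs corrected ACL 105:", echo_reply_verdicts())
    print("SYN-ACK, stateless vs stateful:", stateless_vs_stateful())
```

Run it and the first line shows the echo-reply denied by the posted ACL 105 and permitted once the icmp echo-reply rule sits above the deny; the second shows the same outbound/inbound rule pair dropping the SYN-ACK under stateless evaluation but admitting it once the forward flow has been recorded. That is the practical difference between "pure ACLs" and a stateful firewall the first poster was asking about: with pure ACLs, every expected reply direction has to be written down explicitly.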

  • Firewall ACL rules not recognized - WRVS4400N

    I have a WRVS4400N.  I purchased this because my several previous routers weren't doing what they were advertised to do, and I need something reliable.  Unfortunately I just discovered that this router doesn't appear to be reliable either.
    I have a Firewall | IP Based ACL set of rules defined:
         1 - enable outbound traffic from 192.168.1.101-192.168.1.109
         2 - enable inbound traffic to 192.168.1.101-192.168.1.109
         3 - deny all traffic
    My expectation is that only systems in the specified rule 1 & 2 range will have internet access.  Unfortunately even though these rules were all enabled, one of my daughters was able to get internet access using a machine with an IP address of 192.168.1.135.  This is a very, very, serious flaw.
    When I remoted into the router, and kicked it by editing rule 1, the access to 192.168.1.135 was stopped (as it should always have been).
    It suggests to me that the rules will be followed by the WRVS4400N in an unreliable fashion.
    This really makes me angry!!!
    I want a solution that I can count on!!!
    Sincerely,
    Jay
    (Mod note: Edited for guideline compliance.)
    Message Edited by giantherockstar on 10-17-2008 02:45 PM

    mach2 wrote:
    Are you using the latest firmware(1.01.03)? If yes try reflashing the firmware it could be corrupted that is why it is not working properly. Then do a hard reset so that it will return to factory default then reconfigure the device and observe the connection.
    That's actually not the latest firmware, it's just the only one linksys ever released without needing to go through support.  There was a .06 and a .08 firmware, probably others.  Even the .08 one is unstable, but at least it fixes the ability to FTP or have wireless DHCP work when no wired clients are connected to the router. 
    (Mod note: Edited for guideline compliance.)  
    Message Edited by kent07 on 11-01-2008 10:34 AM

  • ACL Question in Weblogic

    Hi,
    From the WebLogic document, it mentioned that the ACL only works on file realms.
    Can it apply to a directory like http://www.bea.com/*?
    Here is what I need to do:
    http://www.bea.com:7001 is free to access;
    http://www.bea.com:7001/administrator or http://www.bea.com:7001/test can
    only be accessed from a certain IP range or VPN.
    Can it be done by WebLogic? Or do I need to build my own HTTP proxy?
    Furthermore, I saw that WebLogic also supports the UNIX Security Realm; does it mean
    that I can allow only defined UNIX users to access certain directories or files?
    BTW, I am using WebLogic 6.1.
    Thanks a lot!!

    Hi Jon,
    Your issue should be raised with BEA support. With regard to your second issue:
    "and this be included in the documentation outlining the
    responsibilities for implementing a custom realm."
    You should raise this as an enhancement either via the support channels or via
    [email protected]
    Kind Regards,
    Richard Wallace.
    Senior Developer Relations Engineer.
    BEA Support.
    "Jon Wilmoth" <[email protected]> wrote:
    I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2
    realm
    (implementing the ManageableRealm interface) for users and groups and
    delegates to a rdbms delegate for aclentry management. I read an earlier
    post about revoking a permission which requires a custom realm to augment
    the weblogic.security.acl.AclImpl class. My question is similar in nature.
    In a situation where a positive AclEntry needs to be changed to a negative
    entry, what are the requirements imposed on the custom realm implementer?
    Do I need to worry about the checkPermission call on the Acl implementation?
    On the AclEntry implementation? Is there a BEA recommended path similar
    to
    that for revoking permissions?
    I would also recommend that the BEA responses to the revoking permissions
    post and this be included in the documentation outlining the
    responsibilities for implementing a custom realm.
    Thanks!
    Jon
    Jon Wilmoth
    Software Architect
    eSage Group
    (206) 264-5675 (Voice & Fax)
    [email protected]
    http://www.esagegroup.com

  • Extranet/Firewall implementation question

    All,
    We're running EP6 SP11 in a single server scenario.  We've implemented iViews that access backend CRM and BW systems.  All connections are HTTP (versus SSL).  I've been asked to make the Portal system available outside the firewall where the sales team can access sales functionality w/o VPN authentication.  I've read about reverse proxy and SSL scenarios which make sense, however I have a couple of questions.
    It seems like the reverse proxy scenario would be a good choice.  I understand how access to the portal would work, however I'm not sure what happens when the iViews which access backend systems are launched.
    I would like to get others input.
    Thanks,
    Greg

    Hi Greg,
    We have an external portal that is fronted by an Apache reverse proxy.  In the Apache configuration file there is a section for reverse proxy statements.
    So basically we have it set up so that when users request portal.sap.com/irj it is reverse proxied to the portal server.  For iViews that access backend systems we set up the same thing.
    For example, we have an iView that connects to an R3 system, so we have it set up so that anything that comes across as portal.sap.com/r3 is reverse proxied to an ITS server that then connects to the R3 system.
    Hope that helps
    Keith

  • My firewall is questioning Plugin Container for Firefox, requesting access to the net. Is this legit?

    Using ZoneAlarm. It is questioning plugin-container.exe, ver. 1.9.2.4, created 6/22/2010.
    This happened: every time Firefox opened, after updating to 3.6.4.

    The plugin-container.exe is a helper to separate out the plugin memory usage and crashes into a separate process, to keep them from taking down Firefox. If you read the release notes you'd know that.
    Since plugins need to access the internet, they need to get through the firewall. It's right, let it through.

  • Vlan/ACL question

    I am in the process of getting my guest access set up on my network and I have a couple of questions.
    1) On my L3 switch I currently have the switch port with the command line of switchport access vlan 2 for my current wireless network. I am looking to add vlan 3 for the guest wireless access. Should I add/change that line to switchport trunk allow vlan 2,3 for each port I have my APs plugged into?
    2) I am having issues with my ACLs. All I want my guest vlan to do is go to the internet, nothing more. Is it better to place this ACL on the WCL, L3 switch or ASA? When I try it on the WLC, even when I deny ICMP both ways, I am still able to ping and I do have the ACL applied to the interface.
    Thanks,
    Jim

    If your APs are in local mode you won't need to change the port, as the traffic is ingress/egress at the WLC. So long as VLAN 3 is allowed there it will be fine.
    As for the ACL, I'd put it on the Layer 3 interface of the switch/router.
    Steve
    Sent from Cisco Technical Support iPhone App

  • Airport Extreme: Native Firewall/Encryption question

    The AirPort Extreme offers a built-in firewall and supports industry-standard encryption technologies including WPA/WPA2 and 128-bit WEP.  I plan to install a NAS device onto my home network (hard wired to my AE) for the purposes of RAID 0, mirrored backups of the multiple computers on my personal network.
    Question:  Given the native firewall/encryption built into the AE, would I still need to encrypt my backups to my NAS?  Can I consider this technology 'safe' enough from any outside hacker?  Please advise.
    Thanks!

    Question:  Given the native firewall/encryption built into the AE, would I still need to encrypt my backups to my NAS?  Can I consider this technology 'safe' enough from any outside hacker?
    As far as unwanted access over wireless, the AirPort offers similar levels of protection as most consumer or commercial routers. Using WPA2 with a strong encryption key and changing that key every 60-90 days would be the best that you can expect for current technology.
    As far as access via the AirPort's WAN port, that is somewhat a different matter. The Apple routers offer only a basic NAT-type firewall. Effective, but not the most secure method that can be had today. If you are concerned about potential unwanted access from the Internet, you may want to consider routers that offer multiple firewall options, like stateful packet inspection, or provide additional "layers of protection," like an Intrusion Protection System. Note, however, that implementing most of these additional methods can significantly reduce the WAN-to-LAN throughput, as each packet of data is inspected multiple times before it can pass through.

  • Firewall log question

    First, sorry if this is the wrong forum.
    Lately I've been learning about potential security issues out there and so checked my Mac firewall setup (it was on, all ports closed, only network time enabled, stealth mode). I am running an 800MHz iMac with an original Airport base station.
    I also looked at the console log and the ipfw log and found messages which I could not decipher. If anyone can easily translate or tell me how to do so, I would appreciate the help; and separately, two questions: what is the consensus view on the value added in products like DoorStop or other supplements to the built-in firewall? Just what is the risk in not having such a product?
    Here are the messages from the logs:
    console: SecKeychainFindGenericPassword err= -25308 ( =#########, secErrStr=User interaction is not allowed. )
    ipfw: several messages stating "Stealth Mode connection attempt to TCP [my iMac's IP address on the Airport network] from" 208.184.224.155, from 66.102.1.147 (Google, looks like) and other IP addresses; also, before I turned on Stealth, "12190 Deny TCP" (from IP addresses that appear to be on my Airport network).
    Thanks a lot.

    Just the firewall doing its job, nothing to worry about.

  • Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

    Hello,
    We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
    Thanks for your comments in advance I am new to cisco technology,
    Joe        

    Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

  • Iplanet web server 6.0 ACL question

    Hi,
    I am using ACLs to protect some of my URLs in iplanet web server 6.0.
    I am getting one problem. Its not a problem actually but would like to know how to avoid authenticating the users 2 times.
    In my ACL file, when ever I create an entry for a path, I am getting the following by default.
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    My entry is like this with the above lines.
    acl "path=/www/develop/itsecurity/admin";
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    allow absolute (all)
    (user = "modadmin");
    allow absolute (all)
    (user = "itsecadm");
    deny (all)
    (user = "anyone");
    Now if the entry is like this with
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    after the first line, then whenever that particular user "itsecadm" tries to access the URL, he gets the userid and password dialogue box. After entering the page, if he tries to access or click any other link, it is asking for the userid and password again. If he gives this the second time, from next time onwards it is not asking for userid and password.
    But When I remove the lines
    authenticate (user,group) {
    database = "default";
    method = "basic";
    };
    from the file for that particular entry, it is not asking a 2nd time for userid/password.
    Could you please tell me why this is happening? Why is this entry created whenever I am adding a new one into the ACL file?
    Is any one facing the similar problem with iplanet web server 6.0 ACL files?
    Thanks & Regards
    Murthy

    Hi,
    Thank you for your suggestion. I have tried with your option also. Still I am getting the second time userid/password dialogue box.
    Is there any other solution to avoid the second time user authentication dialogue box?
    Do you want to see the ACL file?
    Thanks & Regards,
    Murthy

  • Macbook Firewall Settings Question

    Hello,
    Under my settings for security on My Macbook Pro, it says that the firewall is turned off. What are the advantages of turning it on and do you suggest doing so? Thanks in advance for any help or suggestions.

    If you are behind a secure network, your own router, then you do not need to turn it on.
    If you are out in the wild and not on a secure network then yes, turn it on.

  • Quick ACL question

    How do I give the group Treasurers access to a folder 3 levels deep without giving them access to the parent folders? I have given Treasurers Full Control of the folder Reports (saved and propagated) and it shows such in the ACL list, but the Inspector shows no access for them. Do I have to give them some level of access to the parents folders in order to see the lower-level folder?
    Thanks,
    Wayne

    Yes. Or relocate the folder to a higher-level location elsewhere. Or its own share, AFP or WebDAV or whatever. It's also possible to provide a path to the directory via a link, but that might not be the most obvious nor maintainable approach over the long-term.
