
Access lists -- in vs. out


Chris Thomas

Jul 9, 2001, 2:41:34 PM
Can anyone point me to a good description of the difference between "in"
and "out" in applying an access list to an interface? Even the good
books seem to only devote a sentence to the difference between them.

Assuming that a router interface is hooked to an ethernet segment, does
"in" apply to packets on the interface which are entering the router, or
to packets from other networks which are entering (being routed to) the
interface.

There would seem to be at least three cases: packets generated on the
subnet being heard by the router, packets from other networks being
routed to the subnet, and internally generated traffic in the router (eg,
ping) which doesn't seem to go through either the in or out filters.

TIA,
/Chris Thomas, UCLA

Chris Thomas

Jul 9, 2001, 2:43:38 PM
In article <MPG.15b39ab54...@news.ucla.edu>,
cth...@mminternet.edu says...

Sorry bad address above. It's cth...@mminternet.com, not edu.

Rod Dorman

Jul 9, 2001, 2:49:11 PM
In article <MPG.15b39ab54...@news.ucla.edu>,

Chris Thomas <cth...@mminternet.edu> wrote:
>Can anyone point me to a good description of the difference between "in"
>and "out" in applying an access list to an interface? Even the good
>books seem to only devote a sentence to the difference between them.

Hansang, here's another FAQ candidate :-)

The simplest explanation I've seen is: Crawl into your router and look
towards the interface. If the packets are going away from you they're
outbound. If they're hitting you in the forehead they're inbound.
--
-- Rod --
ro...@polylogics.NOSPAM.com

Joseph Finley

Jul 9, 2001, 3:58:07 PM
I really don't think you can get any simpler than that.....

"Rod Dorman" <ro...@panix.com> wrote in message
news:9icub7$m27$1...@news.panix.com...

Barry Margolin

Jul 9, 2001, 5:12:25 PM
In article <j1o27.12195$dd1.3...@typhoon.neo.rr.com>,

Joseph Finley <j_fi...@prcontrol.com> wrote:
>I really don't think you can get any simpler than that.....

I like to describe the router as a house, the interfaces as doors, and the
ACLs are processed by the doorman at that door. If a packet is going into
the house, the "in" ACL is used, and if the packet is leaving the house,
the "out" ACL is used.


--
Barry Margolin, bar...@genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Chris Thomas

Jul 9, 2001, 6:16:54 PM
In article <Z6p27.48$1B3.1500@burlma1-snr2>, bar...@genuity.net says...

> In article <j1o27.12195$dd1.3...@typhoon.neo.rr.com>,
> Joseph Finley <j_fi...@prcontrol.com> wrote:
> >I really don't think you can get any simpler than that.....
>
> I like to describe the router as a house, the interfaces as doors, and the
> ACLs are processed by the doorman at that door. If a packet is going into
> the house, the "in" ACL is used, and if the packet is leaving the house,
> the "out" ACL is used.

I'll buy this, but with a couple of additions:
1. There are multiple doors, each with its own doorman. A packet going
from the back yard to the front yard can be filtered equally in two
places, by the back doorman (in) or the front doorman (out).
2. Some packets are made in the kitchen -- some routing updates, outgoing
telnet/ping, and some ARPs, etc. The cook takes these packets out the
appropriate doors, bypassing the doorman, so they can't be filtered.

It can be explained in one sentence, but that sentence seems to me to
omit important stuff. BTW, the new O'Reilly book "Cisco IOS Access
Lists" gives about the best printed explanation I've seen (eg, p.69).

/Chris Thomas

Stephen Manuel

Jul 9, 2001, 6:33:27 PM
Chris,

ACL's are sometimes difficult to get a handle on but the In/Out
difference has to do with how you filter traffic...

If you use IN on the interface the traffic incoming will be filtered,
the outbound traffic will not...

If you use OUT on the interface the reverse is true...

Think about this, if you are connected to the Internet via some kind
of Serial Link, how would you keep users located somewhere else on the
Internet out of your internal network...

You would create an ACL and apply it on the Serial Interface with IN..

For instance, you would deny Telnet by doing the following...

access-list 150 deny tcp any any eq telnet
access-list 150 permit ip any any

On the serial interface
You would do the following...

interface serial 0/0
 ip access-group 150 in

The effect of this would be to block incoming telnet traffic and pass
everything else...

The thing to remember is if you begin your ACL with a series of
permits there is always an implicit deny at the end....IOW's a deny
any any...

Hope this helps

Stephen

ro...@panix.com (Rod Dorman) wrote in message news:<9icub7$m27$1...@news.panix.com>...

Barry Margolin

Jul 9, 2001, 6:45:45 PM
In article <1f9a69ba.01070...@posting.google.com>,

Stephen Manuel <srma...@bellsouth.net> wrote:
>Chris,
>
>ACL's are sometimes difficult to get a handle on but the In/Out
>difference has to do with how you filter traffic...
>
>If you use IN on the interface the traffic incoming will be filtered,
>the outbound traffic will not...
>
>If you use OUT on the interface the reverse is true...

This simple description is often what confuses people. They think of
"inbound" and "outbound" relative to their LAN, not the router. If you put
the ACL on the Ethernet interface, you have to use an "out" ACL to process
inbound traffic, and newbies often get this wrong.
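Chris's two additions (several doormen, and packets "made in the kitchen") and Barry's warning that an "out" list on the Ethernet side is what filters LAN-inbound traffic, as an added example that is not from any poster and is not IOS code: a small Python model of a two-interface router that evaluates a per-interface "in" list on arrival and a per-interface "out" list before transmission. The interface names, the 192.0.2.0/24 LAN, the Internet addresses (RFC 5737 documentation ranges) and the predicate form of the rules are all assumptions made for the illustration; the list itself is Stephen's deny-telnet/permit-everything pair.

```python
"""Toy model of per-interface "in"/"out" ACL evaluation on a two-interface router.

Added illustration for this thread; not code from any poster and not IOS.
Interface names, addresses and rule encoding are assumptions. What it models:
  * an "in" list on interface X sees packets arriving at the router on X;
  * an "out" list on interface X sees packets the router is about to send on X;
  * a transit packet can be stopped at either door (the two doormen);
  * packets the router originates itself never pass an "out" list
    (the ones "made in the kitchen"), which is how IOS behaves.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


def evaluate(acl, pkt):
    """First match wins; an unmatched packet hits the implicit 'deny any'.
    acl=None means no list is bound in that direction, so everything passes."""
    if acl is None:
        return "permit"
    for action, predicate in acl:
        if predicate(pkt):
            return action
    return "deny"


@dataclass
class Interface:
    name: str
    network: str        # connected prefix; doubles as the routing table
    acl_in: list = None
    acl_out: list = None


class Router:
    def __init__(self, *ifaces):
        self.ifaces = {i.name: i for i in ifaces}

    def egress_for(self, pkt):
        """Longest-prefix match over the connected networks."""
        dst = ip_address(pkt.dst)
        hits = [i for i in self.ifaces.values() if dst in ip_network(i.network)]
        if not hits:
            raise LookupError("no route to " + pkt.dst)
        return max(hits, key=lambda i: ip_network(i.network).prefixlen)

    def forward(self, pkt, ingress_name):
        """Transit packet arriving on `ingress_name`: ingress 'in' list, then
        route, then egress 'out' list. Returns (verdict, which door decided)."""
        ingress = self.ifaces[ingress_name]
        if evaluate(ingress.acl_in, pkt) == "deny":
            return "deny", f"{ingress.name} in"
        egress = self.egress_for(pkt)
        if evaluate(egress.acl_out, pkt) == "deny":
            return "deny", f"{egress.name} out"
        return "permit", f"{ingress.name} in -> {egress.name} out"

    def originate(self, pkt):
        """Packet generated by the router (its own ping, telnet, routing update):
        no ingress interface, and the egress 'out' list is not consulted."""
        egress = self.egress_for(pkt)
        return "permit", f"router -> {egress.name} (out list bypassed)"


# Stephen's list, written as predicates:
#   access-list 150 deny tcp any any eq telnet
#   access-list 150 permit ip any any
DENY_TELNET = [
    ("deny", lambda p: p.proto == "tcp" and p.dport == 23),
    ("permit", lambda p: True),
]


def build(where):
    """Bind DENY_TELNET either 'in' on Serial0 or 'out' on Ethernet0."""
    serial = Interface("Serial0", "0.0.0.0/0")         # default route: the Internet
    ether = Interface("Ethernet0", "192.0.2.0/24")     # the LAN (assumed prefix)
    if where == "serial-in":
        serial.acl_in = DENY_TELNET
    elif where == "ethernet-out":
        ether.acl_out = DENY_TELNET
    else:
        raise ValueError(where)
    return Router(serial, ether)


# Constructed packets (RFC 5737 documentation addresses).
INET_TO_LAN_TELNET = Packet("198.51.100.7", "192.0.2.10", "tcp", 23)
LAN_TO_INET_TELNET = Packet("192.0.2.10", "198.51.100.7", "tcp", 23)
ROUTER_OWN_TELNET = Packet("192.0.2.1", "198.51.100.7", "tcp", 23)


def demo():
    out = {}
    for where in ("serial-in", "ethernet-out"):
        r = build(where)
        out[where] = {
            "inet->lan telnet": r.forward(INET_TO_LAN_TELNET, "Serial0"),
            "lan->inet telnet": r.forward(LAN_TO_INET_TELNET, "Ethernet0"),
            "router's own telnet": r.originate(ROUTER_OWN_TELNET),
        }
    return out


if __name__ == "__main__":
    for where, results in demo().items():
        print(where)
        for case, (verdict, door) in results.items():
            print(f"  {case:20s} {verdict:6s} ({door})")
```

The same Internet-to-LAN Telnet packet is dropped either at "Serial0 in" or at "Ethernet0 out", LAN-originated Telnet passes in both placements, and the router's own outgoing session is never seen by the "out" list. One further caveat the model leaves out: packets addressed to the router itself (a Telnet to its vty, for instance) are only ever checked by the "in" list of the interface they arrive on, never by any "out" list, which is one more reason to place the filter inbound on the Internet-facing interface as Stephen suggests.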

Hansang Bae

Jul 9, 2001, 9:58:51 PM
In article <9icub7$m27$1...@news.panix.com>, ro...@panix.com says...
[in vs out on an ACL]

> The simplest explanation I've seen is: Crawl into your router and look
> towards the interface. If the packets are going away from you they're
> outbound. If they're hitting you in the forehead they're inbound.


Hmmm, --> insert obligatory Tron imagery here <-- <G>
--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************

Richard Smart

Jul 10, 2001, 5:12:18 AM
Interesting stuff. I've just purchased a Cisco 827 Router & I'm very
new to IOS. Had some good pointers from people at this site and got
the router working on an ADSL connection.

The problem I now have is that when I run a security scan from a firewall
seller's website, it comes back with a lot of ports as closed (they
state it is better that these ports are blocked) and a couple of ports
open - such as 23, 80 and icmp.

What I want to do is deny all to outside for the time being - I have
no real need to host a website or such at the moment.

When you talked about access list 150 above, is there any reasoning
behind the numbered list you use? Or do you just make sure you define
the list number against the DSL port (i.e. you can use any list number
you like)?

I also want some way of logging any attempts to hack my router - what's
the best suggestion?

Feel free to call me lazy and tell me to read a book!!! Thanks in
advance

Stephen Manuel

Jul 10, 2001, 4:49:26 PM
Richard:

Yes there is some reasoning to the numbering...

Cisco has many different types of ACL's...They are segmented by the
number you use to define them...

For instance, the most commonly used ACL number ranges are 1-99 and
100-199.

ACL's that start with 1-99 can only filter traffic based on the IP address
of the source....IOW's you can filter a single PC or a whole subnet of
IP addresses but only by the source of the packet....

ACL's that start with 100-199 are what's called extended ACL's they
allow you to filter on the source and destination of traffic, plus you
can get very specific on the port numbers and protocols you want to
filter....

If you are going to use ACL's to filter internet traffic based on the
type of service that's coming in, ie. http which is port 80, or ftp
which is port 20/21 then you must use extended ACL's...

At first extended ACL's can appear to be very complex but once you get
the hang of the command flow sequence and wild card masks, they are a
very flexible and handy way to filter traffic...but be careful, you
can easily lock yourself out of the router if you attempt to implement
extended ACL's remotely...

Believe me I know first hand...

The best source I found on ACL's is a book from McGraw-Hill, entitled
Cisco Access Lists, A Field Guide, you can usually find the book in
one of the major book stores, like Borders, Barnes and Noble,
etc....it's a paper back and I used it extensively when I was at the
Cisco TAC...

Enjoy

Stephen Manuel

David Haggett

Jul 10, 2001, 4:43:09 PM
"Richard Smart" <rsm...@rsit.net> wrote in message
news:c2039964.01071...@posting.google.com...

> The problem I now have is that when I run a security scan from a firewall
> seller's website, it comes back with a lot of ports as closed (they
> state it is better that these ports are blocked) and a couple of ports
> open - such as 23, 80 and icmp.

Port 23 allows someone to telnet to devices on your network, and
Port 80 is a web server. Both could refer to services available
on your router. Both will be "disabled" by the access-list and
unless you have a specific requirement to allow these services
this should be your goal.

ICMP can be used to discover things about your network, but is
also a useful tool in troubleshooting connectivity problems.

> What I want to do is deny all to outside for the time being - I have
> no real need to host a website or such at the moment.

Apply the following list inbound on your outward (internet)
facing interface

access-list 150 permit tcp any any established
! allows return data from http, ftp requests etc.
! (matches any TCP segment with ACK or RST set; no state is kept)
!
access-list 150 permit tcp host a.b.c.d host e.f.g.h eq smtp
! allows incoming mail connections from mail-server a.b.c.d
! to mail-server e.f.g.h (if smtp delivery is required)
!
access-list 150 permit udp host i.j.k.l eq domain any gt 1023
! allows UDP DNS responses from DNS server i.j.k.l (source
! port 53) back to the high client port on any host.
!
access-list 150 deny ip any any log
! in place of the "implicit deny" (an extended list needs the
! protocol keyword, here "ip") and logs all denied
! packets to either an internal buffer or to a syslog
! server

> When you talked about access list 150 above, is there any reasoning

Access list numbers 100 to 199 designate an extended IP access
list, filtering on layer 4 protocol, source and destination IP
address and application ports.


> Feel free to call me lazy and tell me to read a book!!! Thanks in
> advance

You're Lazy, go read a book :)


--
David W. Haggett
CCNA, Cisco Academy Graduate
TCS Project work at http://www.haggett.demon.co.uk/cnap/
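The list above, run against a few packets, as an added example that is neither David's configuration nor Cisco code: a small parser for the extended access-list syntax used in this thread (any / host / address-wildcard, eq/gt/lt with a few port names, established, log) plus first-match evaluation with the implicit deny. The concrete addresses (RFC 5737 documentation ranges) and the packets are constructed for the illustration. The DNS line is written so that it matches replies, server source port 53 to a high client port, which is what its comment describes. The cases show the implicit deny in action, a DNS query from the outside being dropped and logged, and the practitioner caveat on `established`: it matches any TCP segment with ACK or RST set and keeps no state, so an ACK-flag probe to port 23 sails through the first line.

```python
"""Parse IOS-style extended access-list lines and run packets through them:
first match wins, implicit deny at the end.

Added example for this thread; not David's configuration and not Cisco code.
Supports only the syntax used above: any / host A / A WILDCARD, eq/gt/lt with
a few port names, 'established' and 'log'. Addresses and packets are made up
(RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()     # TCP flags set, e.g. {"SYN"} or {"ACK"}


def _addr(tokens):
    """Consume one address spec; return (base, wildcard) as 32-bit ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port(tokens):
    """Consume an optional 'eq|gt|lt PORT'; return (op, number) or None."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, int(val) if val.isdigit() else PORT_NAMES[val]
    return None


def parse_ace(line):
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACE: " + line)
    rest = t[4:]
    ace = {"action": t[2], "proto": t[3].lower()}
    ace["src"] = _addr(rest)
    ace["sport"] = _port(rest)
    ace["dst"] = _addr(rest)
    ace["dport"] = _port(rest)
    ace["established"] = "established" in rest
    ace["log"] = "log" in rest
    return ace


def parse_acl(text):
    """Skip blank lines and IOS '!' comment lines."""
    return [parse_ace(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("!")]


def _addr_match(spec, addr):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care", exactly as in IOS.
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF == 0


def _port_match(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)):
        return False
    if not (_port_match(ace["sport"], pkt.sport) and _port_match(ace["dport"], pkt.dport)):
        return False
    # 'established' only checks that ACK or RST is set; it keeps no state,
    # so a crafted ACK-only probe satisfies it.
    if ace["established"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, logged, line number); line None is the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace["action"], ace["log"], n
    return "deny", False, None


# Constructed list in the shape of the one above, with concrete addresses:
# 198.51.100.25 = remote mail server, 192.0.2.25 = ours, 198.51.100.53 = DNS.
ACL = parse_acl("""
access-list 150 permit tcp any any established
access-list 150 permit tcp host 198.51.100.25 host 192.0.2.25 eq smtp
access-list 150 permit udp host 198.51.100.53 eq domain any gt 1023
access-list 150 deny ip any any log
""")

CASES = {
    "dns reply": Packet("198.51.100.53", "192.0.2.10", "udp", 53, 40123),
    "dns query to inside": Packet("198.51.100.53", "192.0.2.10", "udp", 40123, 53),
    "http reply": Packet("203.0.113.80", "192.0.2.10", "tcp", 80, 51000, frozenset({"ACK"})),
    "telnet syn": Packet("203.0.113.9", "192.0.2.10", "tcp", 44000, 23, frozenset({"SYN"})),
    "ack probe to telnet": Packet("203.0.113.9", "192.0.2.10", "tcp", 44000, 23, frozenset({"ACK"})),
}


def demo():
    return {name: evaluate(ACL, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, (action, logged, line) in demo().items():
        print(f"{name:22s} {action:6s} line {line}{' (logged)' if logged else ''}")
```

The "ack probe to telnet" case is the one to keep in mind when reading the scan results Richard mentions: a list that opens with `permit tcp any any established` will not stop an ACK scan, so a scanner can still map which inside ports answer with RST, and a real stateful inspection feature is needed to close that gap.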

