  • 1.  Procurve 5300XL ACL confusion

    Posted Jan 13, 2006 07:01 AM
    I have an ACL configuration issue. Take a trivial ACL like this:

    ip access-list extended "EDU-IN"
    permit tcp any 130.236.60.40/32 eq 22

    This will accept all incoming packets on port 22 to the host and implicitly deny the rest. So far so good.

    The problem is outgoing traffic. The first packet in a TCP session from 130.236.60.40 to a host outside the router will pass through the router since there is no ACL there, but the returning packet will be denied by the above ACL. In other routers there is an established keyword:

    access-list 114 permit tcp any any established

    But I cannot find anything similar in the documentation for the ProCurve 5300XL. I must be missing something obvious...

    /jens



  • 2.  RE: Procurve 5300XL ACL confusion

    Posted Jan 13, 2006 10:04 AM
    Hi Jens,

    The 5300xl does not support the established option, or one that is like that.

    You will need to configure ACLs that explicitly allow return traffic. An example could be to allow all HTTP return traffic to your IP address 130.236.60.40:

    permit tcp any eq 80 130.236.60.40/32 gt 1024

    Or if you would like a general rule (which is quite insecure), you could use:

    permit tcp any any gt 1024

    In this case I would also explicitly deny ports >1024 that run services on your side, for example block RDP:

    deny tcp any any eq 3389

    This one needs to be in line before the permit statement, of course.

    The reason I use gt 1024 is because a client that connects to a server always connects from a source port above 1024. That means the destination port for the server is that same port above 1024. For example, a client that connects to a web server:
    Client: Source port: 1025, destination port: 80
    Server: Source port: 80, destination port 1025

    Hope this helped,

    Kell


  • 3.  RE: Procurve 5300XL ACL confusion

    Posted Jan 15, 2006 11:32 PM
    > The 5300xl does not support the established
    > option, or one that is like that.

    That explains why I couldn't find it...

    It also means that the ACL implementation in the 5300XL is rather useless (for me at least). I want to block all incoming traffic except for a few selected services. Without an established option or some session management like in a real firewall this cannot be done.

    Can anyone explain why the default last entry in an ACL is an implicit deny? If you don't have an established-option the implicit deny is almost always wrong. An implicit permit would make much more sense.

    > The reason I use gt 1024, is because a
    > client that connects to a server, allways
    > connects from a source port above 1024.

    Unless it is RSH or NFS which by default picks a privileged port...

    > Hope this helped,
    > Kell

    It sure did! Now I will return the 5300XL and shop for another product.

    Does anyone have a recommendation for something that can route 1Gbit/s and has a usable ACL implementation? OSPF and VLAN are required. A Procurve 9304 worked all right but is a bit expensive. A real firewall would be nice of course, but price vs performance is a tough one.

    /jens
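To make the behaviour discussed in this thread concrete, here is an added example (not part of the original posts, and not HP/ProCurve code): a small Python model of a stateless, first-match extended ACL with an implicit deny, using the rule syntax quoted above. The parser (`parse_rule`), the evaluator (`evaluate`), the `Packet` type and all sample packets are assumptions constructed for illustration. It shows why the SSH-only ACL drops the reply to an outbound connection, how Kell's `gt 1024` return-traffic rule with an earlier explicit `deny` for RDP behaves, why that rule also admits inbound connections to any service above port 1024 on the protected host, and why a reply to an rsh-style client using a privileged source port (Jens's caveat) is still dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a stateless extended ACL (first match wins, then
# implicit deny). Names below are assumptions for this example only.


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PortMatch:
    op: str      # "eq" or "gt", as in the ACL syntax quoted in the thread
    port: int

    def matches(self, p: int) -> bool:
        return p == self.port if self.op == "eq" else p > self.port


@dataclass
class Rule:
    action: str
    src: ipaddress.IPv4Network
    sport: Optional[PortMatch]
    dst: ipaddress.IPv4Network
    dport: Optional[PortMatch]
    text: str


def _parse_addr(tok: str) -> ipaddress.IPv4Network:
    # "any" matches every address; otherwise expect prefix notation like x.x.x.x/32
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'permit|deny tcp <src> [eq|gt N] <dst> [eq|gt N]'."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto != "tcp":
        raise ValueError(f"unsupported rule: {line}")
    i = 2
    src = _parse_addr(toks[i]); i += 1
    sport = None
    if i < len(toks) and toks[i] in ("eq", "gt"):
        sport = PortMatch(toks[i], int(toks[i + 1])); i += 2
    dst = _parse_addr(toks[i]); i += 1
    dport = None
    if i < len(toks) and toks[i] in ("eq", "gt"):
        dport = PortMatch(toks[i], int(toks[i + 1])); i += 2
    return Rule(action, src, sport, dst, dport, line)


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching rule text); no match means implicit deny."""
    for r in acl:
        if (ipaddress.ip_address(pkt.src) in r.src
                and ipaddress.ip_address(pkt.dst) in r.dst
                and (r.sport is None or r.sport.matches(pkt.sport))
                and (r.dport is None or r.dport.matches(pkt.dport))):
            return r.action, r.text
    return "deny", "implicit deny"


HOST = "130.236.60.40"

# The ACL from the first post: inbound SSH only.
ACL_SSH_ONLY = [parse_rule("permit tcp any 130.236.60.40/32 eq 22")]

# Kell's suggestion: explicit deny for RDP placed before the broad gt 1024 rule.
ACL_WITH_RETURN = [parse_rule(l) for l in (
    "deny tcp any any eq 3389",
    "permit tcp any 130.236.60.40/32 eq 22",
    "permit tcp any any gt 1024",
)]

# Constructed sample packets, all in the inbound direction (arriving from outside).
INBOUND_SSH = Packet("192.0.2.10", 40000, HOST, 22)          # new SSH session to the host
HTTP_REPLY = Packet("198.51.100.5", 80, HOST, 1025)          # reply to the host's own web request
RDP_PROBE = Packet("192.0.2.10", 40001, HOST, 3389)          # unsolicited RDP connection attempt
HIGH_PORT_PROBE = Packet("192.0.2.10", 40002, HOST, 8080)    # unsolicited connection to a port >1024
RSH_REPLY = Packet("198.51.100.5", 514, HOST, 1023)          # reply to rsh, whose client used a privileged port

if __name__ == "__main__":
    for name, acl in (("SSH-only", ACL_SSH_ONLY), ("with return rules", ACL_WITH_RETURN)):
        for label, pkt in (("ssh", INBOUND_SSH), ("http reply", HTTP_REPLY), ("rdp", RDP_PROBE),
                           ("port 8080", HIGH_PORT_PROBE), ("rsh reply", RSH_REPLY)):
            print(f"{name:18} {label:10} -> {evaluate(acl, pkt)}")
```

Running the block prints one line per ACL and packet. The SSH-only list permits only the inbound SSH packet and drops the HTTP reply, which is exactly the problem in the first post. The second list permits the HTTP reply and denies RDP because the explicit deny sits first, but it also permits the unsolicited connection to port 8080, which is the "quite insecure" part of the broad rule, and it still drops the rsh reply because its destination port is below 1024.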