
Re: [pacnog] access-lists



Hi Jon,

You've committed the great sin of blocking all ICMP (assuming this is
the complete access-list). Not that this is the cause of the problem
here, but please don't indiscriminately filter ICMP; it will break your
network: http://www.cymru.com/Documents/icmp-messages.html.

I'm presuming that acl 102 below is the inbound acl on the border
router. What is address www.xxx.yyy.2? Is it the link to the
neighbouring router where the outbound trace is going to? Or some other
address on the router? This is important - you might be filtering the
return packets - the outgoing trace packets leave with the IP address of
the outbound interface as the source, so you should make sure that you
allow the replies to that address back in again.

BTW, you have logging enabled in the first version of the ACL. Check the
logs to see what is being blocked when you traceroute out; that will
give you a pretty good idea what you are inadvertently blocking.

philip
--

Jon Leeman said the following on 19/05/2005 11:54:
> Group,
> 
> I have the following access-list in place at the border router:
> 
> access-list 102 permit ip any host www.xxx.yyy.1
> access-list 102 permit ip any host www.xxx.yyy.2  !router
> access-list 102 deny tcp any host www.xxx.yyy.66 eq 25
> access-list 102 permit ip any host www.xxx.yyy.66
> access-list 102 permit ip any host www.xxx.yyy.70
> access-list 102 permit ip any host www.xxx.yyy.71
> access-list 102 permit ip any www.xxx.zzz.0 0.0.0.63
> access-list 102 deny tcp any any eq 135
> access-list 102 deny tcp any any eq 139
> access-list 102 deny tcp any any eq 161
> access-list 102 deny tcp any any eq 162
> access-list 102 deny tcp any any eq 445
> access-list 102 deny tcp any any eq telnet
> access-list 102 deny tcp any any eq 1025
> access-list 102 deny tcp any any eq 1434
> access-list 102 deny tcp any any eq 1433
> access-list 102 deny tcp any any eq 2745
> access-list 102 deny udp any any eq 1433
> access-list 102 deny udp any any eq 1434
> access-list 102 deny ip any any log
> 
> and I am unable to traceroute to any external host - from the router
> [www.xxx.yyy.2  !router]
> 
> When I change the list to:
> 
> access-list 102 deny tcp any host 203.98.224.66 eq 25
> access-list 102 deny tcp any any eq 135
> access-list 102 deny tcp any any eq 139
> access-list 102 deny tcp any any eq 161
> access-list 102 deny tcp any any eq 162
> access-list 102 deny tcp any any eq 445
> access-list 102 deny tcp any any eq telnet
> access-list 102 deny tcp any any eq 1025
> access-list 102 deny tcp any any eq 1434
> access-list 102 deny tcp any any eq 1433
> access-list 102 deny tcp any any eq 2745
> access-list 102 deny udp any any eq 1433
> access-list 102 deny udp any any eq 1434
> access-list 102 permit ip any any
> 
> I am able to traceroute.
> 
> I'd appreciate any pointers as to where I'm going wrong in the first
> access-list.
> 
> Thanks,
> 
> Jon
> 
> 
> _______________________________________________
> pacnog mailing list
> pacnog@pacnog.org
> http://mailman.apnic.net/mailman/listinfo/pacnog
> 
>
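The following is an added example and is not part of Philip's or Jon's messages: a small Python evaluator for Cisco numbered extended ACLs that replays both of Jon's lists against the ICMP a traceroute gets back. It uses RFC 5737 documentation addresses in place of the masked www.xxx.yyy.* values, and assumes an upstream hop, a traceroute target and a WAN interface address that is not .2, which is the case Philip asks about. It also flags rules in the first list whose only effect is which line a log entry names, since every port deny there sits in front of a deny ip any any.

```python
"""Cisco extended-ACL evaluator, added as an example (not from the pacnog thread).
RFC 5737 addresses stand in for Jon's masked www.xxx.yyy.*; hop/target/WAN are assumed."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst dport icmp_type log text")
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(None, None))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A wildcard' (a wildcard is an inverted netmask)."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_acl(text):
    """Parse 'access-list N {permit|deny} proto src dst [eq port] [icmp-type] [log]'."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("!")[0].strip()            # '!' starts an IOS comment
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)          # consumes the address tokens
        log = rest[-1:] == ["log"]
        rest = rest[:-1] if log else rest
        dport = ({"telnet": 23, "smtp": 25}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        icmp_type = rest[0] if proto == "icmp" and rest else None
        rules.append(Rule(action, proto, src, dst, dport, icmp_type, log, line))
    return rules

def evaluate(acl, pkt):
    """(1-based line, action) of the first match; None = the implicit trailing deny."""
    for i, r in enumerate(acl, 1):
        if (r.proto in ("ip", pkt.proto) and ipaddress.ip_address(pkt.src) in r.src
                and ipaddress.ip_address(pkt.dst) in r.dst
                and r.dport in (None, pkt.dport) and r.icmp_type in (None, pkt.icmp_type)):
            return i, r.action
    return None, "deny"

def _covers(outer, inner):          # every packet matching inner also matches outer
    return (outer.proto in ("ip", inner.proto) and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst) and outer.dport in (None, inner.dport)
            and outer.icmp_type in (None, inner.icmp_type))

def _may_overlap(a, b):             # conservative: ICMP types are ignored
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto) and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst) and (None in (a.dport, b.dport) or a.dport == b.dport))

def redundant_rules(acl):
    """1-based lines whose removal changes no verdict (only the matched line and 'log')."""
    out = []
    for i, r in enumerate(acl):
        for later in acl[i + 1:]:
            if later.action != r.action and _may_overlap(r, later):
                break                               # a real decision happens here
            if later.action == r.action and _covers(later, r):
                out.append(i + 1)
                break
    return out

# Jon's first list: 192.0.2.0/25 stands in for www.xxx.yyy, 192.0.2.128/26 for
# www.xxx.zzz.0/26 (constructed).  The twelve port denies are generated.
DENY_PORTS = [("tcp", p) for p in (135, 139, 161, 162, 445, "telnet", 1025, 1434,
                                   1433, 2745)] + [("udp", 1433), ("udp", 1434)]
ACL_V1 = parse_acl("""
access-list 102 permit ip any host 192.0.2.1
access-list 102 permit ip any host 192.0.2.2  !router
access-list 102 deny tcp any host 192.0.2.66 eq 25
access-list 102 permit ip any host 192.0.2.66
access-list 102 permit ip any host 192.0.2.70
access-list 102 permit ip any host 192.0.2.71
access-list 102 permit ip any 192.0.2.128 0.0.0.63
""" + "".join(f"access-list 102 deny {pr} any any eq {p}\n" for pr, p in DENY_PORTS)
    + "access-list 102 deny ip any any log")
# Jon's second list: the same deny lines, then 'permit ip any any'.
ACL_V2 = [r for r in ACL_V1 if r.action == "deny"][:-1] + parse_acl("access-list 102 permit ip any any")
# Narrower than 'permit ip any any': admit just the ICMP that traceroute, ping and
# path-MTU discovery need, placed ahead of the logging deny.
ACL_FIXED = ACL_V1[:-1] + parse_acl("""
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any port-unreachable
access-list 102 permit icmp any any packet-too-big
""") + ACL_V1[-1:]
WAN_IF = "203.0.113.2"   # assumed address of the outbound link, if traces are not sourced from .2

def trace_verdicts(acl, router_src, hop="198.51.100.1", target="198.51.100.9"):
    """Verdicts on a traceroute's replies (assumed hop/target): time-exceeded, then port-unreachable."""
    replies = [Packet("icmp", hop, router_src, icmp_type="time-exceeded"),
               Packet("icmp", target, router_src, icmp_type="port-unreachable")]
    return [evaluate(acl, p) for p in replies]

if __name__ == "__main__":
    for name, acl in (("v1", ACL_V1), ("v2", ACL_V2), ("fixed", ACL_FIXED)):
        print(name, "from .2:", trace_verdicts(acl, "192.0.2.2"), "from WAN:", trace_verdicts(acl, WAN_IF))
    print("lines in v1 that change nothing but the log:", redundant_rules(ACL_V1))
```

Run as a script, the first list denies both the time-exceeded and the port-unreachable replies at line 20 (the logging deny) whenever the trace is sourced from an address other than .2, while replies to .2 are matched by line 2; the second list permits them at line 14. Lines 8 to 19 of the first list are reported as redundant: anything reaching them is dropped by line 20 anyway, and because those lines carry no log keyword, traffic matching them is dropped without an entry in the log Philip suggests checking. ACL_FIXED shows the narrower alternative to permit ip any any: explicit permits for echo-reply, time-exceeded, port-unreachable and packet-too-big ahead of the final deny.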