Unsolved
This post is more than 5 years old
21 Posts
0
25782
March 13th, 2008 07:00
Basic ACL help - PowerConnect 6224
Interfaces:
g1 = Internet
g3, g4 = Server (LAG 1)
g1 has no ACL bound
I'm trying to bind ACL(s) to LAG 1 which will allow specific traffic Internet->Server, and all (later, restrict) traffic from Server->Internet
(since it's bound to the LAG, as opposed to g1, ACL is applied to direction "out")
(to simplify things I'm using src/dest any/any - but will later limit to the Server's IPs)
My rules:
access-list webau permit tcp any any eq 22
access-list webau permit tcp any any eq http
access-list webau permit tcp any any eq 443
access-list webau permit tcp any any eq 3389
access-list webau permit tcp any any eq 1935
Binding the ACL:
interface port-channel 1
ip access-group webau out
This successfully permits only traffic from the Internet->Server on TCP port numbers specified - so far so good.
However, the Server can't get out to the Internet at all.
(e.g. ping, telnet google.com 80)
I would have thought with no ACL in, all traffic from the LAG to the switch would be allowed.
I've also tried:
access-list allowall permit every
interface port-channel 1
ip access-group allowall in
Further, if I add rule to ACL webau (bound to LAG1 out):
access-list webau permit icmp any any
I can ping from Server->Internet
or ...
access-list webau permit every
Server->Internet is OK
Finally - Any recommendations on whether to apply these to the Server's ports/channel, with direction OUT (like I am) vs. apply to Internet port with direction IN
Thanks!
Nick
g1 = Internet
g3, g4 = Server (LAG 1)
g1 has no ACL bound
I'm trying to bind ACL(s) to LAG 1 which will allow specific traffic Internet->Server, and all (later, restrict) traffic from Server->Internet
(since it's bound to the LAG, as opposed to g1, ACL is applied to direction "out")
(to simplify things I'm using src/dest any/any - but will later limit to the Server's IPs)
My rules:
access-list webau permit tcp any any eq 22
access-list webau permit tcp any any eq http
access-list webau permit tcp any any eq 443
access-list webau permit tcp any any eq 3389
access-list webau permit tcp any any eq 1935
Binding the ACL:
interface port-channel 1
ip access-group webau out
This successfully permits only traffic from the Internet->Server on TCP port numbers specified - so far so good.
However, the Server can't get out to the Internet at all.
(e.g. ping, telnet google.com 80)
I would have thought with no ACL in, all traffic from the LAG to the switch would be allowed.
I've also tried:
access-list allowall permit every
interface port-channel 1
ip access-group allowall in
Further, if I add rule to ACL webau (bound to LAG1 out):
access-list webau permit icmp any any
I can ping from Server->Internet
or ...
access-list webau permit every
Server->Internet is OK
Finally - Any recommendations on whether to apply these to the Server's ports/channel, with direction OUT (like I am) vs. apply to Internet port with direction IN
Thanks!
Nick
No Events found!
nick.p.doyle
21 Posts
0
March 13th, 2008 22:00
If so, do I need to make a rule allowing inbound > 1023?
If so, how do I do this ... doesn't look like you can say "greater-than" like cisco and do "access-list aclname ip any any gt 1023"
nick.p.doyle
21 Posts
0
March 13th, 2008 23:00
So my question is - what do people do to let their servers get out?
Zitibake
68 Posts
0
March 16th, 2008 18:00
With Cisco, if you have an interface connected to your server, you can say "permit tcp packets with source port 443, ephemeral dst port, and fin or ack bits set", like this:
permit tcp any eq 443 any established
Then, when your server makes an outbound connection to (say) update.redhat.com on port 443, the reply packet from RHN to your server will be permitted. I don't see a way to match on FIN|ACK with Dell, so you'd pretty-much have to "permit tcp any eq 443 any". Dell should try to support matching TCP flags ala Cisco (permit tcp any any match-any +ack +fin), or at-least letting us match using byte offset, e.g.:
One workaround is to have an upstream Cisco (like your carrier border router) mark incoming FIN|ACK packets using TOS, then you can match TOS on the Dell.
Another workaround is to set-up a proxy server for use by your critical servers (e.g. Squid, SOCKS, MS Proxy Server). Also use an outgoing mail relay, recursive DNS server and NTP server. Your protected servers use these proxies for outbound connections, and you permit replies from the proxies to your protected server explicitly in the ACL. This is very inconvenient if you're used to making direct outbound connections from your protected servers to the Internet. On the other hand, it is more secure than permitting packets in from "any" to your protected server's ephemeral ports.
nick.p.doyle
21 Posts
0
March 16th, 2008 21:00
JSL2
1 Rookie
•
10 Posts
0
September 22nd, 2016 23:00
This is a zombie post, but I'm putting it on here because I came across this on a search engine and thought this might be useful since Dell switch discussion is scarce.
On Dell N-series switches today (2016), this capability is included.
I have a DMZ the 172.27.4.0/24 network and a trusted network on 172.27.9.0/24. I want connections from 172.27.9.0/24 to be able to go into the DMZ (ssh primarily). In the IN access-list on the DMZ interface, the rule is:
permit tcp 172.27.4.0 0.0.0.255 172.27.9.0 0.0.0.255 flag established