what does this wildcard?

Started by mercy_angel, December 18, 2020, 05:00:34 PM


deanwebb

Couple things here to comment on.

1. Whatever VLAN needs restrictions, gets the ACL. No restrictions, no ACL.
2. ICMP must be permitted in both directions. Otherwise, pings will fail. It can be the same on bidirectional UDP conversations.
3. You can also get the same effects with routing statements that permit some conversations, but which send traffic that is forbidden to a null route.
4. Use a firewall as a router on a stick for better, more granular control of traffic.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on January 10, 2021, 10:12:57 AM
Couple things here to comment on.

2. ICMP must be permitted in both directions. Otherwise, pings will fail. It can be the same on bidirectional UDP conversations.


We want to be restrictive on the ICMP we allow; some of it is bad. I might suggest only allowing ICMP
echo
echo reply
unreachable
traceroute

only on trusted interfaces, blocked on untrusted interfaces
:professorcat:

My Moral Fibers have been cut.
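To tie the thread together (the wildcard mask the title asks about, deanwebb's point that ICMP has to pass in both directions or pings fail, and icecream-guy's list of the few ICMP types worth permitting), here is an added example that is not code from either poster or from any vendor. It models a simplified Cisco-IOS-style extended ACL with first-match evaluation and the implicit deny at the end; the VLAN addresses (10.1.10.0/24 users, 10.1.20.0/24 servers), the ACL lines, and the `ping_works` helper are all constructed for illustration. For the traceroute case it permits `time-exceeded` (ICMP type 11, which traceroute relies on) rather than the IOS `traceroute` keyword, which is a different, rarely used type.

```python
"""Wildcard-mask matching and ICMP type filtering in a toy IOS-style ACL evaluator.

Added example, not from the forum thread. Assumes a simplified ACE syntax (constructed):
    permit|deny icmp|udp|tcp|ip SRC SRC_WILDCARD DST DST_WILDCARD [icmp-type-name]
where 'any' stands for 0.0.0.0 255.255.255.255.
"""
import ipaddress
from typing import Optional

# ICMP type names as IOS spells them -> RFC 792 type numbers.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match the base address, a 1 bit is 'don't care'.

    This is the inverse of a subnet mask, and it need not be contiguous: 0.0.1.255 on
    10.1.10.0 matches both 10.1.10.0/24 and 10.1.11.0/24.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)


def parse_ace(line: str) -> dict:
    """Parse one access-control entry in the simplified syntax above."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return "0.0.0.0", "255.255.255.255"
        base, wc = rest[0], rest[1]
        rest = rest[2:]
        return base, wc

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    icmp_type = ICMP_TYPES[rest[0]] if rest else None   # trailing token is an ICMP type name
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "icmp_type": icmp_type}


def evaluate(acl: list, proto: str, src: str, dst: str, icmp_type: Optional[int] = None) -> str:
    """First-match evaluation, ending with the implicit deny every IOS ACL carries."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, ace["src"], ace["src_wc"]):
            continue
        if not wildcard_match(dst, ace["dst"], ace["dst_wc"]):
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"]
    return "deny"


def ping_works(acl_to_server: list, acl_to_client: list, client: str, server: str) -> bool:
    """A ping needs echo (type 8) permitted one way AND echo-reply (type 0) the other way."""
    out = evaluate(acl_to_server, "icmp", client, server, ICMP_TYPES["echo"])
    back = evaluate(acl_to_client, "icmp", server, client, ICMP_TYPES["echo-reply"])
    return out == "permit" and back == "permit"


# Constructed topology: VLAN 10 (10.1.10.0/24) is the user VLAN, VLAN 20 (10.1.20.0/24)
# holds servers. Only the VLAN that needs restrictions gets an ACL.
TO_SERVERS = [parse_ace(l) for l in [
    "permit icmp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 echo",
    "permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255",
]]
# Broken return path: only echo is permitted back toward the users, so echo-replies die
# on the implicit deny and every ping times out.
BROKEN_RETURN = [parse_ace("permit icmp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 echo")]
# Restrictive but complete: echo, echo-reply, unreachable and time-exceeded only.
RESTRICTED_RETURN = [parse_ace(l) for l in [
    "permit icmp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 echo",
    "permit icmp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 echo-reply",
    "permit icmp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 unreachable",
    "permit icmp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 time-exceeded",
]]

if __name__ == "__main__":
    print("0.0.1.255 on 10.1.10.0 matches 10.1.11.3:",
          wildcard_match("10.1.11.3", "10.1.10.0", "0.0.1.255"))
    print("ping with echo-only return ACL:",
          ping_works(TO_SERVERS, BROKEN_RETURN, "10.1.10.7", "10.1.20.5"))
    print("ping with restricted return ACL:",
          ping_works(TO_SERVERS, RESTRICTED_RETURN, "10.1.10.7", "10.1.20.5"))
```

The `wildcard_match` function is the whole answer to the title question: each 0 bit in the wildcard pins that bit of the packet address to the ACL's base address, each 1 bit is ignored, so 0.0.0.255 is "this /24" and 0.0.1.255 covers two adjacent /24s. The two return-path ACLs show why an ICMP permit has to be thought through as a conversation: the restricted list still denies redirects, router advertisements and the rest, but lets ping and traceroute work.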