Mailing List Archive

Problems with ACLs
Hi,

I've got a problem with ACLs on a foundry SI XL running 07.4.01T12.

Setup as follows:

---

interface e 3
port-name Uplink
ip access-group 20 in

interface e 5
port-name www1 extern
ip access-group 20 out

server real www1 1.1.1.1
port http

server virtual www.foo.bar 1.2.1.1
acl-id 20
port http
bind http www1 http

access-list 20 deny host 1.2.3.4 log
access-list 20 permit any

---

Connections to the virtual server are filtered fine, but when (ab)users
try to contact the real servers directly, only the first SYN packet gets
dropped; subsequent packets seem to get forwarded fine.

tcpdumps and foundry log as follows:

---

foundry:

Jul 1 21:56:20 foundry sollbruchstelle, list 20 denied tcp
1.2.3.4(50913) (Ethernet 3 0007.4fa2.1800) -> 1.1.1.1(http), 1 packets


client:

21:56:20.279831 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0)
win 5840 <mss 1460,sackOK,timestamp 19275632 0,nop,wscale 2>
21:56:23.278097 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0)
win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:23.278296 IP 1.1.1.1.80 > 1.2.3.4.50913: S
3024095339:3024095339(0) ack 807137641 win 5792 <mss
1460,sackOK,timestamp 3048126235 19278632,nop,wscale 5>
21:56:23.278337 IP 1.2.3.4.50913 > 1.1.1.1.80: . ack 1 win 1460
<nop,nop,timestamp 19278632 3048126235>


www1:
21:56:23.265849 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0)
win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:23.265874 IP 1.1.1.1.80 > 1.2.3.4.50913: S
3024095339:3024095339(0) ack 807137641 win 5792 <mss
1460,sackOK,timestamp 3048126235 19278632,nop,wscale 5>
21:56:23.266099 IP 1.2.3.4.50913 > 1.1.1.1.80: . ack 1 win 1460
<nop,nop,timestamp 19278632 3048126235>

---

Seems as if the connection is put in some sort of connection-tracking
table after the first SYN packet, and subsequent packets skip the
access-list then.

ip strict-acl-mode [1] looks like it might fix this, but I'm a bit
reluctant to enable it since I don't know if the foundry is able to bear
the additional workload, and it shouldn't be necessary in the first place.

Is there something else I might've missed, or should I just try and use
strict-acl-mode?

[1]
http://www.foundrynet.com/services/documentation/sixl/security.html#wp58963

best regards,
Michael Renner
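A check a practitioner can run against the two artifacts above, added here as an example and not part of the original post or of any Foundry tooling: correlate the ServerIron's "list N denied" syslog line with the client-side tcpdump and flag any denied flow to which the real server nevertheless answered with a SYN-ACK. The sample deny line and capture are the lines from the post re-joined onto one line per record; the SERVICE_PORTS table, the BLOCKED_TCPDUMP counter-example and all function names are assumptions made for this example.

```python
"""Cross-check a Foundry "list N denied" syslog line against tcpdump output.

A deny entry followed by a SYN-ACK from the "protected" server back to the
denied client means the ACL was applied only to the first packet of the
flow; the handshake then completed around it.
"""
import re

# Assumed service-name table: the log and tcpdump print names, not numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}

# "list 20 denied tcp 1.2.3.4(50913) (Ethernet 3 ...) -> 1.1.1.1(http), ..."
ACL_DENY_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\w+)\) .*?-> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\w+)\)"
)

# One tcpdump line: "<ts> IP a.b.c.d.port > w.x.y.z.port: <flags> <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<flags>\S+)(?P<rest>.*)$"
)

# Constructed sample: the deny line and the client-side capture from the
# post, re-joined onto one line per record (the mail wrapped them).
ACL_LOG = (
    "Jul 1 21:56:20 foundry sollbruchstelle, list 20 denied tcp 1.2.3.4(50913) "
    "(Ethernet 3 0007.4fa2.1800) -> 1.1.1.1(http), 1 packets\n"
)

TCPDUMP = """\
21:56:20.279831 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0) win 5840 <mss 1460,sackOK,timestamp 19275632 0,nop,wscale 2>
21:56:23.278097 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0) win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:23.278296 IP 1.1.1.1.80 > 1.2.3.4.50913: S 3024095339:3024095339(0) ack 807137641 win 5792 <mss 1460,sackOK,timestamp 3048126235 19278632,nop,wscale 5>
21:56:23.278337 IP 1.2.3.4.50913 > 1.1.1.1.80: . ack 1 win 1460 <nop,nop,timestamp 19278632 3048126235>
"""

# Constructed counter-example: what the capture looks like when the ACL
# really holds (SYN retransmits at 3s and 6s, nothing ever comes back).
BLOCKED_TCPDUMP = """\
21:56:20.279831 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0) win 5840 <mss 1460,sackOK,timestamp 19275632 0,nop,wscale 2>
21:56:23.278097 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0) win 5840 <mss 1460,sackOK,timestamp 19278632 0,nop,wscale 2>
21:56:29.278110 IP 1.2.3.4.50913 > 1.1.1.1.80: S 807137640:807137640(0) win 5840 <mss 1460,sackOK,timestamp 19284632 0,nop,wscale 2>
"""


def _port(token):
    """Turn '80' or 'http' into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_denies(acl_log):
    """Extract (acl id, 4-tuple) for every 'denied' line in the syslog text."""
    denies = []
    for line in acl_log.splitlines():
        m = ACL_DENY_RE.search(line)
        if m:
            flow = (m["src"], _port(m["sport"]), m["dst"], _port(m["dport"]))
            denies.append({"acl": int(m["acl"]), "flow": flow})
    return denies


def parse_packets(tcpdump):
    """Parse tcpdump text into per-packet dicts with SYN/ACK flags decoded."""
    pkts = []
    for line in tcpdump.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        pkts.append({
            "ts": m["ts"],
            "key": (m["src"], _port(m["sport"]), m["dst"], _port(m["dport"])),
            "syn": "S" in m["flags"],
            # tcpdump prints "ack <n>" after the seq range when ACK is set;
            # "sackOK" in the options does not match " ack ".
            "ack": " ack " in m["rest"],
        })
    return pkts


def find_acl_bypass(acl_log, tcpdump):
    """Return one finding per denied flow to which the server still replied."""
    pkts = parse_packets(tcpdump)
    findings = []
    for deny in parse_denies(acl_log):
        src, sport, dst, dport = deny["flow"]
        fwd = [p for p in pkts if p["key"] == (src, sport, dst, dport)]
        rev = [p for p in pkts if p["key"] == (dst, dport, src, sport)]
        if not any(p["syn"] and p["ack"] for p in rev):
            continue  # ACL held: the server never answered this client
        findings.append({
            "acl": deny["acl"],
            "flow": deny["flow"],
            "client_syns": sum(1 for p in fwd if p["syn"] and not p["ack"]),
            "handshake_completed": any(p["ack"] and not p["syn"] for p in fwd),
        })
    return findings


if __name__ == "__main__":
    for f in find_acl_bypass(ACL_LOG, TCPDUMP):
        print("ACL %d bypassed: %s:%d -> %s:%d after %d SYNs, handshake=%s"
              % (f["acl"], *f["flow"], f["client_syns"], f["handshake_completed"]))
    print("blocked capture:", find_acl_bypass(ACL_LOG, BLOCKED_TCPDUMP))
```

The check keys on exactly the discrepancy visible in the post: the box counts "1 packets" for the deny while the client capture shows two SYNs (the second is the normal 3-second retransmission) and a SYN-ACK coming back for the retransmitted one. The blocked counter-example, with only retransmitted SYNs and no reply, produces no finding.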
Problems with ACLs [ In reply to ]
Michael Renner wrote:
> Hi,
>
> I've got a problem with ACLs on a foundry SI XL running 07.4.01T12.

[..]

OK, I've found the source of this problem. It was the "server
slb-optimize" statement, which is described as "enable the fast path" in
the foundry OS... how ironic ;). Anyway, after disabling it, the ACLs
behaved like they should.

Can somebody with foundry-support-access tell me if this has been fixed
since 7.4.0 and if not, open a trouble ticket regarding this problem?

best regards,
michael