12-03-2013 05:27 AM - edited 03-11-2019 08:11 PM
Hi,
I have taken over a firewall that someone else managed.
Everything working well. However on the outside interface coming in i see an access list which says source-any4 destination-any4 permit service ip.
Am i correct in saying that this rule shouldn't be here as the whole point of the firewall is to be statfull and not allow just any traffic in.
The only other access list on this interface are a few static ones going to internal ip's alloing pptp and https for remote access.
Is there any reason there should be an access list like this on your outside interface going to internal?
Thanks
Solved! Go to Solution.
12-03-2013 05:35 AM
Hi,
There should not really be an "access-list" on your external interface which permits all traffic with "any" source/destination address. I would understand if all TCP/UDP traffic was permitted between certain hosts which people seem to do when they dont know what ports need to be allowed.
It would be best if we could see the actual ACL configuration (naturally WITHOUT any public IP address references away)
But generally you should only allow the services that are needed and only to the hosts that are hosting them.
Naturally in some services cases like HTTP/HTTPS you probably will allow traffic from "any" source address.
Your Static NATed hosts are under biggest risk at the moment as they can be reached now with any destination port/service. The rule might open up some connectivity towards the users that use the Dynamic PAT as long as there is an existing NAT translation on the firewall for the attempted destination port.
So I would suggest only allowing the needed services to needed hosts and blocking all other traffic from the external network. Naturally if there are services that are just allowed with this "permit ip any4 any4" statement then some services might be blocked in the worst case.
- Jouni
12-03-2013 06:11 AM
Hi,
Seems there are 3 hosts to which traffic is allowed on certain ports and then all other traffic to them is blocked with a separate Deny rule.
Then there seems to be the rule you mentioned which allows ALL other traffic.
The rule permitting ALL traffic doesn't have anything to do with the 3 hosts 10.80.0.41 , 10.80.0.11 and HK-Remote since you have already blocked ALL traffic to them AFTER allowing the needed services. So in that sense it would also seem useless rule.
I wonder if the original firewall admin accidentally inserted a Permit instead of Deny (even though the Deny would have been useless ince there is already a Implicit Deny at the end of each ACL)
But you should remove the rule allowing ALL traffic since its clearly a risk.
- Jouni
12-03-2013 06:24 AM
Also,
If you have some other host than the ones mentioned in the ACL that have Static NAT or Static PAT configured then make sure that traffic to those will not start getting blocked. (As they would match to this Permit rule since they dont have their own rules)
But from what I understood you dont have any other hosts reachable through the external/public network than the ones specifically mentioned.
- Jouni
12-03-2013 05:35 AM
Hi,
There should not really be an "access-list" on your external interface which permits all traffic with "any" source/destination address. I would understand if all TCP/UDP traffic was permitted between certain hosts which people seem to do when they dont know what ports need to be allowed.
It would be best if we could see the actual ACL configuration (naturally WITHOUT any public IP address references away)
But generally you should only allow the services that are needed and only to the hosts that are hosting them.
Naturally in some services cases like HTTP/HTTPS you probably will allow traffic from "any" source address.
Your Static NATed hosts are under biggest risk at the moment as they can be reached now with any destination port/service. The rule might open up some connectivity towards the users that use the Dynamic PAT as long as there is an existing NAT translation on the firewall for the attempted destination port.
So I would suggest only allowing the needed services to needed hosts and blocking all other traffic from the external network. Naturally if there are services that are just allowed with this "permit ip any4 any4" statement then some services might be blocked in the worst case.
- Jouni
12-03-2013 06:04 AM
12-03-2013 06:11 AM
Hi,
Seems there are 3 hosts to which traffic is allowed on certain ports and then all other traffic to them is blocked with a separate Deny rule.
Then there seems to be the rule you mentioned which allows ALL other traffic.
The rule permitting ALL traffic doesn't have anything to do with the 3 hosts 10.80.0.41 , 10.80.0.11 and HK-Remote since you have already blocked ALL traffic to them AFTER allowing the needed services. So in that sense it would also seem useless rule.
I wonder if the original firewall admin accidentally inserted a Permit instead of Deny (even though the Deny would have been useless ince there is already a Implicit Deny at the end of each ACL)
But you should remove the rule allowing ALL traffic since its clearly a risk.
- Jouni
12-03-2013 06:17 AM
Cheers Jouni.
Thanks for the hep.
12-03-2013 06:24 AM
Also,
If you have some other host than the ones mentioned in the ACL that have Static NAT or Static PAT configured then make sure that traffic to those will not start getting blocked. (As they would match to this Permit rule since they dont have their own rules)
But from what I understood you dont have any other hosts reachable through the external/public network than the ones specifically mentioned.
- Jouni
12-03-2013 07:57 AM
My NAT rules are source - inside network to PAT using IP address of the interface ( outisde ) it has not affected internet connectivity all is working well.
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide