The device supports various ACL matching conditions. This section describes the commonly used conditions.
Time Range

Format: time-range time-name

All ACLs support packet filtering based on time ranges. For details about time ranges, see Time Range.

Protocol Type Carried by IP

Format: protocol-number | icmp | tcp | udp | gre | igmp | ip | ipinip | ospf

An advanced ACL can filter packets based on protocol types, such as ICMP (protocol number 1), TCP (protocol number 6), UDP (protocol number 17), GRE (protocol number 47), IGMP (protocol number 2), IP (any IP layer protocol), IPinIP (protocol number 4), and OSPF (protocol number 89). The protocol number ranges from 1 to 255.

For example, to forbid user access on an interface connected to a large number of attackers, specify the protocol type as IP to discard all IP traffic on the interface. The configuration is as follows:

rule deny ip //Reject IP packets.

After the transparent firewall function is enabled on a device, the transparent firewall discards all packets entering the interzone by default, including service and protocol packets. If you require the packets of a dynamic routing protocol, such as OSPF, to pass through the transparent firewall, specify the protocol type as OSPF:

rule permit ospf //Permit OSPF packets.

Source/Destination IP Addresses and Wildcard Masks

Format of source IP address and wildcard mask: source { source-address source-wildcard | any }

Format of destination IP address and wildcard mask: destination { destination-address destination-wildcard | any }

A basic ACL can filter packets based on source IP addresses; an advanced ACL can filter packets based on both source and destination IP addresses. When source and destination IP addresses are specified as matching conditions, wildcard masks must be specified for them to determine the address ranges. An IP address wildcard mask has the same format as an inverse subnet mask (a 32-bit numeric string). The wildcard mask specifies which bits in the IP address are to be checked.
Among the bits in a wildcard mask, the value 0 indicates "check" and the value 1 indicates "do not check." An IP address subnet mask must have contiguous 0s and 1s, whereas a wildcard mask can have discontinuous 0s and 1s. The wildcard mask can be 255.255.255.255 or 0 (equivalent to 0.0.0.0). The value 255.255.255.255 indicates any IP address, which is equivalent to the any keyword. The value 0 indicates that the source/destination address is a single host address.

For example, configure a rule with an IP address wildcard mask to permit all IP packets from network segment 192.168.1.0/24:

rule 5 permit ip source 192.168.1.0 0.0.0.255

In this rule, the wildcard mask is 0.0.0.255, indicating that only the bits in the first three bytes of the IP address are checked. Therefore, if the first 24 bits of the source IP address are the same as the first 24 bits of the specified IP address (192.168.1), the packet was sent from source IP address segment 192.168.1.0/24 and is permitted. Table 1-3 illustrates how the address range is calculated.

Table 1-3 Wildcard mask example
For more examples of determining an address range by IP address and wildcard mask, see Table 1-4.

Table 1-4 Determining address ranges by IP addresses and wildcard masks
Source/Destination MAC Addresses and Wildcard Masks

Format of source MAC address and wildcard mask: source-mac source-mac-address [ source-mac-mask ]

Format of destination MAC address and wildcard mask: destination-mac dest-mac-address [ dest-mac-mask ]

Only a Layer 2 ACL can filter packets based on source and destination MAC addresses. When source and destination MAC addresses are specified as matching conditions, wildcard masks can be specified for them to determine address ranges. A MAC address wildcard mask has the same format as a MAC address: both are written in hexadecimal. A MAC address wildcard mask consists of six bytes (48 bits) and indicates which bits in the MAC address are to be checked. Unlike an IP address wildcard mask, the value 1 in a MAC address wildcard mask indicates "check" and the value 0 indicates "do not check." If the wildcard mask is not specified, the default mask ffff-ffff-ffff is used, indicating that every bit in the MAC address is checked. Table 1-5 illustrates how a MAC address and a wildcard mask determine an address range.

Table 1-5 Determining address ranges by MAC addresses and wildcard masks
VLAN ID and Mask

Format of outer VLAN ID and mask: vlan-id vlan-id [ vlan-id-mask ]

Format of inner VLAN ID and mask: cvlan-id cvlan-id [ cvlan-id-mask ]

A Layer 2 ACL can filter packets based on outer and inner VLAN IDs. When VLAN IDs are configured as matching conditions, a VLAN mask can be specified after each VLAN ID to determine a VLAN range. A VLAN mask is in hexadecimal format, ranging from 0x0 to 0xFFF. If the VLAN mask is not specified, the default mask 0xFFF is used, indicating that every bit in the VLAN ID is checked. Table 1-6 illustrates how a VLAN ID and a mask determine a VLAN range.

Table 1-6 Determining VLAN ranges by VLAN IDs and masks
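As an added example (not part of the Huawei documentation), the three mask conventions described above side by side: the IP wildcard mask where 0 means "check", and the MAC and VLAN masks where 1 means "check". The helper names are mine and the MAC and VLAN values are constructed; the IP case reuses the page's rule 5.

```python
import ipaddress

def ip_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IP wildcard mask: bit 0 = check, bit 1 = do not check (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def ip_wildcard_count(wildcard: str) -> int:
    """Number of addresses an address/wildcard pair covers: 2 ** (bits not checked)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")

def mac_mask_match(mac: str, base: str, mask: str = "ffff-ffff-ffff") -> bool:
    """MAC mask (xxxx-xxxx-xxxx hex): bit 1 = check, bit 0 = do not check; default checks all."""
    def to_int(s: str) -> int:
        return int(s.replace("-", ""), 16)
    care = to_int(mask)
    return (to_int(mac) & care) == (to_int(base) & care)

def vlan_mask_match(vlan: int, base: int, mask: int = 0xFFF) -> bool:
    """VLAN mask 0x0..0xFFF: bit 1 = check, bit 0 = do not check; default checks all 12 bits."""
    return (vlan & mask) == (base & mask)

if __name__ == "__main__":
    # rule 5 permit ip source 192.168.1.0 0.0.0.255 (the page's example)
    print(ip_wildcard_match("192.168.1.77", "192.168.1.0", "0.0.0.255"))   # True
    print(ip_wildcard_count("0.0.0.255"))                                  # 256 addresses
    # A discontinuous wildcard, 0.0.254.255: the last bit of the third byte is still
    # checked, so only even-numbered /24s under 192.168.0.0/16 match.
    print(ip_wildcard_match("192.168.4.9", "192.168.0.0", "0.0.254.255"))  # True
    print(ip_wildcard_match("192.168.5.9", "192.168.0.0", "0.0.254.255"))  # False
    # MAC (constructed values): check only the first three bytes of the address.
    print(mac_mask_match("00e0-fc12-3456", "00e0-fc00-0000", "ffff-ff00-0000"))  # True
    # VLAN: mask 0xFF0 ignores the low four bits, so VLAN 10 falls in the range of VLAN 0.
    print(vlan_mask_match(10, 0, 0xFF0), vlan_mask_match(16, 0, 0xFF0))    # True False
```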
TCP/UDP Port Number

Format of source port number: source-port { eq port | gt port | lt port | range port-start port-end }

Format of destination port number: destination-port { eq port | gt port | lt port | range port-start port-end }

When the protocol type of an advanced ACL is specified as TCP or UDP, the device can filter packets based on TCP or UDP source/destination port numbers. The operators for specifying TCP/UDP port numbers are eq, gt, lt, and range, as shown in the formats above.
The TCP/UDP port numbers can be represented by numbers or by character strings (aliases). For example, rule deny tcp destination-port eq 80 can also be written as rule deny tcp destination-port eq www. Table 1-7 and Table 1-8 list the commonly used TCP ports and UDP ports respectively, and provide the corresponding character strings.

Table 1-7 Commonly used TCP ports and character strings
Table 1-8 Commonly used UDP ports and character strings
TCP Flag

Format: tcp-flag { ack | established | fin | psh | rst | syn | urg }*

When TCP is specified as the protocol in an advanced ACL, the device filters packets based on the TCP flags. A TCP packet header contains six flag bits: URG, ACK, PSH, RST, SYN, and FIN.
The established keyword in the TCP flags indicates that the ACK (010000) or RST (000100) flag bit is set. An ACL rule with the tcp-flag keyword can implement unidirectional access control. For example, suppose users on network segment 192.168.1.0/24 must be able to access network segment 192.168.2.0/24, but users on network segment 192.168.2.0/24 must not be able to access network segment 192.168.1.0/24. To meet this requirement, apply an ACL rule to the inbound direction of the interface connecting to network segment 192.168.2.0/24. From TCP connection setup to teardown, only the packets used for TCP connection establishment can have the ACK value of 1 and RST value of 1. Based on this characteristic, configure the following ACL rules to permit the packets used for establishing TCP connections and deny other TCP packets on network segment 192.168.2.0/24. In this way, you limit the TCP connection requests initiated from this network segment.
IP Fragmentation

Format: none-first-fragment

A basic ACL and an advanced ACL can filter packets based on IP fragmentation information. The fragments of an IP packet include the initial fragment and non-initial fragments. Only the initial fragment contains Layer 4 information, such as TCP and UDP port numbers.

A network device checks whether a received fragment is the last fragment. If it is not, the device allocates memory for it and reassembles the fragments after the last fragment is received. However, an exploit exists whereby an attacker sends fragments to a device without ever sending the last fragment. Because the device cannot release the memory until the last fragment is received and all fragments are reassembled, if a large enough number of such fragments is sent in a short period, the device cannot process other services due to insufficient memory. To mitigate such an attack, the device starts a reassembly timer. If reassembly cannot be finished before the timer expires, the device returns an ICMP error packet to the sender; once the timer has expired without reassembly completing, the device discards the fragments stored in memory.

To prevent fragment packet attacks, you can specify the none-first-fragment keyword in an ACL rule to block non-initial fragments. Table 1-9 describes how ACLs process non-fragment packets, initial fragments, and non-initial fragments.

Table 1-9 IP packet processing methods
For example, ACL 3012 contains the following rules:

#
acl number 3012
 rule 5 deny tcp destination 192.168.2.2 0 none-first-fragment
 rule 10 permit tcp destination 192.168.2.2 0 destination-port eq www
 rule 15 deny ip
#
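The two keywords above, tcp-flag established and none-first-fragment, worked through as an added example that is not Huawei's code: a small first-match evaluator run over ACL 3012 from the page and over assumed rules for the one-way requirement described under TCP Flag (permit established, then deny TCP, inbound on the interface facing 192.168.2.0/24). The Packet and Rule fields, the use of CIDR in place of address and wildcard mask, the "no-match" result when no rule applies, and the assumption that a non-initial fragment carries no port or flag information are simplifications of mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp", "icmp", ...
    fragment: str = "none"                # "none", "initial" or "non-initial"
    dport: Optional[int] = None           # None: no Layer 4 header (non-initial fragment)
    flags: FrozenSet[str] = frozenset()   # TCP flags set, e.g. {"syn"} or {"syn", "ack"}
@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    proto: str = "ip"                     # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"                # CIDR stands in for address + wildcard mask
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None           # destination-port eq N
    established: bool = False             # tcp-flag established: ACK or RST set
    none_first_fragment: bool = False     # match non-initial fragments only

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    for addr, net in ((p.src, r.src), (p.dst, r.dst)):
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
            return False
    if r.none_first_fragment and p.fragment != "non-initial":
        return False
    # Assumption: port/flag conditions need a Layer 4 header, so a non-initial fragment
    # (dport None, no flags) never matches them; only non-fragments and initial fragments can.
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.established and not ({"ack", "rst"} & p.flags):
        return False
    return True

def evaluate(acl: List[Rule], p: Packet) -> str:
    # First matching rule wins; "no-match" only if no rule applies.
    return next((r.action for r in acl if rule_matches(r, p)), "no-match")

ACL_3012 = [  # exactly as listed on the page (www = port 80)
    Rule("deny", "tcp", dst="192.168.2.2/32", none_first_fragment=True),  # rule 5
    Rule("permit", "tcp", dst="192.168.2.2/32", dport=80),                # rule 10
    Rule("deny"),                                                         # rule 15
]
ONE_WAY = [  # assumed rules, applied inbound on the interface facing 192.168.2.0/24
    Rule("permit", "tcp", "192.168.2.0/24", "192.168.1.0/24", established=True),
    Rule("deny", "tcp", "192.168.2.0/24", "192.168.1.0/24"),
]
```

A connection request (SYN only) from 192.168.2.0/24 hits the deny rule, while SYN-ACK or RST segments answering a connection opened from 192.168.1.0/24 pass the established rule.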
What are ACL policies?

An access control list policy, or ACL policy, is the set of rules (permissions) that specifies the conditions necessary to perform certain operations on a resource. ACL policy definitions are important components of the security policy established for the secure domain.

What are the two main types of access control lists (ACLs)?

There are two types of ACLs. Filesystem ACLs filter access to files and/or directories: they tell operating systems which users can access the system, and what privileges the users are allowed. Networking ACLs filter access to the network.

What are the ACL categories based on ACL rules?

ACLs are classified into basic ACLs, advanced ACLs, Layer 2 ACLs, and user ACLs. These ACLs have different number ranges.

What is the purpose of using ACLs?

Access control lists are used for controlling permissions to a computer system or computer network. They are used to filter traffic in and out of a specific device. Those devices can be network devices that act as network gateways or endpoint devices that users access directly.