What is the difference between ACL policies and rule policies?

The device supports various ACL matching conditions. This section describes the commonly used conditions.

Time Range

Format: time-range time-name

All ACLs support packet filtering based on time ranges. For details about time ranges, see Time Range.

Protocol Type Carried by IP

Format: protocol-number | icmp | tcp | udp | gre | igmp | ip | ipinip | ospf

An advanced ACL can filter packets based on protocol types, such as ICMP (protocol number 1), TCP (protocol number 6), UDP (protocol number 17), GRE (protocol number 47), IGMP (protocol number 2), IP (any IP layer protocol), IPinIP (protocol number 4), and OSPF (protocol number 89). The protocol number ranges from 1 to 255.

For example, to block all user traffic on an interface connected to a large number of attackers, specify the protocol type as IP so that all IP packets on the interface are discarded. The configuration is as follows:

rule deny ip //Reject IP packets.

After the transparent firewall function is enabled on a device, the transparent firewall discards all packets entering the interzone by default, including service and protocol packets. If the packets of a dynamic routing protocol such as OSPF must pass through the transparent firewall, specify the protocol type as OSPF:

rule permit ospf  //Permit OSPF packets.

Source/Destination IP Addresses and Wildcard Masks

Format of source IP address and wildcard mask: source { source-address source-wildcard | any }

Format of destination IP address and wildcard mask: destination { destination-address destination-wildcard | any }

A basic ACL can filter packets based on source IP addresses; an advanced ACL can filter packets based on both source and destination IP addresses.

When the source and destination IP addresses are specified as matching conditions, the wildcard masks must be specified for them to determine address ranges.

The IP address wildcard mask has the same format as an inverse subnet mask (a 32-bit numeric string). The wildcard mask specifies which bits of the IP address are checked: a 0 bit in the mask means "check" and a 1 bit means "do not check." A subnet mask must have contiguous 0s and 1s, whereas a wildcard mask can have discontinuous 0s and 1s.

The wildcard mask can be 255.255.255.255 or 0 (equivalent to 0.0.0.0). The value 255.255.255.255 indicates any IP address, which is equivalent to the any keyword. The value 0 indicates that the source/destination address is a host address.

For example, configure a rule with an IP address wildcard mask specified to permit all IP packets from network segment 192.168.1.0/24:

rule 5 permit ip source 192.168.1.0 0.0.0.255

In this rule, the wildcard mask is 0.0.0.255, indicating that only the first three bytes (24 bits) of the IP address are checked. Therefore, if the first 24 bits of a packet's source IP address are the same as the first 24 bits of the specified IP address (192.168.1), the packet comes from network segment 192.168.1.0/24 and is permitted. Table 1-3 illustrates how the address range is calculated.

Table 1-3 Wildcard mask example

| Item                     | Decimal                                       | Binary                                                 |
|--------------------------|-----------------------------------------------|--------------------------------------------------------|
| Specified IP address     | 192.168.1.0                                   | 11000000.10101000.00000001.00000000                    |
| Wildcard mask            | 0.0.0.255                                     | 00000000.00000000.00000000.11111111                    |
| Determined address range | 192.168.1.* (* is an integer between 0 and 255) | 11000000.10101000.00000001.xxxxxxxx (x can be 0 or 1) |

For more examples of determining an address range by IP address and wildcard mask, see Table 1-4.

Table 1-4 Determining address ranges by IP addresses and wildcard masks

| IP Address | IP Address Wildcard Mask                            | Determined Address Range                                                                                                                        |
|------------|-----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
| 0.0.0.0    | 255.255.255.255                                     | Any IP address                                                                                                                                  |
| 172.18.0.0 | 0.0.255.255                                         | IP addresses on network segment 172.18.0.0/16                                                                                                   |
| 172.18.5.2 | 0.0.0.0                                             | Only host address 172.18.5.2                                                                                                                    |
| 172.18.8.0 | 0.0.0.7                                             | IP addresses on network segment 172.18.8.0/29                                                                                                   |
| 172.18.8.8 | 0.0.0.7                                             | IP addresses on network segment 172.18.8.8/29                                                                                                   |
| 10.1.2.0   | 0.0.254.255 (discontinuous 1s and 0s in wildcard mask) | IP addresses between 10.1.0.0/24 and 10.1.254.0/24 whose third byte is an even number, for example 10.1.0.0/24, 10.1.2.0/24, 10.1.4.0/24, and 10.1.6.0/24 |

Source/Destination MAC Addresses and Wildcard Masks

Format of source MAC address and wildcard mask: source-mac source-mac-address [ source-mac-mask ]

Format of destination MAC address and wildcard mask: destination-mac dest-mac-address [ dest-mac-mask ]

Only the Layer 2 ACL can filter packets based on source and destination MAC addresses.

When the source and destination MAC addresses are specified as matching conditions, the wildcard masks can be specified for them to determine address ranges.

The formats of a MAC address wildcard mask and a MAC address are the same. Both of them are in hexadecimal format. A MAC address wildcard mask consists of six bytes (48 bits) to indicate the bits in a MAC address to be checked. Different from those in an IP address wildcard mask, the value 1 in the MAC address wildcard mask indicates "check" and the value 0 indicates "not check." If the wildcard mask is not specified, the default mask ffff-ffff-ffff is used, indicating that every bit in a MAC address is checked.

Table 1-5 illustrates how a MAC address and a wildcard mask determine an address range.

Table 1-5 Determining address ranges by MAC addresses and wildcard masks

| MAC Address    | MAC Address Wildcard Mask | Determined Address Range          |
|----------------|---------------------------|-----------------------------------|
| 00e0-fc01-0101 | 0000-0000-0000            | Any MAC address                   |
| 00e0-fc01-0101 | ffff-ffff-ffff            | Only 00e0-fc01-0101               |
| 00e0-fc01-0101 | ffff-ffff-0000            | 00e0-fc01-0000 to 00e0-fc01-ffff  |
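As an added illustration (not from the original page), the following Python reproduces the two mask conventions described above: an IP wildcard in which a 0 bit means "check", and a MAC wildcard in which a 1 bit means "check". It also adds a helper that tells a contiguous wildcard (one expressible as a /prefix) from a discontinuous one such as 0.0.254.255; the function names are this example's own.

```python
from typing import Optional

# Added example (not from the page). IP wildcard: bit 0 = "check", bit 1 = "don't care".
# MAC wildcard: bit 1 = "check", bit 0 = "don't care". A bare "0" is the page's
# shorthand for the IP wildcard 0.0.0.0 (exact host).

def ip_to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer (accepts the bare '0' shorthand)."""
    octets = [0, 0, 0, 0] if dotted == "0" else [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(octets), "big")

def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True if addr lies in the range defined by rule_addr plus its wildcard mask."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF       # invert: 1 = compare this bit
    return (ip_to_int(addr) & care) == (ip_to_int(rule_addr) & care)

def wildcard_prefix(wildcard: str) -> Optional[int]:
    """CIDR prefix length for a contiguous wildcard (0.0.0.7 -> 29); None when the
    0s and 1s are discontinuous, a range no subnet mask can express."""
    w = ip_to_int(wildcard)
    if w & (w + 1):                  # contiguous low 1s make w + 1 a power of two
        return None
    return 32 - w.bit_length()

def matching_third_octets(rule_addr: str, wildcard: str) -> list:
    """Third-octet values that match; shows the discontinuous-mask row of Table 1-4."""
    a, b, _, d = rule_addr.split(".")
    return [x for x in range(256) if ip_matches(f"{a}.{b}.{x}.{d}", rule_addr, wildcard)]

def mac_to_int(mac: str) -> int:
    """xxxx-xxxx-xxxx notation (as used on the page) to a 48-bit integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)

def mac_matches(addr: str, rule_mac: str, mask: str = "ffff-ffff-ffff") -> bool:
    """MAC wildcard: a 1 bit means 'check'; the default mask checks every bit."""
    care = mac_to_int(mask)
    return (mac_to_int(addr) & care) == (mac_to_int(rule_mac) & care)
```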

VLAN ID and Mask

Format of outer VLAN ID and mask: vlan-id vlan-id [ vlan-id-mask ]

Format of inner VLAN ID and mask: cvlan-id cvlan-id [ cvlan-id-mask ]

A Layer 2 ACL can filter packets based on outer and inner VLAN IDs.

When VLAN IDs are configured as matching conditions, a VLAN mask can be specified after the VLAN ID to determine a VLAN range.

A VLAN mask is in the hexadecimal format, ranging from 0x0 to 0xFFF. If the VLAN mask is not specified, the default mask 0xFFF is used, indicating that every bit in the VLAN ID is checked.

Table 1-6 illustrates how a VLAN ID and a mask determine a VLAN range.

Table 1-6 Determining VLAN ranges by VLAN IDs and masks

| VLAN ID | VLAN Mask | Determined VLAN Range |
|---------|-----------|-----------------------|
| 10      | 0x000     | Any VLAN              |
| 10      | 0xFFF     | Only VLAN 10          |
| 10      | 0xFF0     | VLAN 1 to VLAN 10     |

TCP/UDP Port Number

Format of source port number: source-port { eq port | gt port | lt port | range port-start port-end }

Format of destination port number: destination-port { eq port | gt port | lt port | range port-start port-end }

When the protocol type of an advanced ACL is specified as TCP or UDP, the device can filter packets based on TCP or UDP source/destination port numbers.

The operators for specifying TCP/UDP port numbers are as follows:

  • eq port: equal to the source/destination port number.
  • gt port: greater than the source/destination port number.
  • lt port: less than the source/destination port number.
  • range port-start port-end: a source/destination port number range, where port-start is the start port number and port-end is the end port number.

A TCP/UDP port number can be given numerically or as a character-string alias. For example, rule deny tcp destination-port eq 80 can also be written as rule deny tcp destination-port eq www. Table 1-7 and Table 1-8 list commonly used TCP and UDP ports respectively, together with their character strings.

Table 1-7 Commonly used TCP ports and character strings

| Port Number | Character String | Protocol                             | Description                                                                              |
|-------------|------------------|--------------------------------------|------------------------------------------------------------------------------------------|
| 7           | echo             | Echo                                 | Echo service.                                                                            |
| 9           | discard          | Discard                              | Null service used for connectivity tests.                                                |
| 13          | daytime          | Daytime                              | Daytime protocol.                                                                        |
| 19          | CHARgen          | Character generator                  | Character Generator Protocol.                                                            |
| 20          | ftp-data         | FTP data connections                 | FTP data port.                                                                           |
| 21          | ftp              | File Transfer Protocol (FTP)         | File Transfer Protocol (FTP) port.                                                       |
| 23          | telnet           | Telnet                               | Telnet service.                                                                          |
| 25          | smtp             | Simple Mail Transfer Protocol (SMTP) | Simple Mail Transfer Protocol (SMTP).                                                    |
| 37          | time             | Time                                 | Time protocol.                                                                           |
| 43          | whois            | Nickname (WHOIS)                     | Directory service.                                                                       |
| 49          | tacacs           | TAC Access Control System (TACACS)   | Access control system based on TCP/IP authentication (TACACS login host protocol).       |
| 53          | domain           | Domain Name Service (DNS)            | Domain name service.                                                                     |
| 70          | gopher           | Gopher                               | Information index protocol (document searching and indexing on the Internet).            |
| 79          | finger           | Finger                               | Queries online user information on a remote host.                                        |
| 80          | www              | World Wide Web (HTTP)                | Protocol used by the WWW service. HTTP is used to browse web pages.                      |
| 101         | hostname         | NIC hostname server                  | Host name service on the NIC machine.                                                    |
| 109         | pop2             | Post Office Protocol v2              | Email protocol version 2.                                                                |
| 110         | pop3             | Post Office Protocol v3              | Email protocol version 3.                                                                |
| 111         | sunrpc           | Sun Remote Procedure Call (RPC)      | Sun RPC protocol, used to execute commands remotely and by the Network File System (NFS). |
| 119         | nntp             | Network News Transfer Protocol (NNTP) | Network News Transfer Protocol for retrieving newsgroup messages. It carries USENET.    |
| 179         | bgp              | Border Gateway Protocol (BGP)        | Border Gateway Protocol (BGP).                                                           |
| 194         | irc              | Internet Relay Chat (IRC)            | Internet Relay Chat (IRC) protocol.                                                      |
| 512         | exec             | Exec (rsh)                           | Authenticated remote process execution.                                                  |
| 513         | login            | Login (rlogin)                       | Remote login.                                                                            |
| 514         | cmd              | Remote commands                      | Used to execute non-interactive commands on a remote system (rshell, rcp).               |
| 515         | lpd              | Printer service                      | Line Printer Daemon, a print service.                                                    |
| 517         | talk             | Talk                                 | Remote talk between server and client.                                                   |
| 540         | uucp             | Unix-to-Unix Copy Program            | Unix-to-Unix copy protocol.                                                              |
| 543         | klogin           | Kerberos login                       | Kerberos login protocol version 5.                                                       |
| 544         | kshell           | Kerberos shell                       | Kerberos remote shell protocol version 5.                                                |

Table 1-8 Commonly used UDP ports and character strings

| Port Number | Character String | Protocol                                   | Description                                                                              |
|-------------|------------------|--------------------------------------------|------------------------------------------------------------------------------------------|
| 7           | echo             | Echo                                       | Echo service.                                                                            |
| 9           | discard          | Discard                                    | Null service used for connectivity tests.                                                |
| 37          | time             | Time                                       | Time protocol.                                                                           |
| 42          | nameserver       | Host Name Server                           | Host name service.                                                                       |
| 53          | dns              | Domain Name Service (DNS)                  | Domain name service.                                                                     |
| 65          | tacacs-ds        | TACACS-Database Service                    | TACACS database service.                                                                 |
| 67          | bootps           | Bootstrap Protocol Server                  | Bootstrap Protocol (BOOTP) server, also used by Dynamic Host Configuration Protocol (DHCP). |
| 68          | bootpc           | Bootstrap Protocol Client                  | Bootstrap Protocol (BOOTP) client, also used by Dynamic Host Configuration Protocol (DHCP). |
| 69          | tftp             | Trivial File Transfer Protocol (TFTP)      | Trivial File Transfer Protocol (TFTP).                                                   |
| 90          | dnsix            | DNSIX Security Attribute Token Map         | DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map.      |
| 111         | sunrpc           | SUN Remote Procedure Call (SUN RPC)        | Sun RPC protocol, used to execute commands remotely and by the Network File System (NFS). |
| 123         | ntp              | Network Time Protocol (NTP)                | Network Time Protocol (NTP), which may be exploited by worms.                             |
| 137         | netbios-ns       | NETBIOS Name Service                       | NETBIOS name service.                                                                    |
| 138         | netbios-dgm      | NETBIOS Datagram Service                   | NETBIOS datagram service.                                                                |
| 139         | netbios-ssn      | NETBIOS Session Service                    | NETBIOS session service.                                                                 |
| 161         | snmp             | SNMP                                       | Simple Network Management Protocol (SNMP).                                               |
| 162         | snmptrap         | SNMPTRAP                                   | SNMP trap.                                                                               |
| 177         | xdmcp            | X Display Manager Control Protocol (XDMCP) | X Display Manager Control Protocol (XDMCP).                                              |
| 434         | mobilip-ag       | MobileIP-Agent                             | Mobile IP agent.                                                                         |
| 435         | mobilip-mn       | MobileIP-MN                                | Mobile IP management.                                                                    |
| 512         | biff             | Mail notify                                | Notifies the user of received emails.                                                    |
| 513         | who              | Who                                        | Login user list.                                                                         |
| 514         | syslog           | Syslog                                     | UNIX system log service.                                                                 |
| 517         | talk             | Talk                                       | Remote talk between server and client.                                                   |
| 520         | rip              | Routing Information Protocol               | RIP routing protocol.                                                                    |

TCP Flag

Format: tcp-flag { ack | established | fin | psh | rst | syn | urg }*

When the TCP protocol is specified in an advanced ACL, the device filters packets based on the TCP flag.

A TCP packet header contains six flag bits:

  • URG(100000): indicates that the Urgent pointer field is significant.
  • ACK(010000): indicates that the Acknowledgment field is significant.
  • PSH(001000): push function. Asks to push the buffered data to the receiving application.
  • RST(000100): resets the connection.
  • SYN(000010): synchronizes sequence numbers to initiate a connection.
  • FIN(000001): no more data from sender.

The established field in TCP flags indicates that the flag bit is ACK(010000) or RST(000100).

The ACL rule with the tcp-flag keyword specified can implement unidirectional access control. For example, it is required that users on network segment 192.168.1.0/24 can access network segment 192.168.2.0/24, but users on network segment 192.168.2.0/24 cannot access network segment 192.168.1.0/24. To meet this requirement, you can apply an ACL rule to the inbound direction of the interface connecting to network segment 192.168.2.0/24.

From TCP connection setup to teardown, every packet except the initial SYN that requests the connection carries ACK=1 or RST=1. Based on this characteristic, configure the following ACL rules to permit the TCP packets from network segment 192.168.2.0/24 that have ACK=1 or RST=1 and deny its other TCP packets. In this way, you limit the TCP connection requests initiated from this network segment.

  • Method 1: Configure ACL rules with the ack and rst keywords specified.
    rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack  //Permit the TCP packets with the ACK value of 1.
    rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst //Permit the TCP packets with the RST value of 1.
    rule 15 deny tcp source 192.168.2.0 0.0.0.255  //Reject other TCP packets.
  • Method 2: Configure an ACL rule with the established keyword specified.
    rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established  //established indicates that ACK is 1 or RST is 1. Packets of an established TCP connection are permitted.
    rule deny tcp source 192.168.2.0 0.0.0.255     //Reject other TCP packets.

IP Fragmentation

Format: none-first-fragment

A basic ACL and an advanced ACL can filter packets based on IP fragmentation information.

The fragments of an IP packet consist of the initial fragment and non-initial fragments. Only the initial fragment contains Layer 4 information, such as TCP and UDP port numbers. A network device checks whether a received fragment is the last fragment. If it is not, the device allocates memory for it and reassembles the fragments once the last fragment arrives. An attacker can abuse this by sending fragments to a device without ever sending the last fragment. Because the device cannot release the memory until the last fragment is received and all fragments are reassembled, a large enough number of such fragments sent in a short period exhausts memory and the device can no longer process other services. To mitigate such an attack, the device starts a reassembly timer. If reassembly is not complete when the timer expires, the device returns an ICMP error packet to the sender and discards the fragments held in memory.

To prevent fragment packet attacks, you can specify the none-first-fragment keyword in an ACL rule to block non-initial fragments.

Table 1-9 describes how the ACLs process non-fragment packets, initial fragments, and non-initial fragments.

Table 1-9 IP packet processing methods

| Matching Conditions | Non-fragment Packets | Initial Fragments | Non-initial Fragments |
|---------------------|----------------------|-------------------|-----------------------|
| Layer 3 information (such as source/destination IP addresses) | When packets match the Layer 3 information, the matching result (permit or deny) is returned; otherwise, the next rule is processed. | When packets match the Layer 3 information, the matching result (permit or deny) is returned; otherwise, the next rule is processed. | When packets match the Layer 3 information, the matching result (permit or deny) is returned; otherwise, the next rule is processed. |
| Layer 3 information and Layer 4 information (such as TCP and UDP port numbers) | When packets match both the Layer 3 and Layer 4 information, the matching result (permit or deny) is returned; otherwise, the next rule is processed. | When packets match both the Layer 3 and Layer 4 information, the matching result (permit or deny) is returned; otherwise, the next rule is processed. | The packets do not match the rule, so the next rule is processed. |
| Layer 3 information and none-first-fragment | The packets do not match the rule, so the next rule is processed. | The packets do not match the rule, so the next rule is processed. | When packets match the Layer 3 information, the matching result (permit or deny) is returned; otherwise, the next rule is processed. |

For example, ACL 3012 contains the following rules:

#
acl number 3012
 rule 5 deny tcp destination 192.168.2.2 0 none-first-fragment
 rule 10 permit tcp destination 192.168.2.2 0 destination-port eq www
 rule 15 deny ip
#
  • If the packet is a non-fragment packet or an initial fragment: when its destination port number is 80 (WWW), the packet matches rule 10 and is permitted; otherwise, it matches rule 15 and is discarded.
  • If the packet is a non-initial fragment: the packet matches rule 5 and is discarded.
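As an added example (not from the original page or the device vendor's implementation), the Python below models the first-match evaluation described in the TCP Flag section and in Table 1-9, then runs ACL 3012 and the established rules against constructed packets. The Packet and Rule shapes, and the permit default when no rule matches, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

def ip_in(addr: str, rule_addr: str, wildcard: str) -> bool:
    """IP wildcard match: wildcard bit 0 = compare, 1 = ignore; '0' means 0.0.0.0."""
    to_int = lambda s: 0 if s == "0" else int.from_bytes(bytes(int(x) for x in s.split(".")), "big")
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(rule_addr) & care)

@dataclass
class Packet:                          # constructed packet shape, this example's assumption
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None        # None for a non-initial fragment (no L4 header)
    flags: frozenset = frozenset()     # TCP flags that are set, e.g. {"syn", "ack"}
    fragment: str = "none"             # "none" | "initial" | "non-initial"

@dataclass
class Rule:                            # one ACL rule; list order is evaluation order
    action: str                        # "permit" | "deny"
    proto: str = "ip"                  # "ip" matches any IP protocol
    src: tuple = ("0.0.0.0", "255.255.255.255")   # (address, wildcard) = any
    dst: tuple = ("0.0.0.0", "255.255.255.255")
    dport: Optional[int] = None
    tcp_flag: Optional[str] = None     # "ack" | "rst" | "established"
    none_first_fragment: bool = False

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):                       # Layer 3 conditions
        return False                                              # apply to every packet
    if not (ip_in(pkt.src, *rule.src) and ip_in(pkt.dst, *rule.dst)):
        return False
    if rule.none_first_fragment and pkt.fragment != "non-initial":  # Table 1-9, row 3
        return False
    if (rule.dport is not None or rule.tcp_flag) and pkt.fragment == "non-initial":
        return False                                              # no L4 info: row 2
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.tcp_flag == "established":                            # ACK=1 or RST=1
        return bool(pkt.flags & {"ack", "rst"})
    return rule.tcp_flag is None or rule.tcp_flag in pkt.flags

def evaluate(acl: list, pkt: Packet, default: str = "permit") -> str:
    # First matching rule wins; the default action is this example's assumption.
    return next((r.action for r in acl if rule_matches(r, pkt)), default)
ACL_3012 = [                           # ACL 3012 from the text ("0" = single host)
    Rule("deny", "tcp", dst=("192.168.2.2", "0"), none_first_fragment=True),
    Rule("permit", "tcp", dst=("192.168.2.2", "0"), dport=80),
    Rule("deny"),
]
ACL_ESTABLISHED = [                    # the established rules from the TCP Flag section
    Rule("permit", "tcp", src=("192.168.2.0", "0.0.0.255"), tcp_flag="established"),
    Rule("deny", "tcp", src=("192.168.2.0", "0.0.0.255")),
]
```

Because only the initial fragment carries port numbers, rule 10 can never match a non-initial fragment, which is why rule 5 must precede it.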

What are ACL policies?

An access control list policy, or ACL policy, is the set of rules (permissions) that specifies the conditions necessary to perform certain operations on a resource. ACL policy definitions are important components of the security policy established for a secure domain.

What are the two main types of access control lists ACLs?

There are two types of ACLs. Filesystem ACLs filter access to files and/or directories; they tell operating systems which users can access the system and what privileges those users are allowed. Networking ACLs filter access to the network.

What are the ACL categories based on ACL rules?

ACLs are classified into basic ACLs, advanced ACLs, Layer 2 ACLs, and user ACLs. Each type has its own number range.

What is the purpose of using ACL?

Access control lists are used for controlling permissions to a computer system or computer network. They are used to filter traffic in and out of a specific device. Those devices can be network devices that act as network gateways or endpoint devices that users access directly.