Manage session traffic with reflexive ACLs

By debate ·
Do you use your router to filter session traffic? Has it been effective? Share your comments about using reflexive access control lists (ACLs), as discussed in the April 9 Security Solutions e-newsletter.


Reflexive ACLs work well with us

by litzelmh In reply to Manage session traffic wi ...

As we are an ISP, we are limiting ourselves to using reflexive ACLs for UDP and ICMP traffic. We have found with TCP the router CPU usage is at 100% during peak times and we are dropping packets. However the current lists have GREATLY reduced nuisance traffic and broadcasts from outside our network.


Port numbers CAN'T change during a TCP session

by felipe_alfaro In reply to Manage session traffic wi ...

The article contains several inaccurate references. One of them is: "Reflexive ACLs don't work with applications that use port numbers that change during a TCP session".

Actually, port numbers NEVER change during a TCP session: they remain the same from the time the TCP session is established until it ends. In fact, after a connection ends, both ends keep the connection (and their source and destination ports) reserved for some time to catch up lost/retransmitted packets (the connection is kept in the TIME_WAIT state).

Source and destination port in a TCP session are determined during the three-way handshake (more concretely with the first SYN packet) and remain invariable during the whole TCP session until it ends.

Currently, neither the source/destination IP addresses nor the source/destination port numbers can change during a TCP session.


Changing port numbers

by Mike Mullins In reply to Port numbers CAN'T change ...

Actually you're wrong. As I mentioned in my article, FTP, which is a multichannel application, definitely changes port numbers after the initial anonymous login. If you're not sure how it works, here's the conversation:

Active Mode - The client connects from a random high port (N > 1024) to the FTP server's command port, port 21. After the client logs in (anonymously) and receives a reply, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

This is just one example of an application that begins a conversation on one set of ports and finishes it on another.


re: Changing port numbers

by jnemeth In reply to Changing port numbers

No, he is correct and you are wrong as usual. Port numbers can not change during a TCP session. You two appear to be talking at cross purposes and using different definitions for the same word. The other person is using session to refer to a single TCP session, which of course, is the only thing a router cares about when working with reflexive access lists. You seem to be using the word session to refer to the entire FTP session. FTP is a protocol that uses multiple TCP sessions, but the router doesn't know or care about this (unless you're using CBAC). Also, I would argue that the port numbers of the FTP session don't change, but rather that separate subsessions are created for each data transfer. Certainly the port numbers used by the control channel do not change during the session.
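The disagreement above comes down to what a reflexive ACL actually tracks. The following Python model is an added illustration, not code from the article or from any of the posters, and it is a simplification (no timeouts, no TCP state beyond the SYN). A plain reflexive ACL mirrors the 5-tuple of each outbound flow and permits only return traffic that matches that mirrored entry. In the active-mode FTP exchange Mike Mullins describes, the control channel's reply matches, but the server's new connection from port 20 to the client's port N+1 is a different TCP session and is denied. The second class, `FtpInspectingAcl`, is a constructed stand-in for application-layer inspection in the spirit of CBAC (not Cisco's implementation): it parses the PORT command on the control channel and pre-opens the expected data session. The addresses and port N are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# A flow key from the receiving router's point of view:
# (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # a bare SYN opens a new TCP session
    payload: str = ""      # application data, used only by the inspecting model


class ReflexiveAcl:
    """Toy reflexive ACL: each outbound packet creates a temporary entry for
    the exact reverse 5-tuple; an inbound packet is permitted only if it
    matches one of those entries. Entry timeouts are omitted for brevity."""

    def __init__(self) -> None:
        self.reflected: Set[Flow] = set()

    def outbound(self, p: Packet) -> str:
        # Mirror the tuple: the reply will have src and dst swapped.
        self.reflected.add((p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        return "permit"

    def inbound(self, p: Packet) -> str:
        key: Flow = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return "permit" if key in self.reflected else "deny"


PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class FtpInspectingAcl(ReflexiveAcl):
    """Constructed model of application-aware inspection (CBAC-like, not
    Cisco's code): when the FTP control channel carries a PORT command,
    add an entry for the data session the server is about to open."""

    def outbound(self, p: Packet) -> str:
        verdict = super().outbound(p)
        if p.proto == "tcp" and p.dst_port == 21 and p.payload:
            m = PORT_RE.search(p.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                data_ip = f"{h1}.{h2}.{h3}.{h4}"
                data_port = p1 * 256 + p2
                # Only honour a PORT command that names the client itself;
                # an advertised third-party address must not open a hole.
                if data_ip == p.src_ip:
                    self.reflected.add(("tcp", p.dst_ip, 20, data_ip, data_port))
        return verdict


def active_ftp_walkthrough(acl: ReflexiveAcl,
                           client: str = "192.0.2.10",      # constructed
                           server: str = "198.51.100.5",    # constructed
                           n: int = 40000) -> Dict[str, str]:
    """Replay the active-mode exchange from the thread against an ACL model."""
    results: Dict[str, str] = {}
    # 1. Control channel: client:N -> server:21 (new TCP session).
    results["control_out"] = acl.outbound(Packet("tcp", client, n, server, 21, syn=True))
    # 2. Server replies on the same session, reversed: matches the mirrored entry.
    results["control_reply"] = acl.inbound(Packet("tcp", server, 21, client, n))
    # 3. Client sends PORT N+1 on the control channel; ports are unchanged.
    p1, p2 = divmod(n + 1, 256)
    port_cmd = f"PORT {client.replace('.', ',')},{p1},{p2}"
    results["port_cmd"] = acl.outbound(Packet("tcp", client, n, server, 21, payload=port_cmd))
    # 4. Server opens a NEW TCP session: server:20 -> client:N+1.
    results["data_syn"] = acl.inbound(Packet("tcp", server, 20, client, n + 1, syn=True))
    return results


if __name__ == "__main__":
    print("reflexive only:", active_ftp_walkthrough(ReflexiveAcl()))
    print("with inspection:", active_ftp_walkthrough(FtpInspectingAcl()))
```

The control channel's ports never change, which is jnemeth's and felipe_alfaro's point; the data transfer is a separate inbound session that a reflexive ACL alone has no entry for, which is the behaviour the article warned about. Only something that reads the PORT command, as the inspecting model does, can relate the two sessions.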


deny icmp any any is very bad

by jnemeth In reply to Manage session traffic wi ...

In your example inbound filter you have the line, "deny icmp any any". I just want to point out to readers that may be inclined to follow your examples that this would be a very very bad thing to do and once again proves that you don't know anything about security. Doing this will break many things including ping, tracert, path MTU, notification of when a route/host goes away, instant notification that a service isn't available, etc. In other words, it would be a very good way to break your network.
