established command in ACL
Would you guys say that the established command in an ACL is to prevent packets with the SYN bit set from entering the router, or to allow packets with the ACK bit set into the router?
I always thought it was to prevent packets with the SYN bit set from entering, but I can see how allowing ACK into the network would be needed as well, since the established command is used to allow connections that have been established from the inside, and an incoming packet with ACK set is probably replying to a SYN from the inside... But then again it makes sense to block incoming packets with SYN set, as that is being established from the outside...
I'm confused... help!
CCIE# 38186
showroute.net
Comments
Met44: The established keyword is looking specifically for the ACK bit set in the control fields of the TCP header.
permit tcp any any established
If we put an ACL with this entry in it on an edge router so it filters incoming traffic, it will not permit traffic that has the SYN bit set simply because there is no match (unless matched elsewhere in the ACL). While this statement does not explicitly deny traffic with the SYN bit set, the implicit deny at the end of the ACL will, so it will have the effect you are describing.
This statement looks for and permits the ACK bit, while the implicit deny logic handles the dropping of new incoming connections.
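As an added worked example (not code from the original thread or from Cisco), the following Python model walks a few constructed TCP packets through the one-line ACL quoted in the answer above, top-down with first match wins and the implicit deny at the end. The matching rule modelled for `established` is the one Cisco IOS documents: a match occurs when the ACK or RST bit is set. Addresses, packet names and the `Packet`/`Entry`/`evaluate` helpers are assumptions made for this example. Besides the SYN-gets-dropped, reply-gets-permitted behaviour discussed in the thread, it also shows the caveat a practitioner should keep in mind: `established` is stateless, so an unsolicited packet from outside that merely carries the ACK bit (an ACK scan, for instance) passes the entry even though no inside host ever sent a SYN.

```python
# Added example: a minimal model of how a Cisco-style ACL evaluates the
# `established` keyword against TCP packets. Semantics modelled (per Cisco
# IOS documentation): `established` matches when the TCP ACK or RST bit is
# set; entries are checked top-down, first match wins, and a packet that
# matches nothing hits the implicit deny at the end of the list.
from dataclasses import dataclass

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    flags: frozenset = frozenset()


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str = "ip"           # "ip" (any) or "tcp"
    established: bool = False   # only meaningful when proto == "tcp"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.established:
            # IOS semantics: match if the ACK or RST bit is set.
            return bool(pkt.flags & {ACK, RST})
        return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under acl (first match wins)."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"  # implicit deny at the end of every ACL


# The ACL from the answer above, applied inbound on the edge router:
#   permit tcp any any established
INBOUND_ACL = [Entry("permit", "tcp", established=True)]

# Constructed sample packets (hypothetical documentation-range addresses).
OUTSIDE, INSIDE = "203.0.113.10", "192.0.2.20"
PACKETS = {
    "new connection from outside (SYN)":  Packet(OUTSIDE, INSIDE, flags=frozenset({SYN})),
    "reply to inside's SYN (SYN/ACK)":    Packet(OUTSIDE, INSIDE, flags=frozenset({SYN, ACK})),
    "mid-stream data from outside (ACK)": Packet(OUTSIDE, INSIDE, flags=frozenset({ACK})),
    "reset from outside (RST)":           Packet(OUTSIDE, INSIDE, flags=frozenset({RST})),
    "unsolicited ACK, e.g. an ACK scan":  Packet(OUTSIDE, INSIDE, flags=frozenset({ACK})),
    "udp from outside":                   Packet(OUTSIDE, INSIDE, proto="udp"),
}


def classify_all(acl=INBOUND_ACL, packets=PACKETS) -> dict:
    """Verdict for every sample packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{verdict:6}  {name}")
```

Note that the "unsolicited ACK" packet is byte-for-byte the same as the mid-stream data packet: the ACL has no connection table, so it cannot tell the two apart. If the requirement is to admit only replies to connections opened from inside, that needs stateful inspection rather than `established` alone.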