ACL with IP, TCP, UDP, ICMP and others

workfrom925 Member Posts: 196
I'm studying ACL. A common example that I read is to block www access (TCP), or TFTP (UDP), or Ping (ICMP), or all of them, then allow everything else with a "permit IP any any". Does this mean TCP, UDP, ICMP are just part of IP?

The chapter did not get too deep into it, so I'm wondering what specific protocol to block for email? FTP? Telnet? and SSH?

Does "deny IP any any" deny email, ftp, telnet, and ssh too?

Comments

  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    IP is capable of carrying multiple protocols. The IP Protocol field is used to identify the exact protocol IP is encapsulating.
    IP Protocol 1 = ICMP
    IP Protocol 6 = TCP
    IP Protocol 17 = TCP

    So generically, IP can be "any of the above". Or it can specifically be protocol 6, or protocol 17 or one of dozens of other protocols.

    So if you say "deny IP any any" what do you think is the result?

    TCP/UDP does the same thing, but with port numbers.
    TCP port 22 = SSH
    TCP port 23 = telnet
    UDP port 69 = TFTP

    So you can very specifically deny SSH with TCP port 22 or specifically permit DNS with UDP port 53 (you should do TCP port 53 too, but let's not get into that). There's technically thousands of TCP/UDP ports.

    So if you say "deny tcp any any" what do you think is the result?

    And if you want to get really involved, ICMP is similar. It has protocol types and codes that identify specific ICMP messages. Type 8 = echo, Type 0 = reply. So you can deny all ICMP, or just certain types of ICMP.

    So... does deny ip any any deny email, ftp, telnet and ssh too?


    Before going into ACLs, you have to understand the component parts:
    IP addressing & subnetting
    TCP/UDP communication
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
  • DCD Member Posts: 475 ■■■■□□□□□□
    What book are you using?
    The chapter did not get too deep into it, so I'm wondering what specific protocol to block for email? FTP? Telnet? and SSH?

    Does "deny IP any any" deny email, ftp, telnet, and ssh too?
    What type of ACL would you use to block these protocols?
    You really should re-study your protocols and port numbers.
  • smcclenaghan Member Posts: 139
    Yes, "deny ip any any" will block email (smtp tcp/25), ftp (tcp/20 & tcp/21), telnet (tcp/23) and ssh (tcp/22); they are all part of TCP, which is part of IP.

    TCP is the stateful, connection-oriented protocol of IP.
    UDP is the stateless, connectionless protocol of IP.
    ICMP is for diagnostics (still part of IP).

    If you plan to take the ICND1 or ICND2 (or CCNA) you'll need to know the above, but possibly you're studying for a different test and were just asking about ACLs because CCNA covers them too?
  • workfrom925 Member Posts: 196
    From the TCP/UDP port list:

    Port | TCP | UDP | Description                                                                                  | Status
    20   | TCP | UDP | FTP data transfer                                                                            | Official
    21   | TCP |     | FTP control (command)                                                                        | Official
    22   | TCP | UDP | Secure Shell (SSH) — used for secure logins, file transfers (scp, sftp) and port forwarding   | Official
    23   | TCP | UDP | Telnet protocol—unencrypted text communications                                              | Official
    24   | TCP | UDP | Priv-mail : any private mail system.                                                         | Official
    25   | TCP |     | Simple Mail Transfer Protocol (SMTP)—used for e-mail routing between mail servers            | Official

    For me to block FTP access, do I have to block both port 20 and port 21? What if I just block one of the ports?
  • workfrom925 Member Posts: 196
    If you plan to take the ICND1 or ICND2 (or CCNA) you'll need to know the above, but possibly you're studying for a different test and were just asking about ACLs because CCNA covers them too?

    Thanks for your answer. I'm going for CCNA:)
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Man, I don't even know if I want to introduce you to FTP since that one is a little more complicated, but it's important to know.

    FTP Active Mode
    The original way of doing FTP before the days of stateful firewalls.

    Client initiates control connection to server on TCP port 21.
    Connection completes.
    Server initiates data connection to client on TCP port 20.

    C ---- TCP 21 ----> S
    C <--- TCP 20 ----- S

    Now these days you can't do that because of all the stateful firewalls.

    FTP Passive Mode
    Generally the way things are done now.

    Client initiates control connection to server on TCP port 21.
    Connection completes.
    Server tells Client to initiate a data connection on a 2nd TCP port.
    Client initiates data connection to server on the specified TCP port.

    C ---- TCP 21 ----> S
    C ---- TCP XXX ---> S

    The 2nd TCP port is generally configured as a range on the server and since the range is known, you can allow those incoming TCP ports on the firewall.

    Things get really complicated when you start doing implicit|explicit mode FTPS. My recommendation is to do SFTP since it's much simpler and only one port. :)
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5 42.8%
  • xXErebuS Member Posts: 230
    Man, I don't even know if I want to introduce you to FTP since that one is a little more complicated, but it's important to know.

    FTP Active Mode
    The original way of doing FTP before the days of stateful firewalls.

    Client initiates control connection to server on TCP port 21.
    Connection completes.
    Server initiates data connection to client on TCP port 20.

    C ---- TCP 21 ----> S
    C <--- TCP 20 ----- S

    Now these days you can't do that because of all the stateful firewalls.

    FTP Passive Mode
    Generally the way things are done now.

    Client initiates control connection to server on TCP port 21.
    Connection completes.
    Server tells Client to initiate a data connection on a 2nd TCP port.
    Client initiates data connection to server on the specified TCP port.

    C ---- TCP 21 ----> S
    C ---- TCP XXX ---> S

    The 2nd TCP port is generally configured as a range on the server and since the range is known, you can allow those incoming TCP ports on the firewall.

    Things get really complicated when you start doing implicit|explicit mode FTPS. My recommendation is to do SFTP since it's much simpler and only one port. :)

    ALGs in FWs now also allow for FTP Active mode behind the scenes so that is also confusing lol.....
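As an added example (not from anyone in the thread), here is a small Python evaluator for Cisco-style extended ACL lines. It answers the "deny ip any any" versus "deny tcp any any" question from the first reply by running both against sample packets, and it shows how the known passive-mode data range from the FTP posts can be permitted on the server side. Only the `any any` form with `eq`/`range` is handled, the packets are constructed, and the 50000-50100 passive range is an assumption.

```python
import re

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # ACL keyword -> IP protocol number (None = any)
# Supported ACE shape: permit|deny <proto> any any [eq N | range A B]  (address wildcards omitted)
ACE_RE = re.compile(r"^(permit|deny)\s+(ip|icmp|tcp|udp)\s+any\s+any"
                    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?$")

def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, kw, eq, lo, hi = m.groups()
    ports = (int(eq), int(eq)) if eq else ((int(lo), int(hi)) if lo else None)
    if ports and kw not in ("tcp", "udp"):
        raise ValueError("port operators only apply to tcp/udp")
    return action, PROTO[kw], ports

def ace_matches(ace, pkt):
    _, proto, ports = ace
    if proto is not None and pkt["proto"] != proto:   # 'ip' matches every protocol number
        return False
    if ports is not None and not ports[0] <= pkt.get("dport", -1) <= ports[1]:
        return False
    return True

def evaluate(acl, pkt):
    """First matching line wins; anything unmatched hits the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

# Constructed sample packets: IP protocol number and (for TCP/UDP) destination port.
PACKETS = {"ssh": {"proto": 6, "dport": 22}, "telnet": {"proto": 6, "dport": 23},
           "smtp": {"proto": 6, "dport": 25}, "tftp": {"proto": 17, "dport": 69},
           "ping": {"proto": 1}, "ftp-ctl": {"proto": 6, "dport": 21},
           "ftp-pasv-data": {"proto": 6, "dport": 50042}}

BLOCK_TCP = ["deny tcp any any", "permit ip any any"]
BLOCK_IP = ["deny ip any any"]
# Inbound ACL on an FTP server: control port plus the configured passive range (assumed 50000-50100).
FTP_SERVER_IN = ["permit tcp any any eq 21", "permit tcp any any range 50000 50100"]

def run(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for acl in (BLOCK_TCP, BLOCK_IP, FTP_SERVER_IN):
        print(acl, "->", run(acl))
```

Active-mode FTP does not fit this model because the server opens the data connection toward a client port that the client-side ACL cannot know in advance, which is why the posts above point to stateful firewalls and ALGs.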