
I'm learning about firewalls and access-lists, and I'm trying to decide what sort of access list I should have on the DMZ, particularly regarding outbound traffic. There's certain outbound traffic that I don't want to allow - obviously, SMTP should only be allowed to originate from the mail server and so on. However, I've heard that outbound filtering often causes problems if you're too strict, because there are a lot of legitimate resources that can be requested and it's hard to know all of them.

My question is, once I have an ACL that allows things like SMTP only from the mail server and so on, what rules should I put at the end of the ACL to not break everything? Saying

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any

seems a little insecure. Are there ranges of ports that I can safely close off? Or is a permit any any pretty much my only option?

Thanks!

Nate

2 Answers


You can use gt and lt in Cisco ACLs, so you might want something like this as the second-to-last line:

ip access-list extended foo
 permit tcp 192.168.1.0 0.0.0.255 gt 1024 any
 permit udp 192.168.1.0 0.0.0.255 gt 1024 any

Where 192.168.1.0/24 is your internal network, and you want to allow traffic from unprivileged ports for them. Then the last line is the deny any any.

Depending on the operating systems you might want to change the 1024 to match whatever the bottom of the ephemeral port range is for those OSes.

(Syntax might be off, haven't done Cisco ACLs in a little while)

That being said I don't think having a default permit ACL for egress traffic is a horrible thing to do -- the troubleshooting it might cause might not be worth the added security.

Kyle Brandt

If you want to use your router as a firewall, I would highly recommend you move away from "regular" ACLs and configure, depending on your IOS version, either CBAC (Context Based Access Control) or ZBF (Zone-Based Policy Firewall). If you have a recent version of IOS (and a "security enabled image", or what used to be called a "K9" image) I would strongly recommend you take a look at ZBF.

The thing is that regular ACLs are stateless. By this I mean you may run into problems because, depending on the protocol of the outbound traffic, the router is unable to know what kind of ports it has to open for the returning traffic. FTP is the classic example of this.

As you may know, the FTP client negotiates with the server the TCP ports they are going to use for the data transfer inside the "control channel" of FTP. If the router/firewall does not inspect this traffic then it is unable to know which port to open to allow the transfer of data, and problems may arise. There are many protocols that fall under this category (voice and video protocols are great examples).

With CBAC, or better yet, with ZBF, this does not happen. They are stateful. By this I mean the router is able to inspect the traffic (and potentially discover what UDP/TCP ports are being negotiated), and because of this the router "knows" which ports to open, from whom to whom, to allow the communication to happen and, even more important from a security point of view, when to dynamically close them.

jliendo
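The stateful alternative this answer recommends, written out as a ZBF policy for the asker's situation. This is an added example, not configuration from the answer above; it assumes an IOS image with the security feature set, the DMZ on GigabitEthernet0/1 (172.16.10.0/24) with the mail server at 172.16.10.25, and the Internet on GigabitEthernet0/0, all hypothetical. The SMTP restriction from the question is expressed as a match-all class (source must be the mail server AND the protocol must be SMTP), and FTP is listed explicitly so the inspection engine reads the port negotiation on the control channel and opens the data connection only for that session.

```cisco
! Added example, not part of the original answer.
! Assumed: DMZ 172.16.10.0/24 on Gi0/1, mail server 172.16.10.25, Internet on Gi0/0.
!
! Who may speak SMTP: only the mail server. "match-all" ANDs the two conditions.
ip access-list extended MAIL-SERVER
 permit ip host 172.16.10.25 any
!
class-map type inspect match-all DMZ-SMTP
 match access-group name MAIL-SERVER
 match protocol smtp
!
! Everything else the DMZ may originate. Listing ftp here is what makes the
! router parse the PORT/PASV exchange and track the negotiated data port;
! the pinhole exists only while that FTP session does and is closed with it.
class-map type inspect match-any DMZ-GENERAL
 match protocol ftp
 match protocol http
 match protocol https
 match protocol dns
 match protocol ntp
!
! Any DMZ-originated flow not matched above (SMTP from a non-mail host,
! an unknown port) falls into class-default and is dropped and logged.
policy-map type inspect DMZ-TO-INET
 class type inspect DMZ-SMTP
  inspect
 class type inspect DMZ-GENERAL
  inspect
 class class-default
  drop log
!
zone security DMZ
zone security INET
!
interface GigabitEthernet0/1
 description DMZ
 zone-member security DMZ
!
interface GigabitEthernet0/0
 description Internet
 zone-member security INET
!
! Only DMZ -> INET is defined. Return traffic for inspected sessions is
! permitted by state, so no INET -> DMZ pair is needed for it; traffic the
! DMZ must ACCEPT from the Internet (e.g. to a web server) needs its own
! zone-pair and policy, otherwise it is dropped.
zone-pair security DMZ-INET source DMZ destination INET
 service-policy type inspect DMZ-TO-INET
```

To watch the stateful behaviour the answer describes, open an FTP transfer from a DMZ host and run "show policy-map type inspect zone-pair DMZ-INET sessions": the control session and the dynamically created data session both appear, and the data session disappears once the transfer ends, without any "gt 1024" style permit ever having been configured.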