
DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

[CCNA] Explicit deny in ACL's

All training seems to claim an explicit deny at the end of Cisco ACLs, but in my experience it's not there.

Once when I left off the "deny any any" I got blacklisted as an open proxy.

So now I'm wondering why the explicit deny is still mentioned when it seems not to be there, at least sometimes.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

HELLFIRE
Premium
join:2009-11-25
kudos:18
said by DarkLogix:

Once when I left off the "deny any any" I got blacklisted as an open proxy.

Not sure where this came from, but the "deny any any" is hidden from a "show run," if that's what you mean.

Otherwise, its operation can easily be shown any number of ways where an ACL's called to match something, and when the value to match isn't present, it simply hits the "deny any any."

My 00000010bits

Regards

markysharkey
Premium
join:2012-12-20
united kingd
Yup, it's not visible. If you add in the line "deny any any" then you actually have two of them. And as Hellfire says, it's easy to prove. Look elsewhere for the reasons you were blacklisted. Maybe a machine in your network has been infected with a trojan and is part of a botnet or similar. It happens...
--
Binary is as easy as 01 10 11


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
said by markysharkey:

Yup, it's not visible. If you add in the line "deny any any" then you actually have two of them. And as Hellfire says, it's easy to prove. Look elsewhere for the reasons you were blacklisted. Maybe a machine in your network has been infected with a trojan and is part of a botnet or similar. It happens...

Oh, it wasn't recently, it was long ago, but using a checker the only way to fix it was adding a "deny any any" to the NAT ACLs.

I don't mean whether it's visible or not, but that it doesn't seem to be functional.

In my experience there seems to be a "permit any any" instead.

Back that one time I got blacklisted for being an open proxy, it verified that without an added "deny any any" anyone on the net could slip in and get NATed by my router.

Also, back then there was only one machine on my network, and yeah, when it happened I ran every scan (it was some odd sites that had an open proxy blacklist, and the only resolution was adding "deny any any" to the NAT ACL).

Thus why I ask: while books say it should function like there's a "deny any any" at the end, it doesn't.

Even once at work an ACL wasn't acting as expected till a "deny any any" was added (because we assumed the mystical explicit deny).

If it were there then I wouldn't still have to add "deny any" to the end of my NAT ACLs.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

markysharkey
Premium
join:2012-12-20
united kingd
said by DarkLogix:

Also, back then there was only one machine on my network, and yeah, when it happened I ran every scan (it was some odd sites that had an open proxy blacklist, and the only resolution was adding "deny any any" to the NAT ACL).

You may have had an order of operations issue. Usually on internet-facing networks you would have

no ip proxy-arp

configured. If the interface is replying to ARPs it may still be denying "traffic" but ARPs are being answered, but I don't actually know if this is the case.
--
Binary is as easy as 01 10 11


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
Well, due to what I have experienced I always add a "deny any" at the end.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
I run an 1841 behind my cable modem with an assorted variety of services on my Windows box. I've never been hit with a blacklist. I do get plenty of connection attempts to my Asterisk server, sufficiently so to warrant a separate ACL that explicitly forbids all inbound SIP traffic except from the SIP providers I use.

I would check the hosts inside and find out who's playing dirty. It's typical to build a fortress at the outer edge of the perimeter, and disregard the walls within.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
Well, back when it happened I turned off all but the router and then used the site the blacklist referred me to, to check if it was still accepting internet users into NAT, and it was.

It's been a long time and I don't even recall what site it was that was using an open proxy blacklist, but I know adding that deny fixed it and that I've put it on the tail of all my ACLs since.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

Network Guy
Premium
join:2000-08-25
New York
kudos:2
When you say that the site you went to said you're still accepting internet users into NAT, what does that mean?

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to DarkLogix
said by DarkLogix:

Back that one time I got blacklisted for being an open proxy, it verified that without an added "deny any any" anyone on the net could slip in and get NATed by my router.

Crazy question, but you wouldn't happen to have the config and exact URL / etc. to replicate it, would you? My troubleshooting senses are tingling and I'd love to replicate it and see for myself exactly what it's doing... just from an interest perspective.

said by DarkLogix:

Thus why I ask: while books say it should function like there's a "deny any any" at the end, it doesn't.

Think we've all been around long enough to know that "what the book says" and "what happens in the field" rarely match up, DarkLogix.

Regards

markysharkey
Premium
join:2012-12-20
united kingd
My experience is the opposite. The implicit deny all seems to work too well, in so far as I have never had it not work, and I find myself forehead-slapping when I forget to explicitly permit a service I need.
--
Binary is as easy as 01 10 11


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to HELLFIRE
said by HELLFIRE:

Think we've all been around long enough to know that "what the book says" and "what happens in the field" rarely match up

except when, you know, it does -- as in this case.
it's easy to verify.
set up a blank acl (or a single host acl). test it for incoming, outgoing firewall rules, test it on nat, test it on a route-map.
it will fail.
every.
single.
time.

anecdotal evidence of something a long time ago about something we can't verify with a config that can't be referenced -- i'm highly skeptical to say the least.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to DarkLogix
If we're talking IOS 9 or 10, maybe. Nothing you could download from Cisco today would function like that; all ACLs default to "deny" if no rule matches.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to DarkLogix
It's actually implicit.

Implicit means that, if no other rules in the ACL match, the very last action is to deny.

To be explicit means you must configure it. And that's why you only see it sometimes and not others - some examples have an explicit deny rule configured at the end, others rely on the implicit action to deny at the end.

Configuring an explicit deny can be useful by allowing you to count the number of packets that don't match any other rules in the ACL. Otherwise, if all you want to do is deny if no other rule matches, then you do not need to configure a deny.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to HELLFIRE
said by HELLFIRE:

Crazy question, but you wouldn't happen to have the config and exact URL / etc. to replicate it,

I wish I did, but that was well over 5 years ago; it's just that the incident is burned into my memory.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to tubbynet
said by tubbynet:

anecdotal evidence of something a long time ago

I guess it might have been some IOS bug (they are known to happen.)
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to TomS_
said by TomS_:

Configuring an explicit deny can be useful by allowing you to count the number of packets

So then, if we assume that the incident in my memory was a fluke (an IOS bug or something), would this mean that having a manually added deny would add memory usage, as it'd have to count?

I'm thinking of removing the deny I put on my NAT ACLs and just waiting to see if it ever happens again.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to DarkLogix
said by DarkLogix:

I guess it might have been some IOS bug (they are known to happen.)

assuming that it wasn't some other misconfiguration that was done. those have been known to happen much more frequently than bugs.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to DarkLogix
Minimal extra memory usage, since it's only adding one extra counter. That might consume 32-64 bits perhaps for the integer itself, and a few extra bytes for the data structure that points to that integer. We're probably talking less than 30 bytes.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to DarkLogix
And admittedly I didn't read the whole thread.

Where did you get blacklisted? What kind of service blacklisted you? This could point to other problems; otherwise this would be the first time I've ever heard of someone being blacklisted over their NAT configuration.

Network Guy
Premium
join:2000-08-25
New York
kudos:2
I've read about getting on a DNSBL list for running a mail server behind an IP address known to be assigned for residential service, but that's a new one for me as well.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to TomS_
said by TomS_:

And admittedly I didn't read the whole thread.

Where did you get blacklisted? What kind of service blacklisted you? This could point to other problems; otherwise this would be the first time I've ever heard of someone being blacklisted over their NAT configuration.

There was some forum that used an open proxy blacklist.

Seems that forum didn't want multiple users from one IP, so they used a list of open proxies to block any user from registering from an IP that was marked as an open proxy.

It was long ago, but the deny page pointed to the site that maintained the blacklist, which also had a test site, and the only thing I could do back then to get that test to come up clean was add the deny entry; on passing the test it would remove you from the blacklist.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
What kind of open proxy (which protocol) did they have a problem with?


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
said by TomS_:

What kind of open proxy (which protocol) did they have a problem with?

IIRC the blacklist site claimed that a NAT misconfig was allowing them to relay traffic through my router and get NATed by my router.

The only thing that got the blacklist tester to say it was good was adding a deny to the end of the NAT ACL.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
Well, that's just WTF. I can't begin to imagine how on earth they could identify something like that.

They would have to literally be sitting at the other end of your WAN link, sending packets to your router with a different destination address to your router, such that your router would NAT them, and then on the way back de-NAT (is that even a term?) and send back to them on the other side of the WAN link.

Otherwise, how on earth are they sending packets to your router over the greater internet from more than 1 hop away, when the intermediate routers are just going to route the packet to the destination address in the packets?

The only other way I can think to do this is over a tunnel. But it's a highly unlikely situation requiring lots of hackery, and not likely to be a widely enough exploitable thing to worry about.

So indeed a very odd thing, I would like to know more...

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to DarkLogix
That is 100% Certified Angus Beef(TM) Bull Shit. Cisco routers will not hairpin traffic, especially by accident.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to TomS_
said by TomS_:

So indeed a very odd thing, I would like to know more...

Yeah, it was weird, and when it happened I was like WTF.
IIRC it was on a 2651 router back around 2006 or so (maybe a bit earlier).

I would guess they'd have to give themselves some funky route that let them know the hops from them to me, then give a default route of my router.

But yeah, if I could find that site again I think I'd try to figure out how they were checking.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
"ip source-route"??? That's the only simple way to get traffic to enter and then turn around and leave the same interface. Even in '06 you should've had that turned off.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
But having a NAT ACL of

permit 10.0.0.0 0.0.0.255

should have only allowed my traffic to be NATed (I don't think that other command was there, but still). If the implicit deny was functioning right I should never have had to change it to

Permit 10.0.0.0 0.0.0.255
Deny any
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv
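An added illustration, not code from this thread or from Cisco: a small Python model of top-down, first-match standard-ACL evaluation with the implicit deny, run over the two NAT ACL variants quoted above, with the per-ACE packet counters TomS_ describes. Wildcard-mask semantics follow the documented Cisco rule (a 1 bit means "don't compare"); the sample source addresses are constructed.

```python
import ipaddress

def parse_ace(line):
    """Parse one standard ACE: 'permit 10.0.0.0 0.0.0.255', 'deny any',
    'permit host 10.0.0.5'. Returns (action, network, wildcard); a 1 bit in
    the wildcard means that bit of the source address is not compared."""
    parts = line.split()
    action = parts[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError("ACE must start with permit or deny: %r" % line)
    if parts[1].lower() == "any":                 # any == 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    if parts[1].lower() == "host":                # host X == X 0.0.0.0
        return action, int(ipaddress.IPv4Address(parts[2])), 0
    network = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, network, wildcard

class StandardAcl:
    """First-match evaluation ending in the implicit deny that IOS never shows."""
    def __init__(self, lines):
        self.aces = [parse_ace(line) for line in lines]
        self.hits = [0] * len(self.aces)          # per-ACE match counters
        self.implicit_deny_hits = 0               # modelled here only; IOS has none

    def evaluate(self, source):
        ip = int(ipaddress.IPv4Address(source))
        for i, (action, network, wildcard) in enumerate(self.aces):
            if ((ip ^ network) & (~wildcard & 0xFFFFFFFF)) == 0:
                self.hits[i] += 1
                return action
        self.implicit_deny_hits += 1              # fell off the end: implicit deny
        return "deny"

def nat_acl_comparison(sources):
    """Run the same sources through the thread's two NAT ACLs. Returns verdict
    pairs per source, the explicit ACL's counters, and the bare ACL's silent drops."""
    bare = StandardAcl(["permit 10.0.0.0 0.0.0.255"])
    explicit = StandardAcl(["Permit 10.0.0.0 0.0.0.255", "Deny any"])
    verdicts = {s: (bare.evaluate(s), explicit.evaluate(s)) for s in sources}
    return verdicts, explicit.hits, bare.implicit_deny_hits

if __name__ == "__main__":
    # Constructed sources: inside host, outside host, host in the adjacent inside /24.
    verdicts, counters, silent = nat_acl_comparison(["10.0.0.7", "192.0.2.44", "10.0.1.7"])
    for src, (without, with_deny) in verdicts.items():
        print(f"{src:12} bare ACL: {without:6}  with 'Deny any': {with_deny}")
    print(f"explicit 'Deny any' counted {counters[1]} packets; "
          f"implicit deny silently dropped {silent}")
```

Both ACLs return the same verdict for every source; the only observable difference is that the explicit "Deny any" line accumulates a hit count, which is what makes it useful for troubleshooting.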

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to DarkLogix
said by DarkLogix:

said by cramer:

said by TomS_:

said by DarkLogix:

said by TomS_:

What kind of open proxy (which protocol) did they have a problem with?

IIRC the blacklist site claimed that a NAT misconfig was allowing them to relay traffic through my router and get NATed by my router.

the only thing that got the blacklist tester to say it was good was adding a deny to the end of the nat ACL

Well, that's just WTF. I can't begin to imagine how on earth they could identify something like that...

That is 100% Certified Angus Beef(TM) Bull Shit. Cisco routers will not hairpin traffic, especially by accident.

it was weird, and when it happened I was like WTF.
IIRC it was on a 2651 router back around 2006 or so (maybe a bit earlier).

I'm with TomS_ and cramer on this... taking it as a 2651 with a standard NAT inside / outside setup, not sure how a packet inbound on the OUTSIDE interface could suddenly be taken by IOS to be coming in on the INSIDE interface and then sent to the ACL for processing... UNLESS IOS just has that deep of a bug(gy behavior) in it, or someone is just that much of a hacker-fu master on packet forging / source-routing / tunneling / etc.

...and as we established earlier, default deny should kill anything not matching the specified criteria of the ACL.

I'm REALLY scratching my head now... but hey, even if you can't find the URL, you could always lab this up somehow... I'm thinking a NAT inside / outside ISR, ip source routing turned on, then someone else sending forged / tunneled packets towards you that match the NAT ACL, then seeing the results...

Regards