3 Replies Latest reply on Jul 18, 2017 8:18 PM by jayh

    Configuration to have ACL deny act like iptables REJECT instead of DROP?

    ejarosek New Member

      Currently we are using Adtran 1335's in the field as simple router / firewall combos on secured networks.  What we are looking for is to change the default behavior of our firewall ACLs so that the Adtran doesn't simply drop the traffic (which eventually results in an application timeout on the client side) but instead responds immediately with RST/ACK (when using TCP) or an ICMP port unreachable (when using UDP).  This configuration change would be done on the LAN interface and would make our applications much more responsive in the situation that a specific destination is blocked by ACL rules.

       

      Essentially, in iptables format, I would want:

      iptables -A INPUT -j REJECT

      instead of:

      iptables -A INPUT -j DROP

        • Re: Configuration to have ACL deny act like iptables REJECT instead of DROP?
          vmaxdawg05 Past_Featured_Member

          Can you post the policy-class configuration and ACL (masking real IP address info, of course)?

          • Re: Configuration to have ACL deny act like iptables REJECT instead of DROP?
            vmaxdawg05 Past_Featured_Member

            The ACL is used more like a traffic identifier, where the policy-class actually does the policing of traffic. 

            For example:

             

            ip access-list extended sample1
              remark Sample ACL
              deny udp 192.168.0.0 0.0.0.255 host 8.8.8.8 eq 53 log
              permit tcp any host 8.8.8.8 eq 53 log

            ip policy-class Private
              allow list sample1 overload policy Public

            In this example, hosts on the network 192.168.0.0/24 are not allowed to make DNS requests to host 8.8.8.8, but all other hosts in the Private policy-class are allowed.  Packets from 192.168.0.0/24 will be dropped.

             

            Another way to do it:

            !
            ip access-list ext sample1
              remark Allowed to Google DNS
              permit udp any any eq 53 log
            !
            ip access-list ext sample2
              remark No access to Google DNS
              permit udp 192.168.0.0 0.0.0.255 any eq 53
            !
            ip policy-class Private
              discard list sample2 overload policy Public
              allow list sample1 overload policy Public
            !

            In this example, the network 192.168.0.0/24 is being explicitly denied, so the packets are rejected. 

             

            I'm not sure if this is what you are looking for, but it is a better way to deny network traffic.  An Adtran Engineer would have to tell us if the packets are dropped vs. rejected when using discard in the policy-class vs. deny in the ACL.

             

            jayh may be able to definitively answer that. 
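As an added illustration (not code from this thread or from Adtran), here is a small Python model of how the sample1 ACL above selects traffic, using the same first-match and wildcard-mask semantics (a 1 bit in the wildcard means "don't care", so 0.0.0.255 covers a /24). It assumes numeric ports only and ignores the trailing log keyword; whether a matched packet is then allowed or discarded is decided by the policy-class, not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: tuple                  # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int]        # None means any destination port

def _take_addr(tokens: list) -> tuple:
    """Pop one AOS-style address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    # A malformed mask such as '0.0.255' (three octets) raises ValueError here
    # instead of silently matching something unintended.
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wild

def parse_entry(line: str) -> AclEntry:
    """Parse one 'permit|deny <proto> <src> <dst> [eq <port>] [log]' line (numeric ports only)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        dport = int(tokens.pop(0))
    return AclEntry(action, proto, src, dst, dport)

def _addr_matches(spec: tuple, ip: str) -> bool:
    addr, wild = spec
    # Bits set in the wildcard are ignored; the rest must equal the configured address.
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if _addr_matches(e.src, src) and _addr_matches(e.dst, dst):
            return e.action
    return "implicit-deny"

# Constructed from the first example in this thread (wildcard corrected to four octets).
SAMPLE1 = [parse_entry(l) for l in (
    "deny udp 192.168.0.0 0.0.0.255 host 8.8.8.8 eq 53 log",
    "permit udp any host 8.8.8.8 eq 53 log",
)]
```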

              • Re: Configuration to have ACL deny act like iptables REJECT instead of DROP?
                jayh Hall_of_Fame

                As I understand it the goal is to generate a "connection refused" or similar immediate response that the destination host isn't going to connect on that port, as opposed to silently dropping the traffic. I haven't labbed this, but perhaps a route-map would work.

                 

                As a rule, from a security viewpoint, silently dropping the traffic is preferred as it doesn't convey any information that the host address is alive. However for a backup path scenario I can see where an immediate response that the service is not available would be preferred in some cases.

                 

                Try this. Create an ACL matching the traffic you want to reject and route it to the null interface, then allow all else to be normally routed. This should result in an unreachable response for the denied traffic. Example: 192.168.0.0/24 isn't permitted to browse the web, all else allowed.

                 

                ip access-list extended web-list
                  permit tcp 192.168.0.0 0.0.0.255 any eq 80
                  permit tcp 192.168.0.0 0.0.0.255 any eq 443

                route-map no-web-map permit 10
                  match ip address web-list
                  set interface null 0
                route-map no-web-map permit 20


                Then apply the route map to the appropriate incoming interface(s).