Randy, thank you for the reminder to look also at what services (L4
ports) should be generally blocked.
As I was implementing a similar rule for logging purposes, I discovered
an oddity with $VENDOR_C_XR ACLs. I created the following:
object-group port TCPUDP-BLOCKED
eq 0
eq sunrpc
eq 445
range 137 139
exit
ipv4 access-list IPV4-INET-IN
10 remark BCP 84 for transits, IX, and peering
101 remark *** Block bogon networks as src or dest ***
110 deny ipv4 net-group IPV4-BOGON any
111 deny ipv4 any net-group IPV4-BOGON
201 remark *** Blocked protocols PERMIT FOR NOW ***
210 permit udp any port-group TCPUDP-BLOCKED any log
211 permit udp any any port-group TCPUDP-BLOCKED log
212 permit tcp any port-group TCPUDP-BLOCKED any log
213 permit tcp any any port-group TCPUDP-BLOCKED log
[snip]
ipv4 access-list IPV4-INET-OUT
10 remark BCP 84 for transits, IX, and peering
101 remark *** Block bogon networks as src or dest ***
110 deny ipv4 net-group IPV4-BOGON any
111 deny ipv4 any net-group IPV4-BOGON
201 remark *** Blocked protocols PERMIT FOR NOW ***
210 permit udp any port-group TCPUDP-BLOCKED any log
211 permit udp any any port-group TCPUDP-BLOCKED log
212 permit tcp any port-group TCPUDP-BLOCKED any log
213 permit tcp any any port-group TCPUDP-BLOCKED log
[snip]
After I did this, logs on our syslog server started growing like crazy.
It was full of entries like:
2020-10-21T01:47:17-05:00,info,RP/0/RSP1/CPU0:Oct 21 01:47:17.972 CDT:
ipv4_acl_mgr[305]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list
IPV4-INET-OUT (210) permit udp on.net.ip.adr(0) -> off.net.ip.adr(0), 5
packets
2020-10-21T02:01:08-05:00,info,RP/0/RSP0/CPU0:Oct 21 02:01:08.490 CDT:
ipv4_acl_mgr[263]: %ACL-IPV4_ACL-6-IPACCESSLOGP : access-list
IPV4-INET-IN (210) permit udp off.net.ip.adr(0) -> on.net.ip.adr(0), 58
packets
After wondering why in the world my customers were sending so much data
on port 0, I found a few different sources saying that port 0 is
commonly used in place of valid information when dealing with fragments.
Turns out that $VENDOR_C_XR does this too.
It wasn't clear why fragments would be matching that rule until I found
the right vendor doc. The router will pass IP fragments with a "permit"
ACL line as long as that fragment's layer 3 info matches the layer 3
information in the ACL. The router logs the packet similarly to the above:
L4 protocol with source and dest port = 0. From the doc:
-----
For an access-list entry containing Layer 3 and Layer 4 information:
• The entry is applied to non-fragmented packets and initial fragments.
• If the entry matches and is a permit statement, the packet or
fragment is permitted.
• If the entry matches and is a deny statement, the packet or fragment
is denied.
The entry is also applied to non-initial fragments in the following
manner. Because non-initial fragments contain only Layer 3 information,
only the Layer 3 portion of an access-list entry can be applied. If the
Layer 3 portion of the access-list entry matches, and
• If the entry is a permit statement, the non-initial fragment is
permitted.
• If the entry is a deny statement, the next access-list entry is
processed.
The deny statements are handled differently for non-initial
fragments versus non-fragmented or initial fragments.
-----
Since my rule's L3 info was permit any source to any destination, any IP
fragment would match the rule, be passed, and be logged. The solution
was to add rules explicitly permitting fragments above the layer 4
rules:
ipv4 access-list IPV4-INET-IN
10 remark BCP 84 for transits, IX, and peering
101 remark *** Block bogon networks as src or dest ***
110 deny ipv4 net-group IPV4-BOGON any
111 deny ipv4 any net-group IPV4-BOGON
201 remark *** Blocked protocols PERMIT FOR NOW ***
203 permit ipv4 net-group IPV4-CUST any fragments
204 permit ipv4 net-group IPV4-BACKDOOR-HOSTS any fragments
205 permit ipv4 any net-group IPV4-BGP-AGG fragments
206 permit ipv4 any net-group IPV4-CUST fragments
210 permit udp any port-group TCPUDP-BLOCKED any log
211 permit udp any any port-group TCPUDP-BLOCKED log
212 permit tcp any port-group TCPUDP-BLOCKED any log
213 permit tcp any any port-group TCPUDP-BLOCKED log
Logs are a lot calmer now in terms of new lines per minute, and far more
relevant. When we switch those rules to deny statements, we can
eliminate the rules specifically permitting fragments.
Looks like $VENDOR_J makes things so much simpler for this task.
Thanks,
-Brian
On 2020-10-20 00:18, Randy Bush wrote:
term blocked-ports {
from {
protocol [ tcp udp ];
first-fragment;
destination-port
[ 0 sunrpc 135 netbios-ns netbios-dgm netbios-ssn 111 445 syslog
11211];
}
then {
sample;
discard;
}
}
and i block all external access to weak devices such as switches, pdus,
ipmi, ...
randy
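The fragment behaviour Brian describes is easy to misread from the doc text alone, so here is a small Python model of it as an added example (it is not Brian's configuration, Cisco code, or anything from the thread). It walks an ACL the way the quoted doc says IOS XR does: a non-initial fragment is matched on the Layer 3 portion of an entry only, so an L3+L4 permit catches it while an L3+L4 deny is skipped. The prefixes behind the net-groups, the log-line shape, and the assumption that the `fragments` keyword matches non-initial fragments only are constructed for the example; the real groups and the entries after `[snip]` are not on the page, so nothing is modelled past the entries shown.

```python
# Added example, not Brian's config or Cisco code: a model of the IOS XR ACL
# fragment semantics quoted in the post. It shows why a non-initial fragment
# hits "permit udp any any port-group ... log" (and is logged with ports (0)),
# and why the explicit "fragments" entries placed above it stop that.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the net-groups and port-group named in the post.
NET_GROUPS = {
    "IPV4-BOGON": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
    "IPV4-CUST": [ip_network("203.0.113.0/24")],
    "IPV4-BACKDOOR-HOSTS": [ip_network("198.51.100.5/32")],
    "IPV4-BGP-AGG": [ip_network("198.51.100.0/24")],
    "any": [ip_network("0.0.0.0/0")],
}
TCPUDP_BLOCKED = {0, 111, 137, 138, 139, 445}  # object-group port TCPUDP-BLOCKED (sunrpc = 111)


@dataclass
class Entry:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv4" (any IP protocol), "tcp" or "udp"
    src: str                      # net-group name or "any"
    dst: str
    sports: Optional[set] = None  # None = any source port
    dports: Optional[set] = None  # None = any destination port
    fragments: bool = False       # "fragments" keyword: assumed non-initial fragments only
    log: bool = False

    @property
    def has_l4(self) -> bool:
        return self.sports is not None or self.dports is not None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    sport: int = 0                # ports are unknown (0) on a non-initial fragment
    dport: int = 0
    non_initial_fragment: bool = False


def _in_group(addr: str, group: str) -> bool:
    return any(ip_address(addr) in net for net in NET_GROUPS[group])


def _l3_match(e: Entry, p: Packet) -> bool:
    # The Layer 3 portion of an entry: IP protocol, source and destination prefix.
    return e.proto in ("ipv4", p.proto) and _in_group(p.src, e.src) and _in_group(p.dst, e.dst)


def evaluate(acl: list, p: Packet):
    """Return (seq, action, logged) for the first entry that decides the packet,
    or None if none of the modelled entries decides it (the real ACL continues
    past the [snip] in the post, so the implicit deny is not modelled)."""
    for e in acl:
        if not _l3_match(e, p):
            continue
        if e.fragments:
            if p.non_initial_fragment:    # "fragments" entries see only non-initial fragments
                return (e.seq, e.action, e.log)
            continue
        if p.non_initial_fragment:
            # Only the L3 portion applies: an L3+L4 permit matches on L3 alone,
            # an L3+L4 deny is skipped and the next entry is processed.
            if e.has_l4 and e.action == "deny":
                continue
            return (e.seq, e.action, e.log)
        # Non-fragmented packets and initial fragments: full L3 + L4 match.
        if e.sports is not None and p.sport not in e.sports:
            continue
        if e.dports is not None and p.dport not in e.dports:
            continue
        return (e.seq, e.action, e.log)
    return None


def log_line(acl_name: str, p: Packet, verdict) -> str:
    """Constructed imitation of the IPACCESSLOGP text: a fragment prints as src(0) -> dst(0)."""
    seq, action, _ = verdict
    return f"access-list {acl_name} ({seq}) {action} {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})"


# The IPV4-INET-IN entries shown in the post: bogon denies, then the logged L4 permits.
BOGON = [Entry(110, "deny", "ipv4", "IPV4-BOGON", "any"),
         Entry(111, "deny", "ipv4", "any", "IPV4-BOGON")]
L4_LOGGED = [Entry(210, "permit", "udp", "any", "any", sports=TCPUDP_BLOCKED, log=True),
             Entry(211, "permit", "udp", "any", "any", dports=TCPUDP_BLOCKED, log=True),
             Entry(212, "permit", "tcp", "any", "any", sports=TCPUDP_BLOCKED, log=True),
             Entry(213, "permit", "tcp", "any", "any", dports=TCPUDP_BLOCKED, log=True)]
ACL_BEFORE = BOGON + L4_LOGGED
ACL_AFTER = BOGON + [Entry(203, "permit", "ipv4", "IPV4-CUST", "any", fragments=True),
                     Entry(204, "permit", "ipv4", "IPV4-BACKDOOR-HOSTS", "any", fragments=True),
                     Entry(205, "permit", "ipv4", "any", "IPV4-BGP-AGG", fragments=True),
                     Entry(206, "permit", "ipv4", "any", "IPV4-CUST", fragments=True)] + L4_LOGGED

# A non-initial UDP fragment from a constructed off-net source to a customer host.
FRAG = Packet("192.0.2.10", "203.0.113.7", "udp", non_initial_fragment=True)

if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        verdict = evaluate(acl, FRAG)
        print(f"{name}: {log_line('IPV4-INET-IN', FRAG, verdict)}  logged={verdict[2]}")
```

Running it shows the fragment deciding at entry 210 (logged) with the original order and at entry 206 (not logged) once the `fragments` entries sit above the L4 lines, while an L3-only deny such as the bogon entries still drops fragments because it has no L4 portion to strip.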