Re: Firewalls in service provider environments

8 Feb 2012

      ...
On Wed, Feb 8, 2012 at 9:25 AM, Matthew Reath <matt@mattreath.com> wrote:
...
Good point. Adding in an established entry, although may open you up for
TCP/SYN sort of packets is a better trade off than affecting customer
traffic.
'established' is explicitly NOT 'syn' ...
maybe you meant 'ack flood' ? (or rst flood? or .... but certainly not
syn flood)
If I had an 'established' entry on an inbound ACL to filter traffic coming
from my upstream provider wouldn't SYN ACK (2nd step in handshake) packets
be allowed to pass the ACL because of this?

But I see your point a connection initiation from external sources with
just the SYN flag set would not be allowed.  However if a session is
initiated internally the returning SYN ACK from the external server would
be allowed as would ACK and data packets with ACK set.