New Contributor

Configuration to have ACL deny act like iptables REJECT instead of DROP?

Currently we are using Adtran 1335s in the field as simple router / firewall combos on secured networks. What we are looking for is to change the default behavior of our firewall ACLs so that the Adtran doesn't simply drop the traffic (which eventually results in an application timeout on the client side) but instead responds immediately with RST/ACK (when using TCP) or an ICMP port unreachable (when using UDP). This configuration change would be done on the LAN interface and would make our applications much more responsive in the situation that a specific destination is blocked by ACL rules.

Essentially, in iptables format, I would want:

iptables -A INPUT -j REJECT

instead of:

iptables -A INPUT -j DROP

Contributor III

Re: Configuration to have ACL deny act like iptables REJECT instead of DROP?

Can you post the policy-class configuration and ACL (masking real IP address info, of course)?

Contributor III

Re: Configuration to have ACL deny act like iptables REJECT instead of DROP?

The ACL is used more like a traffic identifier, where the policy-class actually does the policing of traffic. 

For example:

ip access-list extended sample1
  remark Sample ACL
  deny udp 192.168.0.0 0.0.0.255 host 8.8.8.8 eq 53 log
  permit tcp any host 8.8.8.8 eq 53 log

ip policy-class Private
  allow list sample1 overload policy Public

In this example, hosts on the network 192.168.0.0/24 are not allowed to make DNS requests to host 8.8.8.8, but all other hosts in the Private policy-class are allowed. Packets from 192.168.0.0/24 will be dropped.

Another way to do it:

!
ip access-list extended sample1
  remark Allowed to Google DNS
  permit udp any any eq 53 log
!
ip access-list extended sample2
  remark No access to Google DNS
  permit udp 192.168.0.0 0.0.0.255 any eq 53
!
ip policy-class Private
  discard list sample2 overload policy Public
  allow list sample1 overload policy Public
!

In this example, the network 192.168.0.0/24 is being explicitly denied, so the packets are rejected.

I'm not sure if this is what you are looking for, but it is a better way to deny network traffic. An Adtran Engineer would have to tell us if the packets are dropped vs. rejected when using discard in the policy-class vs. deny in the ACL.

jayh may be able to definitively answer that.

Honored Contributor

Re: Configuration to have ACL deny act like iptables REJECT instead of DROP?

As I understand it the goal is to generate a "connection refused" or similar immediate response that the destination host isn't going to connect on that port, as opposed to silently dropping the traffic. I haven't labbed this, but perhaps a route-map would work.

As a rule, from a security viewpoint, silently dropping the traffic is preferred as it doesn't convey any information that the host address is alive. However for a backup path scenario I can see where an immediate response that the service is not available would be preferred in some cases.

Try this. Create an ACL matching the traffic you want to reject and route it to the null interface, then allow all else to be normally routed. This should result in an unreachable response for the denied traffic. Example: 192.168.0.0/24 isn't permitted to browse the web, all else allowed.

ip access-list extended web-list
  permit tcp 192.168.0.0 0.0.0.255 any eq 80
  permit tcp 192.168.0.0 0.0.0.255 any eq 443

route-map no-web-map permit 10
  match ip address web-list
  set interface null 0

route-map no-web-map permit 20

Then apply the route map to the appropriate incoming interface(s).

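To make the matching logic in the two policy-class examples and the route-map example concrete, here is a small Python model of how an AOS-style ACL identifies traffic and how a policy-class or route-map then acts on it. This is an added example written for this thread, not Adtran AOS code or output, and it does not model whether the device sends a RST or ICMP unreachable (the thread itself leaves that to an Adtran engineer). The semantics it assumes are the ones the replies describe: an ACL is read top-down, first match wins, with an implicit deny at the end; a `deny` entry only means "not identified by this list"; a policy-class walks its entries in order, `allow` forwards and `discard` drops whatever the named list permits, and traffic no entry identifies is discarded; a route-map applies the `set` of the first sequence whose match ACL permits the packet, and a sequence with no match clause matches everything. The sample packets and the 203.0.113.0/24 web server address are constructed for the example.

```python
"""Model of the ACL / policy-class / route-map matching shown in the thread.

Added example, not Adtran AOS code.  All semantics are the assumptions stated
in the lead-in: first-match ACLs with implicit deny, ordered policy-class and
route-map evaluation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    proto: str
    src: str        # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None   # "eq <port>" on the destination, if given


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco/AOS-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return ipaddress.IPv4Address(second) == ipaddress.IPv4Address(addr)
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(second))   # bits that must match
    base = int(ipaddress.IPv4Address(first))
    return (base & care) == (int(ipaddress.IPv4Address(addr)) & care)


def ace_matches(e: Ace, p: Packet) -> bool:
    return (e.proto == p.proto and addr_matches(e.src, p.src)
            and addr_matches(e.dst, p.dst)
            and (e.dport is None or e.dport == p.dport))


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for e in acl:
        if ace_matches(e, p):
            return e.action == "permit"
    return False


def policy_class(entries: List[Tuple[str, str]], acls: Dict[str, List[Ace]], p: Packet) -> str:
    """entries are (action, acl_name) in configured order; returns 'allow' or 'discard'."""
    for action, acl_name in entries:
        if acl_permits(acls[acl_name], p):
            return action
    return "discard"            # identified by no list: implicit discard (assumed)


def route_map(seqs: List[Tuple[Optional[str], str]], acls: Dict[str, List[Ace]], p: Packet) -> str:
    """seqs are (match_acl_or_None, set_value); returns the set of the first sequence that hits."""
    for match_acl, set_value in seqs:
        if match_acl is None or acl_permits(acls[match_acl], p):
            return set_value
    return "drop"               # no sequence matched: assumed drop


# The configurations from the replies above, transcribed into the model.
ACLS = {
    "sample1_first": [Ace("deny", "udp", "192.168.0.0 0.0.0.255", "host 8.8.8.8", 53),
                      Ace("permit", "tcp", "any", "host 8.8.8.8", 53)],
    "sample1": [Ace("permit", "udp", "any", "any", 53)],
    "sample2": [Ace("permit", "udp", "192.168.0.0 0.0.0.255", "any", 53)],
    "web-list": [Ace("permit", "tcp", "192.168.0.0 0.0.0.255", "any", 80),
                 Ace("permit", "tcp", "192.168.0.0 0.0.0.255", "any", 443)],
}
PRIVATE_FIRST = [("allow", "sample1_first")]                    # first reply example
PRIVATE_SECOND = [("discard", "sample2"), ("allow", "sample1")]   # "another way to do it"
NO_WEB_MAP = [("web-list", "null 0"), (None, "normal routing")]   # route-map reply


def evaluate_examples() -> Dict[str, str]:
    """Run constructed sample packets through each configuration and collect verdicts."""
    lan_udp_dns = Packet("udp", "192.168.0.10", "8.8.8.8", 53)          # constructed
    other_udp_dns = Packet("udp", "192.168.5.10", "8.8.8.8", 53)        # constructed
    other_tcp_dns = Packet("tcp", "192.168.5.10", "8.8.8.8", 53)        # constructed
    lan_https = Packet("tcp", "192.168.0.10", "203.0.113.10", 443)      # constructed
    other_https = Packet("tcp", "192.168.5.10", "203.0.113.10", 443)    # constructed
    return {
        "first/lan_udp_dns": policy_class(PRIVATE_FIRST, ACLS, lan_udp_dns),
        "first/other_udp_dns": policy_class(PRIVATE_FIRST, ACLS, other_udp_dns),
        "first/other_tcp_dns": policy_class(PRIVATE_FIRST, ACLS, other_tcp_dns),
        "second/lan_udp_dns": policy_class(PRIVATE_SECOND, ACLS, lan_udp_dns),
        "second/other_udp_dns": policy_class(PRIVATE_SECOND, ACLS, other_udp_dns),
        "route/lan_https": route_map(NO_WEB_MAP, ACLS, lan_https),
        "route/other_https": route_map(NO_WEB_MAP, ACLS, other_https),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_examples().items():
        print(f"{name:24} -> {verdict}")
```

Running it shows the point the second reply makes: the `deny` line in the first example only stops the LAN's UDP DNS from being identified by `sample1`, so those packets fall through to the implicit discard, while in the second example the same traffic is caught by an explicit `discard list sample2` before `allow list sample1` is consulted. It also shows that, as written, the first example's `sample1` only permits TCP DNS from other hosts, since its permit entry is TCP-only. For the route-map, web traffic from 192.168.0.0/24 lands on `null 0` and everything else falls to sequence 20.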