> # Cisco novice question: is it possible to enable filtering for packets
> # inbound/outbound through the internet interface, but disabled for all
> # other interfaces? In other words, filter all internet traffic but allow
> # all internal subnet-subnet traffic to pass unfiltered? I guess the
> # internet traffic would still bog down the router anyway, though.
>
> No. On a Cisco, you can only filter packets as they're outgoing on
> some interface. Thus, you have to put filters on _all_ the interfaces
> to use a Cisco in a typical firewall system. If it's a
> multi-interface box that you want to use for internal routing as well
> as your Internet connection (a box with 1 serial port for the Internet
> line and 2 ethernet ports for internal networks, for instance), having
> to set up filters on all the ethernet ports kills the ether-to-ether
> routing performance.
The next software release, known as 9.21 and scheduled for 1Q94, will
also provide inbound access-lists, i.e., access-lists that apply to
the inbound interface. As you correctly pointed out, current access lists
apply to the interface on which the packet is leaving the router.
> In my opinion, this is one of the 2 major flaws in Cisco's
> otherwise-good packet filtering scheme. The other is that they don't
> let you look at TCP or UDP source ports.
Yes, the latter is on the wish list for future development.
I don't have a date for it, yet, unfortunately.
Roland Acra
Cisco Systems, Europe
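As an added illustration of the two placements discussed in this exchange (example configuration, not from the original thread or from Cisco): the interface names, the 192.0.2.0/24 and 198.51.100.0/24 internal LANs, the mail host 192.0.2.25 and the list numbers are assumed, and the inbound form depends on the 9.21 release mentioned in the reply.

```cisco
! Added illustration; addresses, interface names and list numbers are assumed.
! Policy: the Internet may reach the mail host on TCP/25, nothing else.
!
! --- Before 9.21: lists are checked only as packets LEAVE an interface ---
! The list must hang "out" on every internal port, so it has to permit
! internal-to-internal traffic explicitly, and every LAN-to-LAN packet is
! evaluated against it (the ether-to-ether performance cost noted above).
access-list 101 permit ip  192.0.2.0    0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 permit ip  198.51.100.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.0.2.25 0.0.0.0 eq 25
access-list 101 deny   ip  0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 out
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip access-group 101 out
!
! --- With 9.21 inbound lists: filter once, on the Internet-facing port ---
! Packets arriving from the Internet with an internal source address cannot
! be legitimate, so the inbound list denies them (anti-spoofing) instead of
! permitting them as list 101 had to. The Ethernet ports carry no list, so
! LAN-to-LAN routing is not slowed.
access-list 102 deny   ip  192.0.2.0    0.0.0.255 0.0.0.0 255.255.255.255
access-list 102 deny   ip  198.51.100.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.2.25 0.0.0.0 eq 25
access-list 102 deny   ip  0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
!
interface Serial0
 ip access-group 102 in
interface Ethernet0
 no ip access-group 101 out
interface Ethernet1
 no ip access-group 101 out
```

Neither list can match on TCP or UDP source ports, which is the second limitation the thread raises; only destination ports (here `eq 25`) are testable.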