T2600G-28TS Time Range and ACL

Re:T2600G-28TS Time Range and ACL
2019-12-07 09:16:40

@R1D2 @Mitya 

 

After a good night's sleep, please let me restate my assumptions:

 

- ACLs get evaluated like a queue, top-to-bottom, so that the first rule with either a permit or a deny decides the fate of a given packet

- consequently, the finer-tuned ACLs need to go up front, the broader ones to the bottom

- with a whitelisting approach, a catch-all deny-all rule must close the queue in order to deny everything not explicitly whitelisted

- this could have been done with an explicit rule, but TP-Link has attached a similar rule invisible/by default

 

I see the benefit of whitelisting in contrast to blacklisting, as I have more explicit control over what is allowed, in terms of direct visibility, instead of plugging all thinkable holes with blacklisting. But this implicit-rule whitelisting approach is, at least, surprising...

 

OTOH, a similar blacklisting approach would work without an implicit catch-all, as everything not covered by the rules would be allowed by definition. But handling is more complicated, as exceptions must be very finely tuned, without overlapping rules.

 

I am sure that this information is hidden somewhere in the manual, but I did not have any inclination to search, because this came unexpectedly.

 

This also clears up my initial time range problem.

 

Thanks to you all

Michael

#12
Re:T2600G-28TS Time Range and ACL
2019-12-07 12:48:09 - last edited 2019-12-07 13:12:51

 

Mike63 wrote

- ACLs get evaluated like a queue, top-to-bottom, so that the first rule with either a permit or a deny decides the fate of a given packet

- consequently, the finer-tuned ACLs need to go up front, the broader ones to the bottom

 

Every firewall, every ACL mechanism and even every single instruction processed by a dumb piece of silicon such as a CPU needs to obey a certain order of evaluation which needs to be defined as a policy somewhere. Even humans do sometimes need a policy which defines order of evaluation, e.g. in the mathematical expression: 4 + 3 × 10.

 

- with a whitelisting approach, a catch-all deny-all rule must close the queue in order to deny everything not explicitly whitelisted

- this could have been done with an explicit rule, but TP-Link has attached a similar rule invisible/by default

 

Every switch from any vendor always does this. If there is no explicit rule at the end of a processing chain (no matter what it is), an action must follow. Even if there were no (explicit or implicit!) action at all, there is a default action, too. And since it is up to the vendor what the default action is, you should always state it explicitly, so you can use the same logic on any other switch without changing the rules.

 

Pure logic tells you this:

 

If a rule matches, it can terminate the set of rules or it can continue to apply more rules. In the case of ACLs, the policy is to terminate the processing of the ruleset. If a rule doesn't match, the system continues applying rules. At the end, if no rule has matched, there is an action, too: the default action. »Do nothing« does not mean that the switch does nothing; it is just you who is guessing whether »do nothing« means processing the packet or not processing the packet. Both actions are still actions; you have to tell the switch what to do in order to do »nothing«.

 

It's even the same with humans: If your kids ask you whether they are allowed to play games at night, you narrow the time range (allow them nightly gaming only on Sat/Sun and only between 00:00 and 01:00) and you define a default policy for the time period which follows (go to bed), else your kids could say you allowed gaming between 00:00 and 01:00, but you didn't forbid it between 01:00 and XX:YY either. In this case, the word »nur« (only) defines the default policy. Just translate these rules into an ACL and there you are.

 

My parents once went crazy when I was told by them that the kids' room lamp has to be turned off at 20:30 and I discovered that a torch under the bedcover is enough to continue reading exciting thrillers while still obeying their rule. :-)

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#13
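To make the reasoning in both posts above concrete (first-match evaluation top to bottom, a time-limited rule that simply does not exist outside its time range, and a default action that applies when nothing matched), here is a small ACL evaluator added as an example. It is not code from the thread and not TP-Link's implementation; the rule fields, the `default` parameter standing in for the vendor's implicit action, the `shadowed()` check and the sample addresses, ports and dates are all my own assumptions.

```python
"""First-match ACL evaluator with time ranges and an explicit or implicit default action.

Added example; models the semantics discussed in the thread, not any specific switch.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TimeRange:
    weekdays: frozenset          # datetime.weekday() values: 0 = Monday ... 6 = Sunday
    start: str                   # "HH:MM", inclusive
    end: str                     # "HH:MM", exclusive

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.strftime("%H:%M") < self.end


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None = any destination port
    time_range: Optional[TimeRange] = None  # None = always active

    def matches(self, pkt: dict, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False         # outside its time range the rule is simply not there
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate(rules: List[Rule], pkt: dict, when: datetime, default: str = "deny") -> Tuple[str, int]:
    """Walk the list top to bottom; the first matching rule terminates evaluation.

    Returns (action, index). index == -1 means no rule matched and `default`
    (the assumed vendor-specific implicit action) decided the packet's fate.
    """
    for i, rule in enumerate(rules):
        if rule.matches(pkt, when):
            return rule.action, i
    return default, -1


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier, always-active rule
    already covers every packet they could match (a sufficient check, not exhaustive).
    This is the 'finer rules go up front' point turned into a lint."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.time_range is not None:
                continue         # a time-limited rule leaves gaps, so it shadows nothing
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(j)
                break
    return dead


# Constructed sample policy: the "only Sat/Sun between 00:00 and 01:00" rule from the thread.
GAMING = TimeRange(weekdays=frozenset({5, 6}), start="00:00", end="01:00")

# Whitelist in the right order: specific permits first, explicit catch-all last.
# Writing the deny-all yourself makes the policy independent of the vendor's implicit default.
WHITELIST = [
    Rule("permit", "192.168.1.0/24", "192.168.1.10/32", dport=443),
    Rule("permit", "192.168.1.0/24", "0.0.0.0/0", time_range=GAMING),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same rules, wrong order: the catch-all is evaluated first and shadows both permits.
BAD_ORDER = [WHITELIST[2], WHITELIST[0], WHITELIST[1]]

# Constructed sample packets and timestamps (2019-12-07 is a Saturday, weekday() == 5).
PKT_WEB = {"src": "192.168.1.50", "dst": "192.168.1.10", "dport": 443}
PKT_GAME = {"src": "192.168.1.50", "dst": "203.0.113.7", "dport": 27015}
SAT_0030 = datetime(2019, 12, 7, 0, 30)   # inside the gaming window
SAT_0130 = datetime(2019, 12, 7, 1, 30)   # outside it

if __name__ == "__main__":
    print("web, any time       ->", evaluate(WHITELIST, PKT_WEB, SAT_0130))      # ('permit', 0)
    print("game, Sat 00:30     ->", evaluate(WHITELIST, PKT_GAME, SAT_0030))     # ('permit', 1)
    print("game, Sat 01:30     ->", evaluate(WHITELIST, PKT_GAME, SAT_0130))     # ('deny', 2)
    print("no catch-all, deny  ->", evaluate(WHITELIST[:2], PKT_GAME, SAT_0130))  # ('deny', -1)
    print("no catch-all, permit->", evaluate(WHITELIST[:2], PKT_GAME, SAT_0130, default="permit"))
    print("bad order, web      ->", evaluate(BAD_ORDER, PKT_WEB, SAT_0130))      # ('deny', 0)
    print("shadowed in BAD_ORDER:", shadowed(BAD_ORDER))                         # [1, 2]
```

The two `default` calls show why the reply insists on an explicit final rule: with the same two permits, a switch whose implicit action is deny and one whose implicit action is permit give opposite answers for the same packet, and only the explicit catch-all makes the result the same everywhere. `shadowed()` flags the dead permits in `BAD_ORDER` but nothing in `WHITELIST`, because the time-limited rule is skipped as a shadowing candidate and the port-specific rule does not cover the port-agnostic catch-all.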