
Creating an ACL?


Ross Helfand


Hi all,

 

This seems like it should be really easy but I can't get it working.  We recently configured BGP on some new Netscalers we got, and for some reason port 179 is open externally which is tripping up one of our security scans.


So I created an ACL like so:

add ns acl drop_bgp DENY -destIP = XX.XX.XX.XX -destPort = 179 -protocol TCP

And yes, I did enable and apply the ACL.  However, I can still get there from outside if I telnet to port 179 on that IP.  And I don't see any "hits" when looking at the ACL in the GUI.

 

The IP address in the ACL is a SNIP on the Netscaler, I'm not sure if that makes any difference.

add ns ip XX.XX.XX.XX 255.255.255.0 -vServer DISABLED -telnet DISABLED -ftp DISABLED -gui DISABLED -ssh DISABLED -snmp DISABLED -dynamicRouting ENABLED

Am I missing something obvious?

 

Thanks!


Thanks for the replies!

 

51 minutes ago, ramanka said:

Did you run the scan on NSIP or SNIP?

 

Can you try adding the ACL with just destPort as 179?

 

add ns acl drop_bgp DENY -destPort = 179 -protocol TCP

apply nsacls

 

Yes, I did try this, and got the same result.

 

45 minutes ago, Valeri Bonchev said:

Looking at the output of the add ns ip command, what you are seeing is most likely expected. You have dynamic routing enabled on the IP. This will most likely override any ACL, to prevent one from breaking admin access by enabling such ACLs.

 

This is interesting.  I don't need Admin access on this particular SNIP.  Maybe I can disable dynamicrouting?  I will have to poke around some more.

 



The -dynamicRouting ENABLED setting has no bearing on the ACL discussed here. The behavior is controlled by enabling and disabling BGP on the ADC, which will cause the ADC to start listening for BGP traffic. Running set l3param -implicitACLAllow DISABLED overrides that behavior for internal processes, and the ACL will then be honored.
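The fix from the post above, written out as a complete NetScaler CLI sequence. This is an added example, not a command set any poster supplied; 203.0.113.10 (the BGP peer), 198.51.100.5 (the SNIP with dynamicRouting ENABLED) and the priority values are placeholders I chose.

```nscli
# Step 1: stop the ADC's own internal listeners (the BGP daemon on TCP/179 among them)
# from bypassing ACLs. The default is ENABLED, which is why the DENY in the first post
# never registered a hit even though it was applied.
set l3param -implicitACLAllow DISABLED

# Step 2: with the implicit allow off, the legitimate peer must be allowed explicitly,
# or the DENY below also drops your own BGP session. A lower priority number wins.
# 203.0.113.10 = placeholder peer, 198.51.100.5 = placeholder SNIP.
add ns acl allow_bgp_peer ALLOW -srcIP = 203.0.113.10 -destIP = 198.51.100.5 -destPort = 179 -protocol TCP -priority 10

# Step 3: drop everyone else who reaches the BGP listener on that SNIP.
add ns acl drop_bgp DENY -destIP = 198.51.100.5 -destPort = 179 -protocol TCP -priority 20

# Step 4: ACL changes are staged until applied.
apply ns acls

# Step 5: verify. The scanner's connection attempts should now show as hits on drop_bgp,
# the peer's traffic as hits on allow_bgp_peer, and the BGP neighbor should stay up.
show l3param
show ns acl
```

Re-run the external scan afterwards; port 179 on the SNIP should report as filtered rather than open, while the hit counter on drop_bgp confirms the rule is the one doing the dropping.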
