address and wildcard mask combinations are difficult to get wrong. More complex wildcard masks can also be used to select patterns of addresses. For example, the address 10.0.32.0 and wildcard mask 0.0.32.15 would select the first 15 host addresses in either the 10.0.0.0 network or the 10.0.32.0 network. Complex wildcard masks like this can provide significant improvements in efficiency, especially in large networks with structured and controlled IP addressing schemes. They also require that the network engineer have detailed and thorough knowledge of the network address when designing these complex access list elements.

Selection of transport layer protocol
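To make the wildcard-mask arithmetic concrete, here is an added example (not from the original text) that evaluates a Cisco-style address/wildcard pair and enumerates every address it selects; the 10.0.32.0 / 0.0.32.15 pair from the paragraph above is used as the sample input.

```python
# Added example: wildcard-mask matching as used in ACL elements.
# A 0 bit in the wildcard mask means "must match", a 1 bit means
# "don't care" (the inverse of a subnet mask).
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True if addr matches base under the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Clear the don't-care bits on both sides and compare what remains.
    return (a & ~w) == (b & ~w)


def selected_addresses(base: str, wildcard: str) -> list:
    """Enumerate every address the (base, wildcard) pair selects, in order."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Bit positions that are free to vary, e.g. 0.0.32.15 -> bits 0-3 and 13.
    free_bits = [i for i in range(32) if (w >> i) & 1]
    fixed = b & ~w
    result = []
    for n in range(1 << len(free_bits)):
        value = fixed
        for k, bit in enumerate(free_bits):
            if (n >> k) & 1:
                value |= 1 << bit
        result.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(result)]


if __name__ == "__main__":
    # The page's example: 10.0.32.0 with wildcard 0.0.32.15 selects
    # 10.0.0.0-10.0.0.15 and 10.0.32.0-10.0.32.15 (32 addresses in all).
    for ip in selected_addresses("10.0.32.0", "0.0.32.15"):
        print(ip)
```

Running it shows that address 10.0.16.1 is not selected even though it lies between the two ranges, which is exactly the kind of detail an engineer must know before relying on a non-contiguous mask.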
When configuring ACLs, it is important that only the correct transport layer protocols be specified in the element. Many network engineers, when unsure if a particular traffic flow uses a TCP port or a UDP port, will configure both. The first problem with doing this is that it opens a hole through the firewall, possibly giving intruders an avenue into the network. The other problem is that it introduces an extra element into the ACL. This means the ACL takes longer to process, introducing more latency into network communications. Network engineers might also make a mistake and unintentionally configure an ACL to use the incorrect transport layer protocol. For example, an ACL may be intended to permit HTTP traffic, but be configured with UDP port 80 (instead of TCP port 80).

Source and destination port(s)
Correctly specifying source and destination ports is usually fairly simple, but it can become quite complex for some traffic flows. In one example of a simple traffic flow, the client end of the connection uses a random high-numbered port to initiate a connection to a specific port at the server end. Defining the correct source and destination ports is not overly complex in this situation. A more difficult concept is understanding the flow of traffic between two hosts and building the ACLs to properly control that traffic. Simple traffic flows require symmetric access control elements for inbound and outbound access lists. In other words, the address and port information for traffic generated by a replying host is the mirror image of the address and port information for traffic generated by the initiating host. Examine these descriptions of a simple e-mail traffic flow traversing a firewall router to understand the relationship between the addresses and ports of initiating and responding traffic:
  1. A user wants to check his e-mail on a remote ISP mail server.
  2. The client PC opens the mail client and initiates a connection to a POP3 mail server.
  3. The request for new mail is generated and sent by the client PC.
  4. The packets traverse the LAN, get to the firewall router, and are processed by the access list controlling outbound traffic on the external router port.
  5. Having satisfied an element of the outbound access list, the router forwards the traffic to the next hop on the way to the ISP mail server.
  6. The ISP mail server has mail waiting for the user. When the ISP mail server receives the request, the mail server responds with the mail items it has for the user. Because the traffic is now returning to the client PC, the address and port information from the request packets have the source details swapped with the destination details.
  7. The mail server sends the reply packets onto the Internet and they eventually get back to the firewall router. The traffic must satisfy an element of the access list controlling inbound traffic on the external router port before being forwarded to the LAN.
  8. The ‘reply’ traffic reaches the client, where the mail items are displayed by the e-mail client software.
Other traffic flows are quite involved and network engineers must understand these flows before attempting to control them using access lists. One such complex traffic flow is the File Transfer Protocol, better known as FTP. FTP uses TCP at the transport layer and is associated with two port numbers. They are ports 20 and 21. TCP port 21 is used for FTP control messages, while TCP port 20 is used for FTP data messages. When an FTP client connects to an FTP server, a control session is established. The port used at the client end will be randomly chosen from port numbers above 1023, and the port used to reference the server end will be TCP port 21. When the user-based application issues a ‘get’ command to the FTP client, it is requesting a file from the FTP server. This file must be transferred using a separate FTP data connection so that the user-based application can still control the FTP server and interrupt the file transfer if necessary. The FTP client binds to an additional local port (above 1024), and sends this information to the FTP server through the FTP control connection. The server responds by attempting to open a connection with a source port of TCP port 20 and the destination port supplied by the FTP client. As a result, the firewall router controlling this traffic needs a single element permitting outbound traffic to TCP port 21 for FTP control data, but two elements to allow the inbound traffic. The first element must allow reply FTP control traffic from TCP port 21 on the FTP server. The other element must allow new FTP data traffic from TCP port 20 on the FTP server.

Use of the ‘established’ keyword
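The following added example (not from the original text) is a minimal evaluator for extended ACL elements. It encodes the POP3 flow above as a mirrored outbound/inbound pair and the active-mode FTP flow as one outbound and two inbound elements, and it also honours the ‘established’ keyword described in the next section. The addresses, the client ports and the use of TCP port 110 for POP3 are constructed for the example.

```python
# Added example: first-match evaluation of Cisco-style ACL elements,
# with an implicit deny at the end of every list.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit; set on every packet after the SYN


@dataclass
class Element:
    action: str              # "permit" or "deny"
    src: str                 # exact address or "any"
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]
    established: bool = False

    def matches(self, p: Packet) -> bool:
        ok = (self.src in ("any", p.src) and self.dst in ("any", p.dst)
              and self.sport in (None, p.sport)
              and self.dport in (None, p.dport))
        # 'established' additionally requires the ACK bit, so a bare SYN
        # arriving from outside can never satisfy such an element.
        return ok and (p.ack or not self.established)


def evaluate(acl: List[Element], p: Packet) -> str:
    """Walk the list top-down; first matching element decides, else deny."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


CLIENT, MAIL, FTP = "192.0.2.10", "203.0.113.25", "203.0.113.21"  # constructed
OUTBOUND = [  # applied to traffic leaving the LAN toward the ISP
    Element("permit", CLIENT, None, MAIL, 110),  # POP3 request (TCP 110 assumed)
    Element("permit", CLIENT, None, FTP, 21),    # FTP control request
]
INBOUND = [  # the mirror image of each request, plus the FTP data connection
    Element("permit", MAIL, 110, CLIENT, None, established=True),  # POP3 reply
    Element("permit", FTP, 21, CLIENT, None, established=True),    # control reply
    Element("permit", FTP, 20, CLIENT, None),  # server-initiated data (a new SYN)
]
```

Note that the FTP data element cannot carry ‘established’: the server opens that connection itself, so its first packet is a SYN without ACK.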
In a TCP session, all packets after the first have the ACK bit set. The initiating host sets the SYN bit of the first packet to on but does not set the ACK bit. Subsequent packets have both bits set to on. Using the "established" keyword means a packet must match the specified source and destination IP addresses and ports and must also have the ACK bit set before a complete match is possible. This characteristic of TCP packets in a connection can be used by an access list to control the allowed source of sessions. For example, an access list watching inbound traffic may have an element to permit traffic from a remote Telnet server (source port TCP port 23). By adding the ‘established’ keyword to this element, the access list can be configured to permit traffic from a remote Telnet server, but only if the Telnet connection was initiated from inside the firewall router. Obviously, the established keyword can be used to increase the security provided by an access list. If this established keyword is applied to an outbound access list, unexpected results may occur. Again, network engineers need to have a thorough understanding of network traffic flows before