HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 244


Applying Access Control to Router Interfaces
Using ACLs Alone to Configure Access Control
Note
If the Secure Router OS firewall and the FTP ALG are enabled, you do not
have to configure an entry to allow traffic on the FTP data port (21). The FTP ALG
automatically allows the return traffic for established FTP sessions. For more
information about ALGs, see Chapter 4: ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network.
You may also want to permit Domain Name System (DNS) traffic on WAN
interfaces that are connected to the Internet. To permit DNS traffic, enter:
ProCurve(config-ext-nacl)# permit tcp any any eq domain
You would apply this ACL to the WAN interfaces on which you want to enforce
this access control.
Permit Routing Updates. When you configure ACLs, remember that any
traffic that you do not explicitly permit will match the implicit "deny any" entry
at the end of the ACL. If you have configured a routing protocol and routing
updates are being sent to a router interface, you should ensure that these
routing updates are permitted by the ACL you assign to that interface. For
example, to permit Routing Information Protocol (RIP) updates, enter:
ProCurve(config-ext-nacl)# permit udp any any eq rip
To permit Border Gateway Protocol (BGP) updates, enter:
ProCurve(config-ext-nacl)# permit tcp any any eq bgp
You would apply the ACL to the interface on which you want to permit routing
updates.
Permit Traffic from Specific Networks. You may want to restrict access
to specific networks. For example, you may want to permit traffic from
10.1.1.0/30, but deny traffic from 192.168.115.0/24. To configure entries for
this access, enter:
ProCurve(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.3 any
ProCurve(config-ext-nacl)# deny ip 192.168.115.0 0.0.0.255 any
Again, you would apply the ACL to the appropriate interface.
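
The entries above, evaluated in software, as an added example that is not part of the original manual. It shows how the wildcard mask 0.0.0.3 bounds the /30, which packets fall through to the implicit "deny any" (including DNS over UDP, which the tcp entry does not match), and that entry order decides the result. Assumptions: entries are evaluated top-down with the first match winning, the page's separate example entries are gathered into one list in a constructed order, and the function names and sample addresses are hypothetical.

```python
import ipaddress

PORTS = {"domain": 53, "rip": 520, "bgp": 179}  # well-known ports for the keywords on this page

# The page's entries gathered into one list (constructed ordering, for illustration).
ACL_TEXT = """\
permit tcp any any eq domain
permit udp any any eq rip
permit tcp any any eq bgp
permit ip 10.1.1.0 0.0.0.3 any
deny ip 192.168.115.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume 'any' or '<address> <wildcard>'; return (address, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tokens.pop(0))),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_entry(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORTS[tokens[1]] if tokens[1] in PORTS else int(tokens[1])
    return action, proto, src, dst, port

def _addr_match(ip, spec):
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard 0-bits must match, 1-bits are ignored
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return the first matching entry's action, or the implicit deny."""
    for line in acl_text.strip().splitlines():
        action, e_proto, e_src, e_dst, e_port = parse_entry(line)
        if e_proto not in ("ip", proto):
            continue  # protocol-specific entry for a different protocol
        if not (_addr_match(src, e_src) and _addr_match(dst, e_dst)):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny (implicit)"
```

For instance, evaluate(ACL_TEXT, "udp", "192.168.115.9", "10.1.1.1", 520) returns "permit": the RIP entry precedes the deny for 192.168.115.0/24, so place the deny first if that network should not be able to send routing updates.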

This manual is also suitable for:

Procurve secure router 7102 dl