Firewall ACL — Will the Packet Pass?

Medium Firewall · 25 min

Scenario

A stateful firewall has the ACL shown in the right pane. Four packets are about to hit the WAN→LAN interface. Decide for each whether the firewall permits (P) or drops (D) it under standard first-match-wins semantics with an implicit deny-all at the end.

Packets to trace

  1. tcp 203.0.113.55:54123 → 10.0.5.40:443 (HTTPS to webserver)
  2. tcp 198.51.100.7:51200 → 10.0.5.40:22 (SSH from unknown IP)
  3. udp 8.8.8.8:53 → 10.0.10.20:54123 (DNS response to internal client)
  4. tcp 10.0.5.40:443 → 203.0.113.55:54123 (Outbound to existing session)

Answer format

A 4-character string where each character is P (permit) or D (drop), in order:

PDPP

(Example shape — not the answer.)

Hints

Hint 1 (−10 pts)

Stateful firewalls track existing sessions — replies to allowed outbound connections are auto-permitted via the conntrack/established rule. Look for that rule first.

Hint 2 (−10 pts)

Packet 1: matches rule 10 (permit https to webserver) → P. Packet 2: no SSH permit rule and no established session → D. Packet 3: stateful conntrack permits the DNS reply → P. Packet 4: outbound from internal, allowed.

Hint 3 (−10 pts)

Answer: PDPP
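The trace in the hints can be reproduced with a small first-match evaluator. This is an added example, not part of the lab: the ACL from the right pane is not reproduced on this page, so the ruleset (rule 5 and every field of rule 10), the seeded conntrack entry and the names `evaluate`, `trace` and `SEEDED` are assumptions. In this model packet 4 is permitted through the state table, as the reply direction of the session packet 1 created.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Constructed ruleset (assumption): the page names only "rule 10"; rule 5 and all
# field values are illustrative. Fields: seq, action, proto, src, dst, dport, state.
ACL = [
    (5, "permit", None, "0.0.0.0/0", "0.0.0.0/0", None, "established"),
    (10, "permit", "tcp", "0.0.0.0/0", "10.0.5.40/32", 443, None),
]

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(pkt, conntrack):
    """First match wins; returns (verdict, matching rule seq or None)."""
    forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    known = forward in conntrack or reverse in conntrack
    for seq, action, proto, src, dst, dport, state in sorted(ACL, key=lambda r: r[0]):
        if state == "established" and not known:
            continue
        if proto not in (None, pkt.proto) or dport not in (None, pkt.dport):
            continue
        if not (in_net(pkt.src, src) and in_net(pkt.dst, dst)):
            continue
        if action == "permit":
            conntrack.add(forward)  # replies to this flow now count as established
            return "P", seq
        return "D", seq
    return "D", None  # implicit deny-all at the end of the list

PACKETS = [  # the four packets listed on the page, in order
    Packet("tcp", "203.0.113.55", 54123, "10.0.5.40", 443),
    Packet("tcp", "198.51.100.7", 51200, "10.0.5.40", 22),
    Packet("udp", "8.8.8.8", 53, "10.0.10.20", 54123),
    Packet("tcp", "10.0.5.40", 443, "203.0.113.55", 54123),
]

# Constructed state (assumption): the internal client's earlier DNS query.
SEEDED = {("udp", "10.0.10.20", 54123, "8.8.8.8", 53)}

def trace(conntrack):
    return [evaluate(p, conntrack) for p in PACKETS]

if __name__ == "__main__":
    for pkt, (verdict, seq) in zip(PACKETS, trace(set(SEEDED))):
        print(verdict, "rule", seq if seq is not None else "implicit deny", pkt)
```

Calling `trace(set())` with an empty state table shows why packet 3 depends on conntrack: with no recorded query, the DNS reply falls through to the implicit deny.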
