[Dshield] Help with Cisco ACL's

Rick Leske rick at jaray.net
Tue Mar 11 19:05:57 GMT 2003


Here's a filter that works pretty well for Cisco.  The last line of the ACL
allows any 'other' established TCP connections to be accepted.

~Rick

! Access Control List 101
no access-list 101
! bogons (bogus outside networks)
access-list 101 deny ip 0.0.0.0 1.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
! Misc services
access-list 101 deny tcp any any eq 79
access-list 101 deny udp any any eq 79
access-list 101 deny tcp any any range 161 162
access-list 101 deny udp any any range 161 162
access-list 101 deny udp any any range 67 69
access-list 101 deny tcp any any range 67 69
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 139
access-list 101 deny tcp any any eq 143
access-list 101 deny udp any any eq 143
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 111
access-list 101 deny udp any any eq 111
access-list 101 deny tcp any any range 511 515
access-list 101 deny udp any any range 511 515
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 6667
access-list 101 deny udp any any eq 6667
! Permit replies to TCP sessions started from inside (segments with ACK or RST set).
! Anything not matched above is dropped by the implicit deny at the end of the list.
access-list 101 permit tcp any any established

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of Graham K. Dodd
> Sent: Tuesday, March 11, 2003 12:15 PM - FamHost
> To: General DShield Discussion List
> Subject: RE: [Dshield] Help with Cisco ACL's
>
>
> We don't have a PIX, but the firewall is doing the catching and now I want
> to block this specific port.
>
> If I say deny tcp any any eq 445 then what happens to incoming packets that
> are not port 445, do they pass or are they also dropped?
>
> Graham
>
> > -----Original Message-----
> > From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> > Behalf Of Neil G. Lovering
> > Sent: Tuesday, 11 March 2003 18:01
> > To: General DShield Discussion List
> > Subject: RE: [Dshield] Help with Cisco ACL's
> >
> >
> > I do the same thing.  I let the PIX catch things that shouldn't be
> > there.  Then if I notice some folks probing the outside, I specifically
> > block them so they can't get to any of the permitted ports.
> >
> > Neil
> >
> >
> >
> > -----Original Message-----
> > From: Mathieu Patenaude [mailto:mathieup at sevillepictures.com]
> > Sent: Tuesday, March 11, 2003 10:46 AM
> > To: 'General DShield Discussion List'
> > Subject: RE: [Dshield] Help with Cisco ACL's
> >
> > What about the implicit deny all of the Cisco PIX... I mean that if you
> > didn't allow the port before, it won't get through... unless you've put an
> > access-list allow any any somewhere! One of the reasons why I would put an
> > explicit deny on a particular port like you did would be to see how many
> > times it got hit... but again, you can know that by using the syslog.
> >
> > good luck
> >
> > Mathieu
> >
> > -----Original Message-----
> > From: Graham K. Dodd [mailto:g.dodd at falk-ross.de]
> > Sent: Tuesday, March 11, 2003 9:09 AM
> > To: DShield
> > Subject: [Dshield] Help with Cisco ACL's
> >
> >
> > Hello all,
> > please can somebody explain to a Cisco novice how to block incoming port
> > 445?
> >
> > I created an extended access list with a "deny tcp any any eq 445"
> >
> > I applied this ACL to Serial 0 incoming, which I thought would block any
> > incoming TCP going to my port 445 - what it does is stop outgoing traffic
> > (nslookup and port 80 that I know of).
> >
> > thank you,
> >
> > Graham
> >

___________________________________________________________________
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
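As an added example (not part of the thread and not code from any of the posters), the Python evaluator below applies Cisco extended-ACL semantics to constructed sample packets: rules are tested top to bottom, the first match wins, anything unmatched hits the implicit deny, addresses are compared through wildcard masks, and `established` means "ACK or RST bit set". It runs Graham's one-line ACL and an excerpt of Rick's filter against the same packets. The inside host 192.0.2.10, the outside addresses, the ports and the packet mix are assumptions chosen for illustration.

```python
"""Cisco IOS extended-ACL semantics: top-down, first match wins, implicit deny.
Added example for the thread above, not code from any of the posters; the ACL
excerpts, addresses and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IPv4 address
    dst: str                        # destination IPv4 address
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"ACK"}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return (base, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return _ip(tok), _ip(tokens.pop(0))

def _take_port(tokens):
    """Consume an optional 'eq N' or 'range LO HI'; return (lo, hi) or None."""
    if tokens and tokens[0] in ("eq", "range"):
        op = tokens.pop(0)
        lo = int(tokens.pop(0))
        return lo, (int(tokens.pop(0)) if op == "range" else lo)
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op] [established]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("no "):
            continue  # comments and 'no access-list ...' carry no rule
        tokens = line.split()
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, sport = _take_addr(rest), _take_port(rest)  # consumed left to right
        dst, dport = _take_addr(rest), _take_port(rest)
        rules.append({"line": line, "action": action, "proto": proto, "src": src,
                      "sport": sport, "dst": dst, "dport": dport,
                      "established": "established" in rest})
    return rules

def _addr_match(spec, addr):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((_ip(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def _port_match(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(acl_text, pkt):
    """Return (action, matching rule text); unmatched packets hit the implicit deny."""
    for rule in parse_acl(acl_text):
        if rule["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(rule["src"], pkt.src) and _addr_match(rule["dst"], pkt.dst)):
            continue
        if not (_port_match(rule["sport"], pkt.sport) and _port_match(rule["dport"], pkt.dport)):
            continue
        # 'established' is stateless: it matches any TCP segment with ACK or RST set,
        # which lets replies in but not the opening SYN of a session started outside.
        if rule["established"] and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return rule["action"], rule["line"]
    return "deny", "implicit deny at end of ACL"

GRAHAM_ACL = "access-list 101 deny tcp any any eq 445"  # his one line, inbound on Serial 0

# Rick's filter, cut down to the lines that decide the sample packets.
RICK_ACL = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 permit tcp any any established
"""

# Constructed traffic arriving on the outside interface: 192.0.2.10 is an assumed
# inside host, the other addresses are RFC 5737 documentation space.
INSIDE = "192.0.2.10"
SAMPLES = {
    "smb_probe":   Packet("tcp", "203.0.113.7", INSIDE, 3344, 445, frozenset({"SYN"})),
    "http_reply":  Packet("tcp", "198.51.100.80", INSIDE, 80, 40001, frozenset({"ACK"})),
    "dns_reply":   Packet("udp", "198.51.100.53", INSIDE, 53, 40002),
    "spoofed_ack": Packet("tcp", "10.1.2.3", INSIDE, 445, 40003, frozenset({"ACK"})),
    "new_syn_80":  Packet("tcp", "203.0.113.9", INSIDE, 5555, 80, frozenset({"SYN"})),
}

if __name__ == "__main__":
    for label, acl in (("Graham's ACL", GRAHAM_ACL), ("Rick's ACL", RICK_ACL)):
        print(label)
        for name, pkt in SAMPLES.items():
            print("  %-12s %-7s <- %s" % ((name,) + evaluate(acl, pkt)))
```

Running it shows why Graham saw outgoing traffic break: under his one-line ACL the SMB probe is denied by the explicit rule, but the HTTP reply and the DNS reply are dropped as well, by the implicit deny that ends every Cisco ACL. Rick's `permit tcp any any established` lets the HTTP reply back in, and because the bogon denies come first, a spoofed segment from 10.1.2.3 is dropped even with ACK set. Two caveats the output also makes visible: the filter as posted has no permit for UDP, so inbound DNS replies still hit the implicit deny unless a line such as `permit udp any eq 53 any` is added above the end of the list, and `established` is a stateless flag test, so any TCP segment with ACK set from a non-bogon source is accepted whether or not an inside host ever opened that session.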