[Dshield] Help with Cisco ACL's

Mathieu Patenaude mathieup at sevillepictures.com
Tue Mar 11 19:57:13 GMT 2003


Graham...this is another way to firewall your network (see message below).
Basically there are 2 ways to work with a firewall (I'm only talking about
ACLs here):

1) you block everything (inbound and outbound) and allow only the secured
services that you need
2) you block (like Rick here) bogus addresses and well-known attacked ports (+
I would include addresses that are known as big attackers in my access list,
found at Web sites like http://www1.dshield.org/top10.php), so...
access-list 101 deny ip host 61.241.107.38 any).

I recommend going to http://www1.dshield.org/warning_explanation.php and
typing in your Internet address to check if you are yourself an attacker!

I find the first method more secure for many reasons.

It's too bad that you don't have a PIX, because their support is top notch!
Check with your firewall provider to see if they've got a support
service...it costs a lot, but is very useful in emergency situations!

Mathieu

-----Original Message-----
From: Rick Leske [mailto:rick at jaray.net]
Sent: March 11, 2003 14:06
To: General DShield Discussion List
Subject: RE: [Dshield] Help with Cisco ACL's


Here's a filter that works pretty well for Cisco.  The last line of the ACL
allows any 'other' established TCP connections to be accepted.

~Rick

! Access Control List 101
! Apply it inbound on the Internet-facing interface, e.g.
!   interface Serial0
!    ip access-group 101 in
! Entries are evaluated top to bottom; the first match wins.
no access-list 101
! bogons (bogus outside networks): private, loopback, link-local, multicast,
! reserved and (in 2003) unallocated space that should never arrive from the Internet
access-list 101 deny ip 0.0.0.0 1.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
! 255.0.0.0/8 is already inside 224.0.0.0/3 (the line above); this entry is redundant but harmless
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
! Misc services: finger (79), SNMP (161-162), BOOTP/DHCP/TFTP (67-69),
! MS RPC/NetBIOS (135-139), IMAP (143), SMB (445), sunrpc/portmapper (111),
! rexec/rlogin/rsh/printer (511-515), MS SQL monitor/Slammer (udp 1434), IRC (6667)
access-list 101 deny tcp any any eq 79
access-list 101 deny udp any any eq 79
access-list 101 deny tcp any any range 161 162
access-list 101 deny udp any any range 161 162
access-list 101 deny udp any any range 67 69
access-list 101 deny tcp any any range 67 69
access-list 101 deny tcp any any range 135 139
access-list 101 deny udp any any range 135 139
access-list 101 deny tcp any any eq 143
access-list 101 deny udp any any eq 143
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny tcp any any eq 111
access-list 101 deny udp any any eq 111
access-list 101 deny tcp any any range 511 515
access-list 101 deny udp any any range 511 515
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 6667
access-list 101 deny udp any any eq 6667
! Return traffic for connections opened from inside: "established" matches TCP
! segments with the ACK or RST bit set (stateless, so ACK scans also match).
! Anything else -- new inbound TCP, all UDP (including DNS replies), ICMP -- falls
! through to the implicit "deny ip any any" at the end of every IOS ACL and has
! to be permitted explicitly if it is needed.
access-list 101 permit tcp any any established
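
To make the first-match and implicit-deny behaviour discussed in this thread concrete (Mathieu's "block everything" versus "block bogons and bad ports" contrast, Rick's trailing "established" entry, and Graham's report that a lone "deny tcp any any eq 445" stopped his outbound traffic), here is an added example that is not code from any of the posters: a small Python model of IOS extended-ACL matching, run over Graham's one-line ACL and an abridged copy of Rick's. The inside host 203.0.113.5, the outside addresses and the packets are constructed, and the per-entry hit counters stand in for what `show access-lists` reports.

```python
# Added example, not code from any poster in this thread: a toy model of Cisco IOS
# extended-ACL matching (first match wins, implicit "deny ip any any" at the end,
# `established` = TCP with ACK or RST set). Addresses and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False           # TCP ACK/RST bit; all that `established` looks at

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: Tuple[int, int]        # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dports: Optional[Tuple[int, int]]   # inclusive destination-port range
    established: bool = False
    hits: int = 0               # per-entry counter, like `show access-lists`

def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at token i."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    net, wc = (int(ipaddress.IPv4Address(x)) for x in t[i:i + 2])
    return (net, wc), i + 2

def _addr_match(spec, addr):
    net, wc = spec
    mask = ~wc & 0xFFFFFFFF     # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq P | range A B] [established]'.
    Only destination-port operators are handled, the form used throughout the thread."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dports, established = None, False
    while i < len(t):
        if t[i] == "eq":
            dports, i = (int(t[i + 1]), int(t[i + 1])), i + 2
        elif t[i] == "range":
            dports, i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return Ace(action, proto, src, dst, dports, established)

def parse_acl(text):
    # '!' comment lines and 'no access-list' lines are skipped
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(("!", "no "))]

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt, counting a hit on the first matching entry."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.dports and not (ace.dports[0] <= pkt.dport <= ace.dports[1]):
            continue
        if ace.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        ace.hits += 1
        return ace.action
    return "deny"               # implicit deny: not logged, not counted anywhere

# Graham's one-line ACL, and an abridged copy of Rick's (same ordering).
GRAHAM_ACL = "access-list 101 deny tcp any any eq 445"
RICK_ACL = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 1434
access-list 101 permit tcp any any established
"""

# Constructed packets arriving inbound on the Internet-facing interface;
# 203.0.113.5 is the (fictional) inside host, 198.51.100.0/24 the outside world.
PACKETS = {
    "http_reply":  Packet("tcp", "198.51.100.10", "203.0.113.5", 33000, ack=True),
    "dns_reply":   Packet("udp", "198.51.100.53", "203.0.113.5", 40000),
    "smb_syn":     Packet("tcp", "198.51.100.77", "203.0.113.5", 445),
    "spoofed_ack": Packet("tcp", "10.1.2.3", "203.0.113.5", 80, ack=True),
    "ack_scan":    Packet("tcp", "198.51.100.99", "203.0.113.5", 22, ack=True),
}

def run(acl_text):
    """Evaluate every packet against one ACL; returns (verdicts, hits per entry)."""
    acl = parse_acl(acl_text)
    verdicts = {name: evaluate(acl, p) for name, p in PACKETS.items()}
    return verdicts, [a.hits for a in acl]
```

Running `run(GRAHAM_ACL)` denies every packet, including the HTTP reply and the DNS reply, because nothing precedes the implicit deny except the 445 entry; that is the symptom Graham saw. `run(RICK_ACL)` lets the HTTP reply back in via "established", still drops the UDP DNS reply (nothing permits UDP), and stops the spoofed 10/8 source before the "established" line is reached. The "ack_scan" packet shows the caveat with "established": it is stateless, so any segment with ACK set from a non-bogon source is permitted, which is what a stateful firewall such as the PIX (or reflexive ACLs on IOS) is for.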

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of Graham K. Dodd
> Sent: Tuesday, March 11, 2003 12:15 PM - FamHost
> To: General DShield Discussion List
> Subject: AW: [Dshield] Help with Cisco ACL's
>
>
> We don't have a PIX, but the firewall is doing the catching and now I want
> to block this specific port.
>
> If I say deny tcp any any eq 445, then what happens to incoming packets
> that are not port 445: do they pass or are they also dropped?
>
> Graham
>
> > -----Original Message-----
> > From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
> > Behalf Of Neil G. Lovering
> > Sent: Tuesday, March 11, 2003 18:01
> > To: General DShield Discussion List
> > Subject: RE: [Dshield] Help with Cisco ACL's
> >
> >
> > I do the same thing.  I let the PIX catch things that shouldn't be
> > there.  Then if I notice some folks probing the outside, I specifically
> > block them so they can't get to any of the permitted ports.
> >
> > Neil
> >
> >
> >
> > -----Original Message-----
> > From: Mathieu Patenaude [mailto:mathieup at sevillepictures.com]
> > Sent: Tuesday, March 11, 2003 10:46 AM
> > To: 'General DShield Discussion List'
> > Subject: RE: [Dshield] Help with Cisco ACL's
> >
> > What about the implicit deny all of the Cisco PIX... I mean that if you
> > didn't allow the port before, it won't get through...unless you've put an
> > access-list permit any any somewhere! One of the reasons why I would put
> > an explicit deny on a particular port like you did would be to see how many
> > times it got hit... but again, you can know that by using the syslog.
> >
> > good luck
> >
> > Mathieu
> >
> > -----Original Message-----
> > From: Graham K. Dodd [mailto:g.dodd at falk-ross.de]
> > Sent: Tuesday, March 11, 2003 9:09 AM
> > To: DShield
> > Subject: [Dshield] Help with Cisco ACL's
> >
> >
> > Hello all,
> > 		please can somebody explain to a Cisco novice how to block
> > incoming port 445?
> >
> > I created an extended access list with a "deny tcp any any eq 445"
> >
> > I applied this ACL to Serial 0 incoming, which I thought would block any
> > incoming TCP going to my port 445 - what it does is stop outgoing traffic
> > (nslookup and port 80 that I know of)
> >
> > thank you,
> >
> > Graham
> >


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
