[Dshield] Help with Cisco ACL's

Mike Hogsett hogsett at csl.sri.com
Tue Mar 11 23:19:36 GMT 2003


> Here's a filter that works pretty well for cisco.  The last line of the acl
> allows any 'other' established tcp cons to be accepted.

> ! Access Control List 101
> no access-list 101
> ! bogons (bogus outside networks)
> access-list 101 deny ip 0.0.0.0 1.255.255.255 any
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip 169.254.0.0 0.0.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> access-list 101 deny ip 224.0.0.0 31.255.255.255 any
> access-list 101 deny ip 255.0.0.0 0.255.255.255 any
> ! Misc services
> access-list 101 deny tcp any any eq 79
> access-list 101 deny udp any any eq 79
> access-list 101 deny tcp any any range 161 162
> access-list 101 deny udp any any range 161 162
> access-list 101 deny udp any any range 67 69
> access-list 101 deny tcp any any range 67 69
> access-list 101 deny tcp any any range 135 139
> access-list 101 deny udp any any range 135 139
> access-list 101 deny tcp any any eq 143
> access-list 101 deny udp any any eq 143
> access-list 101 deny tcp any any eq 445
> access-list 101 deny udp any any eq 445
> access-list 101 deny tcp any any eq 111
> access-list 101 deny udp any any eq 111
> access-list 101 deny tcp any any range 511 515
> access-list 101 deny udp any any range 511 515
> access-list 101 deny udp any any eq 1434
> access-list 101 deny tcp any any eq 6667
> access-list 101 deny udp any any eq 6667
> access-list 101 permit tcp any any established

Shouldn't it end in :

access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log

Even if your Cisco has an implicit deny rule at the end you won't see the
rule hit count with :

   router>sh access-list 101

*unless* you put it in explicitly.  I add the tcp and udp separately from
ip to see which protocols are hitting the default deny rules.

Also I would recommend adding "log" to all "deny" rules (assuming you have
a syslog server, you DO have a syslog server?)

The VERY first rule should DENY any IP packet with a source address from
your internal network.

My bogon filter is a bit more restrictive.

!
! ######################################################################
! # No SRC Address from : Reserved, Private and some other odd sources.
! # reference : http://www.isi.edu/~bmanning/dsua.html
! #             http://www.isi.edu/in-notes/rfc1918.txt
! #             http://www.mentovai.com/network/ipv4-allocation.html
! #             http://www.iana.org/assignments/ipv4-address-space
! ######################################################################
!
access-list 163 deny ip 0.0.0.0 0.255.255.255 any
access-list 163 deny ip 1.0.0.0 0.255.255.255 any
access-list 163 deny ip 2.0.0.0 0.255.255.255 any
access-list 163 deny ip 5.0.0.0 0.255.255.255 any
access-list 163 deny ip 7.0.0.0 0.255.255.255 any
access-list 163 deny ip 10.0.0.0 0.255.255.255 any
access-list 163 deny ip 23.0.0.0 0.255.255.255 any
access-list 163 deny ip 27.0.0.0 0.255.255.255 any
access-list 163 deny ip 31.0.0.0 0.255.255.255 any
access-list 163 deny ip 36.0.0.0 1.255.255.255 any
access-list 163 deny ip 39.0.0.0 0.255.255.255 any
access-list 163 deny ip 41.0.0.0 0.255.255.255 any
access-list 163 deny ip 42.0.0.0 0.255.255.255 any
access-list 163 deny ip 49.0.0.0 0.255.255.255 any
access-list 163 deny ip 50.0.0.0 0.255.255.255 any
access-list 163 deny ip 58.0.0.0 1.255.255.255 any
access-list 163 deny ip 60.0.0.0 0.255.255.255 any
access-list 163 deny ip 70.0.0.0 1.255.255.255 any
access-list 163 deny ip 72.0.0.0 7.255.255.255 any
access-list 163 deny ip 83.0.0.0 0.255.255.255 any
access-list 163 deny ip 84.0.0.0 3.255.255.255 any 
access-list 163 deny ip 88.0.0.0 7.255.255.255 any
access-list 163 deny ip 96.0.0.0 31.255.255.255 any 
access-list 163 deny ip 169.254.0.0 0.0.255.255 any
access-list 163 deny ip 172.16.0.0 0.15.255.255 any 
access-list 163 deny ip 192.0.2.0 0.0.0.255 any 
access-list 163 deny ip 192.168.0.0 0.0.255.255 any
access-list 163 deny ip 197.0.0.0 0.255.255.255 any
access-list 163 deny ip 221.0.0.0 0.255.255.255 any 
access-list 163 deny ip 224.0.0.0 15.255.255.255 any 
access-list 163 deny ip 240.0.0.0 15.255.255.255 any 

You should also deny some other garbage such as :

!
! ######################################################################
! # No traffic to localhost class A block
! # No traffic to subnet addresses
! # No traffic to subnet broadcast addresses
! ######################################################################
!
access-list 163 deny ip any 127.0.0.0 0.255.255.255 log
access-list 163 deny ip any 0.0.0.0   255.255.255.0 log
access-list 163 deny ip any 0.0.0.255 255.255.255.0 log
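To make the two points above concrete (first-match semantics with wildcard masks, and why an explicit logged "deny any" is needed to see what the implicit deny is eating), here is an added Python example that is not part of the original post or of any Cisco software. It parses a small constructed ACL written in the same numbered-list syntax, evaluates a few constructed packets against it, and emulates the per-line match counters of "sh access-list". The internal block 203.0.113.0/24, the sample addresses and the log-line wording are assumptions for illustration; the log format is a simplified imitation, not the exact IOS syslog message.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACL in the post's style. 203.0.113.0/24 is an assumed
# "internal" block (a documentation prefix), used for the anti-spoof first line.
ACL_TEXT = """
! first line: no packet from outside may claim an internal source address
access-list 163 deny ip 203.0.113.0 0.0.0.255 any log
access-list 163 deny ip 10.0.0.0 0.255.255.255 any log
access-list 163 deny ip 192.168.0.0 0.0.255.255 any log
access-list 163 deny tcp any any eq 445 log
access-list 163 deny udp any any range 135 139 log
access-list 163 permit tcp any any established
access-list 163 deny tcp any any log
access-list 163 deny udp any any log
access-list 163 deny ip any any log
"""

ANY = (0, 0xFFFFFFFF)  # (network, wildcard): all-ones wildcard matches every address

@dataclass
class Rule:
    action: str; proto: str; src: tuple; sport: object; dst: tuple; dport: object
    established: bool; log: bool; text: str

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _ports(tok, i):
    """Parse an optional 'eq N' or 'range A B' at tok[i] into an inclusive (low, high)."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse numbered extended ACL lines; '!' comment lines and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        tok = line.split()
        src, i = _addr(tok, 4)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)
        flags = tok[i:]
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport,
                          "established" in flags, "log" in flags, line))
    return rules

def _in_spec(addr, spec):
    # Wildcard bits set to 1 are "don't care"; only the remaining bits must match.
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care

def _port_ok(port, rng):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not _in_spec(int(ipaddress.IPv4Address(pkt["src"])), rule.src):
        return False
    if not _in_spec(int(ipaddress.IPv4Address(pkt["dst"])), rule.dst):
        return False
    if not (_port_ok(pkt.get("sport"), rule.sport) and _port_ok(pkt.get("dport"), rule.dport)):
        return False
    # 'established' matches segments with ACK or RST set, i.e. not a fresh SYN.
    return not rule.established or bool(pkt.get("ack") or pkt.get("rst"))

def evaluate(rules, pkt):
    """First matching line wins; index None means the implicit deny at the end."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return i, r.action, r.log
    return None, "deny", False

def show_access_list(rules, packets):
    """Return (per-line hit counts, simplified log lines, implicit-deny hits).
    A router shows only the first two; the third is exactly what 'sh access-list'
    cannot tell you unless the final deny is written out explicitly."""
    counts, logged, implicit = [0] * len(rules), [], 0
    for p in packets:
        i, action, log = evaluate(rules, p)
        if i is None:
            implicit += 1
            continue
        counts[i] += 1
        if log:  # simplified imitation of an access-list log line, not the IOS format
            logged.append(f"list 163 {action} {p['proto']} {p['src']} -> {p['dst']}")
    return counts, logged, implicit

# Constructed packets: spoofed internal source, RFC1918 source, SMB, NetBIOS,
# a reply segment of an established session, a new SSH SYN, and ICMP.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "203.0.113.5", "sport": 4000, "dport": 80},
    {"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.5", "sport": 4000, "dport": 80},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 4001, "dport": 445},
    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 137, "dport": 137},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 80, "dport": 33000, "ack": True},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 4002, "dport": 22},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "203.0.113.5"},
]

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for full in (rules, rules[:6]):  # with, then without, the explicit final denies
        counts, logged, implicit = show_access_list(full, PACKETS)
        for r, c in zip(full, counts):
            print(f"    {r.text[16:]} ({c} matches)")
        print(f"  logged: {len(logged)}  lost to implicit deny: {implicit}\n")
```

Running it twice, once with the three explicit trailing denies and once without, shows the same seven packets producing six logged denials in the first case and only four in the second, with the SSH SYN and the ICMP packet vanishing into the implicit deny where no counter or log line records them.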
