[Dshield] Help with Cisco ACL's

Rick Leske rick at jaray.net
Wed Mar 12 00:36:21 GMT 2003


Very informative and well appreciated.. I stand corrected.. I didn't post
the entire list that we use on one of our border routers because it has dual
serial I/O and NAT.  'really confusing to read' for the masses and because
of corporate release of communications, etc.

Thanks again,

~Rick

> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
> Behalf Of Mike Hogsett
> Sent: Tuesday, March 11, 2003 5:20 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Help with Cisco ACL's
>
>
>
> > Here's a filter that works pretty well for Cisco.  The last line of the ACL
> > allows any 'other' established TCP cons to be accepted.
>
> > ! Access Control List 101
> > no access-list 101
> > ! bogons (bogus outside networks)
> > access-list 101 deny ip 0.0.0.0 1.255.255.255 any
> > access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> > access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 101 deny ip 169.254.0.0 0.0.255.255 any
> > access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> > access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> > access-list 101 deny ip 224.0.0.0 31.255.255.255 any
> > access-list 101 deny ip 255.0.0.0 0.255.255.255 any
> > ! Misc services
> > access-list 101 deny tcp any any eq 79
> > access-list 101 deny udp any any eq 79
> > access-list 101 deny tcp any any range 161 162
> > access-list 101 deny udp any any range 161 162
> > access-list 101 deny udp any any range 67 69
> > access-list 101 deny tcp any any range 67 69
> > access-list 101 deny tcp any any range 135 139
> > access-list 101 deny udp any any range 135 139
> > access-list 101 deny tcp any any eq 143
> > access-list 101 deny udp any any eq 143
> > access-list 101 deny tcp any any eq 445
> > access-list 101 deny udp any any eq 445
> > access-list 101 deny tcp any any eq 111
> > access-list 101 deny udp any any eq 111
> > access-list 101 deny tcp any any range 511 515
> > access-list 101 deny udp any any range 511 515
> > access-list 101 deny udp any any eq 1434
> > access-list 101 deny tcp any any eq 6667
> > access-list 101 deny udp any any eq 6667
> > access-list 101 permit tcp any any established
>
> Shouldn't it end in:
>
> access-list 101 deny tcp any any log
> access-list 101 deny udp any any log
> access-list 101 deny ip any any log
>
> Even if your Cisco has an implicit deny rule at the end you won't see the
> rule hit count with:
>
>    router>sh access-list 101
>
> *unless* you put it in explicitly.  I add the tcp and udp separately from
> ip to see which protocols are hitting the default deny rules.
>
> Also, I would recommend adding "log" to all "deny" rules (assuming you have
> a syslog server; you DO have a syslog server?)
>
> The VERY first rule should DENY any IP packet with a source address from
> your internal network.
>
> My bogon filters are a bit more restrictive.
>
> !
> ! ######################################################################
> ! # No SRC Address from : Reserved, Private and some other odd sources.
> ! # reference : http://www.isi.edu/~bmanning/dsua.html
> ! #             http://www.isi.edu/in-notes/rfc1918.txt
> ! #             http://www.mentovai.com/network/ipv4-allocation.html
> ! #             http://www.iana.org/assignments/ipv4-address-space
> ! ######################################################################
> !
> access-list 163 deny ip 0.0.0.0 0.255.255.255 any
> access-list 163 deny ip 1.0.0.0 0.255.255.255 any
> access-list 163 deny ip 2.0.0.0 0.255.255.255 any
> access-list 163 deny ip 5.0.0.0 0.255.255.255 any
> access-list 163 deny ip 7.0.0.0 0.255.255.255 any
> access-list 163 deny ip 10.0.0.0 0.255.255.255 any
> access-list 163 deny ip 23.0.0.0 0.255.255.255 any
> access-list 163 deny ip 27.0.0.0 0.255.255.255 any
> access-list 163 deny ip 31.0.0.0 0.255.255.255 any
> access-list 163 deny ip 36.0.0.0 1.255.255.255 any
> access-list 163 deny ip 39.0.0.0 0.255.255.255 any
> access-list 163 deny ip 41.0.0.0 0.255.255.255 any
> access-list 163 deny ip 42.0.0.0 0.255.255.255 any
> access-list 163 deny ip 49.0.0.0 0.255.255.255 any
> access-list 163 deny ip 50.0.0.0 0.255.255.255 any
> access-list 163 deny ip 58.0.0.0 1.255.255.255 any
> access-list 163 deny ip 60.0.0.0 0.255.255.255 any
> access-list 163 deny ip 70.0.0.0 1.255.255.255 any
> access-list 163 deny ip 72.0.0.0 7.255.255.255 any
> access-list 163 deny ip 83.0.0.0 0.255.255.255 any
> access-list 163 deny ip 84.0.0.0 3.255.255.255 any
> access-list 163 deny ip 88.0.0.0 7.255.255.255 any
> access-list 163 deny ip 96.0.0.0 31.255.255.255 any
> access-list 163 deny ip 169.254.0.0 0.0.255.255 any
> access-list 163 deny ip 172.16.0.0 0.15.255.255 any
> access-list 163 deny ip 192.0.2.0 0.0.0.255 any
> access-list 163 deny ip 192.168.0.0 0.0.255.255 any
> access-list 163 deny ip 197.0.0.0 0.255.255.255 any
> access-list 163 deny ip 221.0.0.0 0.255.255.255 any
> access-list 163 deny ip 224.0.0.0 15.255.255.255 any
> access-list 163 deny ip 240.0.0.0 15.255.255.255 any
>
> You should also deny some other garbage such as:
>
> !
> ! ######################################################################
> ! # No traffic to localhost class A block
> ! # No traffic to subnet addresses
> ! # No traffic to subnet broadcast addresses
> ! ######################################################################
> !
> access-list 163 deny ip any 127.0.0.0 0.255.255.255 log
> access-list 163 deny ip any 0.0.0.0   255.255.255.0 log
> access-list 163 deny ip any 0.0.0.255 255.255.255.0 log
>
___________________________________________________________________
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
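As an added illustration of the two points made in the thread (first match wins, and a packet that falls through to the implicit deny is dropped without ever showing up in a hit count), here is a small Python model of IOS extended-ACL matching; it is example code written for this page, not anything posted in the thread. The sample ACL is constructed from a few lines above plus the explicit final deny Mike argues for, the packet addresses are made-up documentation ranges, and the wildcard match deliberately uses bitwise masking so that non-contiguous wildcards such as `0.0.0.255 255.255.255.0` behave as they do on the router.

```python
import ipaddress
# Constructed sample ACL: a few lines drawn from the two lists in the thread, plus
# the explicit final deny Mike argues for (so drops are counted and logged).
ACL = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any 0.0.0.255 255.255.255.0 log
access-list 101 deny udp any any range 67 69
access-list 101 deny udp any any eq 1434
access-list 101 permit tcp any any established
access-list 101 deny ip any any log""".splitlines()

def ip2int(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):  # 'any' or 'A.B.C.D WILDCARD' -> ((base, wildcard), remaining tokens)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    return (ip2int(tok[0]), ip2int(tok[1])), tok[2:]

def take_ports(tok):  # optional 'eq N' / 'range A B' -> (set of ports or None, remaining)
    if tok and tok[0] == "eq":
        return {int(tok[1])}, tok[2:]
    if tok and tok[0] == "range":
        return set(range(int(tok[1]), int(tok[2]) + 1)), tok[3:]
    return None, tok

def addr_match(spec, ip):
    base, wild = spec
    care = 0xFFFFFFFF ^ wild  # wildcard bit 1 = don't care; the mask need not be contiguous
    return (ip & care) == (base & care)

def parse_rule(line):  # access-list N action proto src dst [eq N | range A B] [established] [log]
    tok = line.split()
    src, rest = take_addr(tok[4:])
    dst, rest = take_addr(rest)
    dports, rest = take_ports(rest)
    return dict(action=tok[2], proto=tok[3], src=src, dst=dst, dports=dports,
                established="established" in rest, log="log" in rest)

def evaluate(rules, src, dst, proto, dport=None, established=False, hits=None):
    """First match wins, as in IOS; returns the action and bumps hits[rule index] if given.
    A packet that falls through to the implicit deny is dropped but counted nowhere."""
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", proto)
                and addr_match(r["src"], ip2int(src)) and addr_match(r["dst"], ip2int(dst))
                and (r["dports"] is None or dport in r["dports"])
                and (not r["established"] or established)):
            if hits is not None:
                hits[i] += 1
            return r["action"]
    return "deny"
```

Running `evaluate` over the list with and without its last line shows the same drop decision but a hit counter that only moves when the deny is explicit, which is exactly why `sh access-list` stays silent on the implicit rule.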