On Thu, 9 Mar 2000, Jon Earle wrote:

> At 04:07 PM 3/8/00 -0500, you wrote:
> access-list 102 permit tcp 0.0.0.0 255.255.255.255  x.x.x.3 0.0.0.0 gt 1023
> access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 gt 1023
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 22
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 25
> access-list 102 permit tcp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53
> access-list 102 permit udp 0.0.0.0 255.255.255.255 x.x.x.3 0.0.0.0 eq 53


Make sure you include
access-list 102 permit tcp any any lt 1024 established

or things like ssh won't work.

Oh, and don't bother with the 0.0.0.0 255.255.255.255; "any" is faster to
type and means the same thing.


Here's my ruleset:

ip access-list extended s0-in

! block IP spoofing

 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 7.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log

! block xwindows
 deny   tcp any any eq 6666 log
 deny   tcp any any range 6000 6100 log
! block other various high ports
 deny   tcp any any eq 18000 log
 deny   tcp any any eq 7007 log
 deny   tcp any any eq 5050 log
 deny   tcp any any eq 1521 log
 deny   tcp any any eq 1522 log
 deny   tcp any any eq 1526 log
 deny   tcp any any eq 1031 log
 deny   udp any any eq tftp log
 deny   tcp any any eq 2049 log
 deny   tcp any any eq 4045 log
 deny   tcp any any eq 1030 log
 deny   tcp any any eq 1032 log
 deny   udp any any eq sunrpc log
 deny   udp any any eq 2049 log
 deny   udp any any eq 2000
 deny   udp any any eq tftp
 permit tcp any any eq www
 permit tcp any any eq 22
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 deny   udp any any eq 4045 log
 deny   udp any any eq syslog
 permit udp any any
 permit tcp any any gt 1023
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit tcp any any lt 1024 established
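
As an added illustration (this is not code from either poster): a small Python evaluator for IOS-style extended access lists that parses the wildcard-mask and `any`/`host` address forms, the `eq`/`gt`/`lt`/`range` port operators and the `established` keyword, then walks a list first-match-first with an implicit deny at the end. It is fed the quoted list 102 and an excerpt of the posted `s0-in` list with the entries in their original order. Assumptions: `198.51.100.3` is a constructed stand-in for the `x.x.x.3` host, `ack=True` on a packet models a TCP segment with ACK or RST set (what `established` keys on), and the source and destination addresses of the sample packets are constructed documentation-range values.

```python
# Added example, not code from the original post: a minimal first-match evaluator
# for IOS-style extended ACLs; 198.51.100.3 stands in for the quoted x.x.x.3 host.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "tftp": 69, "sunrpc": 111, "syslog": 514}
ANY = (0, 0xFFFFFFFF)  # (network, wildcard): 'any' == 0.0.0.0 255.255.255.255
# ack=True models a TCP segment with ACK or RST set, which 'established' keys on
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
Rule = namedtuple("Rule", "action proto src sport dst dport established text")
def _ip(s): return int(ipaddress.IPv4Address(s))
def _port(tok): return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks, i):
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _parse_port(toks, i):  # optional 'eq/gt/lt N' or 'range A B' after an address
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        n = _port(toks[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[toks[i]], i + 2
    if i < len(toks) and toks[i] == "range":
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return None, i

def parse_rule(line):
    toks = line.split()
    if toks[0] == "access-list":  # numbered form: drop 'access-list <number>'
        toks = toks[2:]
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return Rule(toks[0], toks[1], src, sport, dst, dport,
                "established" in toks[i:], line.strip())

def parse_acl(text):  # skips blank lines, '!' comments and the named-ACL header
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(("!", "ip access-list"))]

def _addr_match(addr, ip):
    net, wild = addr  # wildcard bits set to 1 are 'don't care'
    return (_ip(ip) ^ net) & ~wild & 0xFFFFFFFF == 0

def evaluate(rules, pkt):
    """Return (action, text of the matching entry); unmatched traffic is denied."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if (r.sport and not r.sport(pkt.sport)) or (r.dport and not r.dport(pkt.dport)):
            continue
        if r.established and not pkt.ack:  # only ACK/RST segments pass 'established'
            continue
        return r.action, r.text
    return "deny", "implicit deny"

QUOTED_102 = """
access-list 102 permit tcp 0.0.0.0 255.255.255.255 198.51.100.3 0.0.0.0 gt 1023
access-list 102 permit udp 0.0.0.0 255.255.255.255 198.51.100.3 0.0.0.0 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 198.51.100.3 0.0.0.0 eq 22
access-list 102 permit tcp 0.0.0.0 255.255.255.255 198.51.100.3 0.0.0.0 eq 25
access-list 102 permit tcp 0.0.0.0 255.255.255.255 198.51.100.3 0.0.0.0 eq 53
access-list 102 permit udp 0.0.0.0 255.255.255.255 198.51.100.3 0.0.0.0 eq 53
"""
ESTABLISHED = "access-list 102 permit tcp any any lt 1024 established\n"
# Constructed traffic: a reply from a remote port-22 server to a client that bound
# a privileged source port (so the reply lands below 1024), and a fresh SYN to that
# same low port, which the 'established' entry must not admit.
REPLY = Packet("tcp", "203.0.113.10", "198.51.100.3", 22, 1022, ack=True)
FRESH_SYN = Packet("tcp", "203.0.113.10", "198.51.100.3", 40000, 1022)

def check_established():
    without = evaluate(parse_acl(QUOTED_102), REPLY)[0]
    rules = parse_acl(QUOTED_102 + ESTABLISHED)
    return without, evaluate(rules, REPLY)[0], evaluate(rules, FRESH_SYN)[0]

# Excerpt of the posted s0-in list with the entries kept in their original order.
S0_IN_EXCERPT = """
ip access-list extended s0-in
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   tcp any any range 6000 6100 log
 permit tcp any any eq www
 deny   udp any any eq syslog
 permit udp any any
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit tcp any any lt 1024 established
"""

def check_s0_in():
    rules = parse_acl(S0_IN_EXCERPT)
    return {
        "spoofed": evaluate(rules, Packet("tcp", "10.1.2.3", "198.51.100.3", 40000, 80)),
        "x11": evaluate(rules, Packet("tcp", "203.0.113.10", "198.51.100.3", 40000, 6010)),
        "rfc1918_udp": evaluate(rules, Packet("udp", "192.168.1.1", "198.51.100.3", 5000, 5000)),
    }
```

`check_established()` returns `("deny", "permit", "deny")`: the reply to a low destination port falls through list 102 to the implicit deny, the `lt 1024 established` entry admits it, and the same entry still rejects a fresh SYN to that port because the ACK/RST bit is absent. `parse_rule` also confirms the shorthand point: `0.0.0.0 255.255.255.255` parses to the same `(0, 0xFFFFFFFF)` pair as `any`. Running `check_s0_in()` against the excerpt shows why entry order matters in a first-match list: a UDP datagram from 192.168.1.1 is matched by `permit udp any any` before the walk ever reaches the later `deny ip 192.168.0.0 0.0.255.255 any log` entry, so that anti-spoofing line only takes effect for protocols not already permitted above it.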

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]