On Thu, 20 Apr 2000, André Bell wrote:
> p.s. Anyone know where I can download an already configured ruleset that
> only allows incoming access to my port 80 but does not hinder my outbound
> communications? I've tried dozens of things so far myself and now think I
> better find a ruleset from someone who actually knows what they are doing
This is a ruleset (cisco IOS) I've used quite a few times, but there are a
few things I don't like about it. I have quite a few log entries in here,
that you could take out, and I'd lose the 'permit tcp > 1023' if I were
you.
! Block spoofing and multicast
! (RFC 1918 10/8, "this" network 0/8, limited broadcast, loopback,
!  multicast 224/4, reserved 240/4, TEST-NET 192.0.2/24, link-local 169.254/16)
ip access-list extended s0-in
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
! 240.0.0.0/4 needs wildcard 15.255.255.255; 7.255.255.255 only covered 240.0.0.0/5
deny ip 240.0.0.0 15.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
! Explicitly drop (and log) service ports that must never be reachable from outside
deny tcp any any eq 6666 log
deny tcp any any range 6000 6100 log
deny tcp any any eq 18000 log
deny tcp any any eq 7007 log
deny tcp any any eq 5050 log
deny tcp any any eq 1521 log
deny tcp any any eq 1522 log
deny tcp any any eq 1526 log
deny tcp any any eq 1031 log
deny tcp any any eq 2049 log
deny tcp any any eq 4045 log
deny tcp any any eq 1030 log
deny tcp any any eq 1032 log
deny udp any any eq tftp log
deny udp any any eq sunrpc log
deny udp any any eq 2049 log
deny udp any any eq 4045 log
deny udp any any eq syslog
! First match wins, so the permits below are only reached by traffic no deny caught
permit udp any any
permit tcp any any lt 1024 established
permit tcp any any gt 1023
! IOS syntax is 'host <address>'; 'any yourwebserverip 0.0.0.0' does not parse
permit tcp any host yourwebserverip eq http
! note that this ruleset blocks icmp, so you can't ping out or in.
! the next rule is implied.
deny ip any any
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
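An added example, not part of the original post and not Cisco's code: a small Python evaluator for the subset of IOS extended-ACL syntax the list above uses (deny/permit, ip/tcp/udp, any/host/wildcard addresses, eq/lt/gt/range port operators, established, log), run over a handful of constructed packets so you can see which line each one hits. It assumes 203.0.113.10 stands in for yourwebserverip and 198.51.100.7 for a remote client, and embeds an abbreviated copy of the list (the spoofing denies, a few of the port denies, and the permits). It also evaluates two variants: the list with "permit tcp any any gt 1023" removed, and with that line changed to "permit tcp any any gt 1023 established", which keeps replies to outbound connections flowing while closing unsolicited SYNs to high ports.

```python
"""Evaluate a Cisco IOS extended ACL (subset) against sample packets.

Added example for illustration only; the ACL copy, addresses and packets
below are constructed, not taken from a real router.
"""
import ipaddress
from typing import Dict, Optional, Tuple

WEBSERVER = "203.0.113.10"   # assumed stand-in for "yourwebserverip"
CLIENT = "198.51.100.7"      # assumed remote host

NAMED_PORTS = {"http": 80, "tftp": 69, "sunrpc": 111, "syslog": 514}
OPS = ("eq", "lt", "gt", "range")

# Abbreviated copy of the posted s0-in list (web-server rule in 'host' syntax).
POSTED_ACL = f"""
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 15.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny tcp any any range 6000 6100 log
deny tcp any any eq 2049 log
deny udp any any eq sunrpc log
deny udp any any eq 2049 log
permit udp any any
permit tcp any any lt 1024 established
permit tcp any any gt 1023
permit tcp any host {WEBSERVER} eq http
"""
# Variant 1: the line the poster suggests dropping, dropped.
WITHOUT_GT1023 = POSTED_ACL.replace("permit tcp any any gt 1023\n", "")
# Variant 2: same line restricted to ACK/RST packets (replies only).
ESTABLISHED_ONLY = POSTED_ACL.replace("permit tcp any any gt 1023",
                                      "permit tcp any any gt 1023 established")


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _parse_addr(toks, i) -> Tuple[Tuple[int, int], int]:
    """Address spec -> ((base, wildcard), next index). Wildcard bits are don't-care."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2


def _addr_match(spec, addr: str) -> bool:
    base, wild = spec
    return ((_ip(addr) ^ base) & (~wild & 0xFFFFFFFF)) == 0


def _parse_port(toks, i):
    """Optional port operator -> (spec or None, next index)."""
    if i < len(toks) and toks[i] in OPS:
        if toks[i] == "range":
            return ("range", _port(toks[i + 1]), _port(toks[i + 2])), i + 3
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i


def _port_match(spec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "lt":
        return port < spec[1]
    if op == "gt":
        return port > spec[1]
    return spec[1] <= port <= spec[2]


class Rule:
    def __init__(self, line: str):
        toks = line.split()
        self.text = line
        self.action, self.proto = toks[0], toks[1]
        self.src, i = _parse_addr(toks, 2)
        self.sport, i = _parse_port(toks, i)      # source-port operator, if any
        self.dst, i = _parse_addr(toks, i)
        self.dport, i = _parse_port(toks, i)      # destination-port operator, if any
        rest = toks[i:]
        self.established = "established" in rest  # matches only ACK or RST set
        self.log = "log" in rest                  # logging does not affect matching

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (_addr_match(self.src, pkt["src"]) and _addr_match(self.dst, pkt["dst"])):
            return False
        if self.proto == "ip":                    # no port qualifiers on 'ip' rules
            return True
        if not (_port_match(self.sport, pkt.get("sport"))
                and _port_match(self.dport, pkt.get("dport"))):
            return False
        return not self.established or pkt.get("ack", False)


def evaluate(acl_text: str, pkt: Dict) -> Tuple[str, str]:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        rule = Rule(line)
        if rule.matches(pkt):
            return rule.action, rule.text
    return "deny", "implicit deny ip any any"


def tcp(src, sport, dst, dport, ack=False) -> Dict:
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack}


if __name__ == "__main__":
    samples = {
        "inbound SYN to web port":        tcp(CLIENT, 51000, WEBSERVER, 80),
        "inbound SYN to telnet":          tcp(CLIENT, 51000, WEBSERVER, 23),
        "unsolicited SYN to high port":   tcp(CLIENT, 51000, WEBSERVER, 40000),
        "reply to our outbound HTTP":     tcp(CLIENT, 80, WEBSERVER, 40000, ack=True),
        "spoofed 10/8 source":            tcp("10.1.2.3", 51000, WEBSERVER, 80),
    }
    for label, pkt in samples.items():
        for name, acl in (("posted", POSTED_ACL), ("no gt 1023", WITHOUT_GT1023),
                          ("gt 1023 established", ESTABLISHED_ONLY)):
            print(f"{label:32s} {name:22s} {evaluate(acl, pkt)}")
```

The point to read off the output is the interaction between "permit tcp any any gt 1023" and the implicit deny: as posted, the line lets any unsolicited SYN reach every port above 1023; removed outright, replies to the router's own outbound connections (source port 80, destination an ephemeral port) hit the implicit deny; with "established" added it admits only ACK/RST segments, which is the behaviour the poster presumably wants.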