Example ACL list. Some of these block entire countries, so check your class "A".
! no access-list 101
!
! bogons (bogus outside networks) - revocations
access-list 101 deny ip 0.0.0.0 1.255.255.255 any log
access-list 101 deny ip 2.0.0.0 0.255.255.255 any log
access-list 101 deny ip 5.0.0.0 0.255.255.255 any log
access-list 101 deny ip 7.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 23.0.0.0 0.255.255.255 any log
access-list 101 deny ip 27.0.0.0 0.255.255.255 any log
access-list 101 deny ip 31.0.0.0 0.255.255.255 any log
access-list 101 deny ip 36.0.0.0 1.255.255.255 any log
access-list 101 deny ip 39.0.0.0 0.255.255.255 any log
access-list 101 deny ip 41.0.0.0 0.255.255.255 any log
access-list 101 deny ip 42.0.0.0 0.255.255.255 any log
access-list 101 deny ip 49.0.0.0 0.255.255.255 any log
access-list 101 deny ip 50.0.0.0 0.255.255.255 any log
access-list 101 deny ip 58.0.0.0 1.255.255.255 any log
access-list 101 deny ip 60.0.0.0 0.255.255.255 any log
! hackers - SPORN (Spam or Porn)
access-list 101 deny ip 61.0.0.0 0.255.255.255 any log
! SPORN (Spam or Porn)
access-list 101 deny ip 64.60.0.0 0.0.255.255 any log
! hackers - TelePacific Communication
access-list 101 deny ip 70.0.0.0 1.255.255.255 any log
access-list 101 deny ip 72.0.0.0 7.255.255.255 any log
access-list 101 deny ip 83.0.0.0 0.255.255.255 any log
access-list 101 deny ip 84.0.0.0 3.255.255.255 any log
access-list 101 deny ip 88.0.0.0 7.255.255.255 any log
access-list 101 deny ip 96.0.0.0 31.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 173.0.0.0 0.255.255.255 any log
access-list 101 deny ip 174.0.0.0 1.255.255.255 any log
access-list 101 deny ip 176.0.0.0 7.255.255.255 any log
access-list 101 deny ip 184.0.0.0 3.255.255.255 any log
access-list 101 deny ip 189.0.0.0 0.255.255.255 any log
access-list 101 deny ip 190.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 197.0.0.0 0.255.255.255 any log
access-list 101 deny ip 198.18.0.0 0.1.255.255 any log
access-list 101 deny ip 200.0.0.0 0.255.255.255 any log
! SPORN (Spam or Porn)
access-list 101 deny ip 201.0.0.0 0.255.255.255 any log
! SPORN (Spam or Porn)
access-list 101 deny ip 211.0.0.0 0.255.255.255 any log
! hackers - SPORN (Spam or Porn)
access-list 101 deny ip 219.0.0.0 0.255.255.255 any log
! hackers - SPORN (Spam or Porn)
access-list 101 deny ip 222.0.0.0 1.255.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
!
! Misc services
access-list 101 deny tcp any any range 67 69 log
access-list 101 deny udp any any range 67 69 log
! bootps tftp
access-list 101 deny tcp any any eq 79 log
! finger
access-list 101 deny udp any any eq 79 log
access-list 101 deny tcp any any eq 111 log
! sun rpc/unix rpc
access-list 101 deny udp any any eq 111 log
! sun rpc/unix rpc
access-list 101 deny tcp any any range 135 139 log
! microsoft snafu
access-list 101 deny udp any any range 135 139 log
! 139-netbios-ss
access-list 101 deny tcp any any eq 143 log
access-list 101 deny udp any any eq 143 log
! imap
access-list 101 deny tcp any any range 161 162 log
access-list 101 deny udp any any range 161 162 log
! snmp snmptrap
access-list 101 deny tcp any any eq 445 log
! microsoft snafu
access-list 101 deny udp any any eq 445 log
! smb over tcp
access-list 101 deny tcp any any range 511 lpd log
! unix services (lpd = 515)
access-list 101 deny udp any any range 511 515 log
access-list 101 deny tcp any any eq 705
! snmp v1 agentx
access-list 101 deny udp any any eq 705
access-list 101 deny tcp any any eq 1412 log
access-list 101 deny udp any any eq 1434 log
! sqlslammer worm
!access-list 101 deny tcp any any eq 2222 log
access-list 101 deny tcp any any range 6711 6712 log
! trojans sub7 etc
access-list 101 deny tcp any any eq 6667 log
! trojans irc trinity etc
access-list 101 deny udp any any eq 6667 log
access-list 101 deny tcp any any eq 6669 log
! trojans host control etc
access-list 101 deny tcp any any eq 7000 log
! trojans fileserver kazimas etc
access-list 101 deny tcp any any eq 16660 log
! trojan Stacheldraht
access-list 101 deny udp any any eq 27444 log
! trinoo DoS attack
access-list 101 deny tcp any any eq 27665 log
! trinoo master DoS attack
access-list 101 deny tcp any any eq 31335 log
! trojan trinoo DoS attack
access-list 101 deny udp any any eq 31335 log
! trinoo register DoS tool
access-list 101 deny tcp any any eq 33270 log
! trojan DDoS trinity attack
access-list 101 deny tcp any any eq 39168 log
access-list 101 deny tcp any any eq 65000 log
! trojan Stacheldraht
!
access-list 101 permit tcp any any established
!
! ICMP Filter
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any
! Permit everything else
access-list 101 permit ip any any
end

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Evan Pearce
> Sent: Wednesday, December 17, 2003 7:36 AM
> To: [EMAIL PROTECTED]
> Subject: [IMGate] Re: OT: ACLs for CISCO router
>
>
> On 17/12/2003 at 23:02:01, Ing. Andrés E. Gallo wrote:
>
> > Pls, if someone can share an ACL to put in a border router ( facing to
> > internet ) and/or have any comments on this one below -got it somewhere-,
> > let me know.
>
> IMHO they're both awful, since they both end in "permit ip any any".
> That basically means 'allow anything I didn't think of above', which is
> a really bad idea.
>

access-list 101 permit tcp any any established

That means the currently established connections. Don't want to drop them just yet.

access-list 101 permit ip any any

This means to allow all others who don't get dropped at the border. Have to have that or you'll have a dead link.

> The underlying principle in any security setup should always be 'deny
> everything unless it's specifically allowed', not 'allow anything I
> forgot to deny'. That way all the support calls are 'Hey, I can't access
> server X!' (which is easy to fix) and not 'Hey, all the files on server
> X are missing!' (which is quite a bit harder). :)
>

Hehe... well, there are a gazillion ports and a gazillion IP addresses. How is one to make or maintain a 'whitelist' of this stuff?
> Your border access list should:
> - deny anything you want to block outright (eg that set of bogon
> networks),
> - allow the absolute minimum services through (ie SMTP to your MX
> servers, HTTP to a web server if you host one), and then
> - deny everything else (with "deny ip any any log") at the end.
>
> That way you're not exposing anything you don't need to (like the SSH
> services on your MX boxes, and all the fun stuff MS runs on Windows
> boxen by default), and you won't get bitten by someone connecting to a
> service you didn't realise you were running.
>

The border ACL does just this. Now at the firewall it is a different story. Filtering and auto IDS software systems dynamically change megs of other ACL-type internal filters and lists.

> As a starting point I'd suggest something like the following:
>
> access-list 100 remark -- Incoming email -------------------------------------
> access-list 100 permit tcp any host 192.0.2.1 eq 25
> access-list 100 permit tcp any host 192.0.2.2 eq 25
> access-list 100 remark
> access-list 100 remark -- Webmail --------------------------------------------
> access-list 100 permit tcp any host 192.0.2.3 eq 80
> access-list 100 permit tcp any host 192.0.2.3 eq 443
> access-list 100 permit tcp any host 192.0.2.3 eq 8385
> access-list 100 remark
> access-list 100 remark -- Deny others ----------------------------------------
> access-list 100 deny ip any any log
>

That might work for a point-to-point or frame perhaps, but nothing from the outside world would make it in except the spoofed non-routable IP you've listed.

> Add any other services which you know need to be Internet accessible,
> and then drop the rest. Short, easy to maintain, and next time some worm
> or another leads to recommendations to block port X at your border,
> you're already doing it.
>
>

Snort has its woes too... I personally, at the border, would only use redundant hardware for first-line, entry-access-level defense.
~Rick
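Worked example, added by the editor and not part of Rick's or Evan's mail: a small Python first-match evaluator for the Cisco IOS extended-ACL syntax both lists use, run over a constructed subset of ACL 101 above and over Evan's ACL 100. It makes the disagreement in the thread concrete. The same inbound SSH packet to the MX host is permitted by the list that ends in "permit ip any any" and dropped by the list that ends in "deny ip any any log". A packet with a spoofed 10/8 source is permitted by Evan's starter list on its own and dropped once the bogon denies are placed in front of it, which is exactly the order his three bullets describe. A reply segment for a connection opened from the inside passes ACL 101 on its "established" line but hits Evan's final deny, so a real border list needs that line (or a reflexive ACL or CBAC) ahead of the deny. The evaluator also reports entries that can never fire: in the posted list 127.0.0.0/8 is already inside the 96.0.0.0/3 entry and 255.0.0.0/8 inside 224.0.0.0/3. Assumptions: 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges (RFC 5737), so every host address here is a placeholder; the packets are constructed; only ip/tcp/udp entries with eq/range/established/log are modelled, not ICMP type keywords; and the wide /8 and /3 bogon entries are reproduced as posted even though most of that space has since been allocated and must not be blocked on a current router.

```python
# Added example (not from the thread): first-match evaluation of the Cisco IOS
# extended-ACL syntax used above, plus a check for entries that can never fire.
# Modelled: ip/tcp/udp, any | host A | A WILDCARD, eq/range on the destination
# port, established, log.  ICMP type keywords and "fragments" are not modelled.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"lpd": 515, "smtp": 25, "www": 80}  # IOS port keywords seen in the post
Rule = namedtuple("Rule", "action proto src dst dports established text")  # dports: (lo, hi) or None
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))  # ack: TCP ACK/RST set

def wildcard_to_network(addr, wildcard):
    # IOS wildcard = inverted netmask; done by hand because ipaddress reads the
    # mask string "0.0.0.0" as /0, whereas wildcard 0.0.0.0 means one host (/32).
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # don't-care bits must form a contiguous low-order run
        raise ValueError("non-contiguous wildcard " + wildcard)
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)

def _addr(t, i):  # any | host A.B.C.D | A.B.C.D WILDCARD  ->  (network, next index)
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return wildcard_to_network(t[i], t[i + 1]), i + 2

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_rule(line):
    # One ACE per line; "!" comments, "remark" lines and "end" give None.
    t = line.split("!", 1)[0].split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dports, established = None, False
    while i < len(t):
        if t[i] == "eq":
            dports, i = (_port(t[i + 1]),) * 2, i + 2
        elif t[i] == "range":
            dports, i = (_port(t[i + 1]), _port(t[i + 2])), i + 3
        else:  # "established" matters; "log" does not change what matches
            established, i = established or t[i] == "established", i + 1
    return Rule(t[2], t[3], src, dst, dports, established, " ".join(t))

def parse_acl(config):
    return [r for r in map(parse_rule, config.splitlines()) if r]

def matches(rule, pkt):
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (not rule.established or (pkt.proto == "tcp" and pkt.ack)))

def evaluate(rules, pkt):
    # First match wins, as on IOS; falling off the end is the implicit deny.
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx, rule.text
    return "deny", None, "implicit deny ip any any"

def covers(a, b):
    # Every packet b could match is already matched by a, so b never fires after a.
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dports is None or (b.dports is not None
                 and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1]))
            and (not a.established or b.established))

def shadowed(rules):  # -> [(dead entry, earliest entry that covers it)]
    pairs = [(j, next((i for i in range(j) if covers(rules[i], rules[j])), None))
             for j in range(len(rules))]
    return [(j, i) for j, i in pairs if i is not None]

# Constructed subset of the ACL 101 posted above, same order and syntax.
ACL101 = parse_acl("""
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 96.0.0.0 31.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range 511 lpd log
access-list 101 permit tcp any any established
access-list 101 permit ip any any
""")
# Evan's starter list as quoted above, trimmed; 192.0.2.0/24 is documentation space.
ACL100 = parse_acl("""
access-list 100 remark -- Incoming email
access-list 100 permit tcp any host 192.0.2.1 eq 25
access-list 100 permit tcp any host 192.0.2.3 eq 80
access-list 100 permit tcp any host 192.0.2.3 eq 443
access-list 100 deny ip any any log
""")
BORDER = [r for r in ACL101 if r.action == "deny" and r.proto == "ip"] + ACL100  # Evan's bullets in order
# Constructed packets; 203.0.113.0/24 is documentation space as well.
SSH_TO_MX = Packet("tcp", "203.0.113.7", "192.0.2.1", 22)
SMTP_TO_MX = Packet("tcp", "203.0.113.7", "192.0.2.1", 25)
SPOOFED_SMTP = Packet("tcp", "10.1.2.3", "192.0.2.1", 25)
REPLY_TO_INSIDE = Packet("tcp", "203.0.113.7", "192.0.2.9", 51000, ack=True)

if __name__ == "__main__":
    for pkt in (SSH_TO_MX, SMTP_TO_MX, SPOOFED_SMTP, REPLY_TO_INSIDE):
        print(pkt.src, "->", f"{pkt.dst}:{pkt.dport}", [evaluate(a, pkt)[:2] for a in (ACL101, ACL100, BORDER)])
    print("dead entries in ACL 101 (dead, covered by):", shadowed(ACL101))
```

Run it directly and it prints, per packet, the (action, entry index) each of the three lists returns, in the order ACL 101, ACL 100, bogons plus ACL 100. The index is the position of the matching entry, which is what you would compare against the per-entry hit counters from "show access-lists" when checking a list on a live router; an entry that the shadow check reports is one whose counter can never move.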
