Ok, guys. Thanks for the input.

Andrés.

----- Original Message -----
From: "Rick Klinge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, 17 December 2003 11:25
Subject: [IMGate] Re: OT: ACLs for CISCO router

> Example ACL list. Some of these block entire countries so check your class "A".
>
> !
> no access-list 101
> ! bogons (bogus outside networks) - revocations
> access-list 101 deny ip 0.0.0.0 1.255.255.255 any log
> access-list 101 deny ip 2.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 5.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 7.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 23.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 27.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 31.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 36.0.0.0 1.255.255.255 any log
> access-list 101 deny ip 39.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 41.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 42.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 49.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 50.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 58.0.0.0 1.255.255.255 any log
> access-list 101 deny ip 60.0.0.0 0.255.255.255 any log ! hackers - SPORN (Spam or Porn)
> access-list 101 deny ip 61.0.0.0 0.255.255.255 any log ! SPORN (Spam or Porn)
> access-list 101 deny ip 64.60.0.0 0.0.255.255 any log ! hackers - TelePacific Communication
> access-list 101 deny ip 70.0.0.0 1.255.255.255 any log
> access-list 101 deny ip 72.0.0.0 7.255.255.255 any log
> access-list 101 deny ip 83.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 84.0.0.0 3.255.255.255 any log
> access-list 101 deny ip 88.0.0.0 7.255.255.255 any log
> access-list 101 deny ip 96.0.0.0 31.255.255.255 any log
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
> access-list 101 deny ip 173.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 174.0.0.0 1.255.255.255 any log
> access-list 101 deny ip 176.0.0.0 7.255.255.255 any log
> access-list 101 deny ip 184.0.0.0 3.255.255.255 any log
> access-list 101 deny ip 189.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 190.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
> access-list 101 deny ip 197.0.0.0 0.255.255.255 any log
> access-list 101 deny ip 198.18.0.0 0.1.255.255 any log
> access-list 101 deny ip 200.0.0.0 0.255.255.255 any log ! SPORN (Spam or Porn)
> access-list 101 deny ip 201.0.0.0 0.255.255.255 any log ! SPORN (Spam or Porn)
> access-list 101 deny ip 211.0.0.0 0.255.255.255 any log ! hackers - SPORN (Spam or Porn)
> access-list 101 deny ip 219.0.0.0 0.255.255.255 any log ! hackers - SPORN (Spam or Porn)
> access-list 101 deny ip 222.0.0.0 1.255.255.255 any log
> access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
> access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
> ! Misc services
> access-list 101 deny tcp any any range 67 69 log
> access-list 101 deny udp any any range 67 69 log ! bootps tftp
> access-list 101 deny tcp any any eq 79 log ! finger
> access-list 101 deny udp any any eq 79 log
> access-list 101 deny tcp any any eq 111 log ! sun rpc/unix rpc
> access-list 101 deny udp any any eq 111 log ! sun rpc/unix rpc
> access-list 101 deny tcp any any range 135 139 log ! microsoft snafu
> access-list 101 deny udp any any range 135 139 log ! 139-netbios-ss
> access-list 101 deny tcp any any eq 143 log
> access-list 101 deny udp any any eq 143 log
> access-list 101 deny tcp any any range 161 162 log
> access-list 101 deny udp any any range 161 162 log ! snmp snmptrap
> access-list 101 deny tcp any any eq 445 log ! microsoft snafu
> access-list 101 deny udp any any eq 445 log ! smb over tcp
> access-list 101 deny tcp any any range 511 lpd log ! unix services
> access-list 101 deny udp any any range 511 515 log
> access-list 101 deny tcp any any eq 705 ! snmp v1 agentx
> access-list 101 deny udp any any eq 705
> access-list 101 deny tcp any any eq 1412 log
> access-list 101 deny udp any any eq 1434 log ! sqlslammer worm
> !access-list 101 deny tcp any any eq 2222 log
> access-list 101 deny tcp any any range 6711 6712 log ! trojans sub7 etc
> access-list 101 deny tcp any any eq 6667 log ! trojans irc trinity etc
> access-list 101 deny udp any any eq 6667 log
> access-list 101 deny tcp any any eq 6669 log ! trojans host control etc
> access-list 101 deny tcp any any eq 7000 log ! trojans fileserver kazimas etc
> access-list 101 deny tcp any any eq 16660 log ! trojan Stacheldraht
> access-list 101 deny udp any any eq 27444 log ! trinoo DoS attack
> access-list 101 deny tcp any any eq 27665 log ! trinoo master DoS attack
> access-list 101 deny tcp any any eq 31335 log ! trojan trinoo DoS attack
> access-list 101 deny udp any any eq 31335 log ! trinoo register DoS tool
> access-list 101 deny tcp any any eq 33270 log ! trojan DDoS trinity attack
> access-list 101 deny tcp any any eq 39168 log
> access-list 101 deny tcp any any eq 65000 log ! trojan Stacheldraht
> !
> access-list 101 permit tcp any any established
> ! ICMP Filter
> access-list 101 deny icmp any any fragments
> access-list 101 permit icmp any any administratively-prohibited
> access-list 101 permit icmp any any echo
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any packet-too-big
> access-list 101 permit icmp any any source-quench
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any traceroute
> access-list 101 permit icmp any any unreachable
> access-list 101 deny icmp any any
> ! Permit everything else
> access-list 101 permit ip any any
> end
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Evan Pearce
> > Sent: Wednesday, December 17, 2003 7:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: [IMGate] Re: OT: ACLs for CISCO router
> >
> > On 17/12/2003 at 23:02:01, Ing. Andrés E. Gallo wrote:
> >
> > > Pls, if someone can share an ACL to put in a border router (facing to
> > > internet) and/or have any comments on this one below -got it somewhere-,
> > > let me know.
> >
> > IMHO they're both awful, since they both end in "permit ip any any".
> > That basically means 'allow anything I didn't think of above', which is
> > a really bad idea.
>
> > access-list 101 permit tcp any any established
> That means the currently established connections. Don't want to drop them
> just yet.
>
> > access-list 101 permit ip any any
> This means to allow all others who don't get dropped at the border. Have
> to have that or you'll have a dead link.
>
> > The underlying principle in any security setup should always be 'deny
> > everything unless it's specifically allowed', not 'allow anything I
> > forgot to deny'. That way all the support calls are 'Hey, I can't access
> > server X!' (which is easy to fix) and not 'Hey, all the files on server
> > X are missing!' (which is quite a bit harder). :)
>
> hehe.. well.. there are a gazillion ports and a gazillion IP addresses.. how is
> one to make or maintain a 'whitelist' of this stuff?
>
> > Your border access list should:
> > - deny anything you want to block outright (eg that set of bogon
> >   networks),
> > - allow the absolute minimum services through (ie SMTP to your MX
> >   servers, HTTP to a web server if you host one), and then
> > - deny everything else (with "deny ip any any log") at the end.
> >
> > That way you're not exposing anything you don't need to (like the SSH
> > services on your MX boxes, and all the fun stuff MS runs on Windows
> > boxen by default), and you won't get bitten by someone connecting to a
> > service you didn't realise you were running.
>
> The border ACL does just this. Now at the firewall is a different story.
> Filtering and auto IDS software systems dynamically change megs of other
> ACL type of internal filters and lists.
>
> > As a starting point I'd suggest something like the following:
> >
> > access-list 100 remark -- Incoming email -------------------------------------
> > access-list 100 permit tcp any host 192.0.2.1 eq 25
> > access-list 100 permit tcp any host 192.0.2.2 eq 25
> > access-list 100 remark
> > access-list 100 remark -- Webmail --------------------------------------------
> > access-list 100 permit tcp any host 192.0.2.3 eq 80
> > access-list 100 permit tcp any host 192.0.2.3 eq 443
> > access-list 100 permit tcp any host 192.0.2.3 eq 8385
> > access-list 100 remark
> > access-list 100 remark -- Deny others ----------------------------------------
> > access-list 100 deny ip any any log
>
> That might work for a point to point or frame perhaps but nothing from the
> outside world would make it in except the spoofed non routable ip you've
> listed.
>
> > Add any other services which you know need to be Internet accessible,
> > and then drop the rest. Short, easy to maintain, and next time some worm
> > or another leads to recommendations to block port X at your border,
> > you're already doing it.
>
> Snort has its woes too.. I personally, at the border, would only use
> redundant hardware for first line entry access level defense.
>
> ~Rick
