>
> Pls, if someone can share an ACL to put in a border router ( facing to
> internet ) and/or have any comments on this one below -got it
> somewhere-, let me know.
>
> Andrés.-
>
> -------------------------GENERIC ACL----------------------------------
>
> access-list 101 permit tcp any any established
> access-list 101 deny udp any any eq netbios-dgm
> access-list 101 deny udp any any eq netbios-ns
> access-list 101 deny tcp any any eq 139
> access-list 101 permit ip any any
> !
> remark *** bogons (bogus outside networks)
> deny ip 0.0.0.0 1.255.255.255 any
> deny ip 2.0.0.0 0.255.255.255 any
> deny ip 5.0.0.0 0.255.255.255 any
> deny ip 7.0.0.0 0.255.255.255 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 23.0.0.0 0.255.255.255 any
> deny ip 27.0.0.0 0.255.255.255 any
> deny ip 31.0.0.0 0.255.255.255 any
> deny ip 36.0.0.0 1.255.255.255 any
> deny ip 39.0.0.0 0.255.255.255 any
> deny ip 41.0.0.0 0.255.255.255 any
> deny ip 42.0.0.0 0.255.255.255 any
> deny ip 49.0.0.0 0.255.255.255 any
> deny ip 50.0.0.0 0.255.255.255 any
> deny ip 58.0.0.0 1.255.255.255 any
> deny ip 60.0.0.0 0.255.255.255 any
> deny ip 70.0.0.0 1.255.255.255 any
> deny ip 72.0.0.0 7.255.255.255 any
> deny ip 82.0.0.0 1.255.255.255 any
> deny ip 84.0.0.0 3.255.255.255 any
> deny ip 88.0.0.0 7.255.255.255 any
> deny ip 96.0.0.0 31.255.255.255 any
> deny ip 169.254.0.0 0.0.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.0.2.0 0.0.0.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip 197.0.0.0 0.255.255.255 any
> deny ip 198.18.0.0 0.1.255.255 any
> deny ip 201.0.0.0 0.255.255.255 any
> deny ip 222.0.0.0 1.255.255.255 any
> deny ip 224.0.0.0 31.255.255.255 any
> !
> remark *** protocols
> remark *** legacy small services no longer used
> deny tcp any any range 0 19
> deny udp any any range 0 19
> remark *** snmp
> deny tcp any any range 161 162
> deny udp any any range 161 162
> deny tcp any any eq 199
> deny udp any any eq 199
> deny tcp any any eq 391
> deny udp any any eq 391
> deny tcp any any eq 705
> deny udp any any eq 705
> deny tcp any any eq 1993
> deny udp any any eq 1993
> remark *** lan-only dhcp and tftp
> deny udp any any range 67 69
> deny tcp any any range 67 69
> remark *** microsoft netbios
> deny tcp any any range 135 139
> deny udp any any range 135 139
> deny tcp any any eq 445
> deny udp any any eq 445
> remark *** SQLSlammer worm
> deny udp any any eq 1434
> remark *** unix rpc
> deny tcp any any eq 111
> deny udp any any eq 111
> remark *** lan-only unix services
> deny tcp any any range 511 515
> deny udp any any range 511 515
> remark *** ircd
> deny tcp any any eq 6667
> deny udp any any eq 6667
> remark *** icmp fragments
> deny icmp any any fragments
> remark *** inbound ping
> permit icmp any any echo
> remark *** inbound ping response
> permit icmp any any echo-reply
> remark *** path MTU to function
> permit icmp any any packet-too-big
> remark *** flow control
> permit icmp any any source-quench
> remark *** time exceeded messages for traceroute and loops
> permit icmp any any time-exceeded
> remark *** block all other ICMP packets
> deny icmp any any
> remark *** permit everything else
> permit ip any any
>
Check this site for an excellent guide
http://www.nsa.gov/snac/cisco/index.html
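Added example (mine, not from the thread): a small Python checker for the kind of Cisco ACL quoted above. It converts wildcard masks to prefixes, accepts both the numbered `access-list 101` lines and the bare named-ACL lines of the second block, and reports entries that can never match because an earlier unqualified entry already covers them, which is exactly what the first block's `permit ip any any` does to every deny that follows it. The excerpt it parses is constructed from the quoted lines; `first_match` ignores port and flag qualifiers.

```python
import ipaddress
from collections import namedtuple

# Constructed excerpt of the quoted ACL, keeping its ordering bug: the first
# block's "permit ip any any" sits before the bogon and port denies.
ACL_TEXT = """
> access-list 101 permit tcp any any established
> access-list 101 deny tcp any any eq 139
> access-list 101 permit ip any any
> remark *** bogons (bogus outside networks)
> deny ip 10.0.0.0 0.255.255.255 any
> deny udp any any eq 1434
> permit ip any any
"""
# qualifiers: whatever follows the two addresses (ports, tcp flags, icmp types)
Entry = namedtuple("Entry", "action proto src dst qualifiers")

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard (inverted mask; 0.0.0.0 means one host) -> IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1): raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - w.bit_length()), strict=False)

def _addr(toks):
    # consume "any" or "ADDR WILDCARD" ("host A" does not occur in the quoted ACL)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return wildcard_to_network(toks[0], toks[1]), toks[2:]

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        toks = line.lstrip("> ").split()
        toks = toks[2:] if toks[:1] == ["access-list"] else toks
        if not toks or toks[0] not in ("permit", "deny"):
            continue  # remarks, "!", blank lines
        src, rest = _addr(toks[2:])   # source-port qualifiers are not handled
        dst, rest = _addr(rest)
        entries.append(Entry(toks[0], toks[1], src, dst, " ".join(rest)))
    return entries

def first_match(entries, proto, src_ip, dst_ip):
    """Index of the first entry a packet hits (ports and flags ignored), or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((i for i, e in enumerate(entries)
                 if e.proto in ("ip", proto) and s in e.src and d in e.dst), None)

def shadowed_entries(entries):
    """(i, j) pairs: entry i can never match because earlier unqualified entry j covers it."""
    return [(i, j) for i, e in enumerate(entries) for j, p in enumerate(entries[:i])
            if not p.qualifiers and p.proto in ("ip", e.proto)
            and e.src.subnet_of(p.src) and e.dst.subnet_of(p.dst)]
```

A static bogon list like the quoted one also goes stale: many of the /8 ranges it names have since been allocated, so an ACL built from it would now drop legitimate traffic unless the list is refreshed from a current source.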
