I have a software-based router/firewall program, so how would I "translate" these router rules for my use... any ideas.... the help would be greatly appreciated..
unix/freebsd kinda thing... thanks Sheldon

----- Original Message -----
From: "Scott Muller" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 9:17 PM
Subject: [IMGate] Re: OT: ACLs for CISCO router

>
> > Pls, if someone can share an ACL to put in a border router ( facing to
> > internet ) and/or have any comments on this one below -got it
> > somewhere-,
> > let me know.
> >
> > Andrés.-
> >
> > -------------------------GENERIC ACL----------------------------------
> >
> > access-list 101 permit tcp any any established
> > access-list 101 deny udp any any eq netbios-dgm
> > access-list 101 deny udp any any eq netbios-ns
> > access-list 101 deny tcp any any eq 139
> > access-list 101 permit ip any any
> > !
> > remark *** bogons (bogus outside networks)
> > deny ip 0.0.0.0 1.255.255.255 any
> > deny ip 2.0.0.0 0.255.255.255 any
> > deny ip 5.0.0.0 0.255.255.255 any
> > deny ip 7.0.0.0 0.255.255.255 any
> > deny ip 10.0.0.0 0.255.255.255 any
> > deny ip 23.0.0.0 0.255.255.255 any
> > deny ip 27.0.0.0 0.255.255.255 any
> > deny ip 31.0.0.0 0.255.255.255 any
> > deny ip 36.0.0.0 1.255.255.255 any
> > deny ip 39.0.0.0 0.255.255.255 any
> > deny ip 41.0.0.0 0.255.255.255 any
> > deny ip 42.0.0.0 0.255.255.255 any
> > deny ip 49.0.0.0 0.255.255.255 any
> > deny ip 50.0.0.0 0.255.255.255 any
> > deny ip 58.0.0.0 1.255.255.255 any
> > deny ip 60.0.0.0 0.255.255.255 any
> > deny ip 70.0.0.0 1.255.255.255 any
> > deny ip 72.0.0.0 7.255.255.255 any
> > deny ip 82.0.0.0 1.255.255.255 any
> > deny ip 84.0.0.0 3.255.255.255 any
> > deny ip 88.0.0.0 7.255.255.255 any
> > deny ip 96.0.0.0 31.255.255.255 any
> > deny ip 169.254.0.0 0.0.255.255 any
> > deny ip 172.16.0.0 0.15.255.255 any
> > deny ip 192.0.2.0 0.0.0.255 any
> > deny ip 192.168.0.0 0.0.255.255 any
> > deny ip 197.0.0.0 0.255.255.255 any
> > deny ip 198.18.0.0 0.1.255.255 any
> > deny ip 201.0.0.0 0.255.255.255 any
> > deny ip 222.0.0.0 1.255.255.255 any
> > deny ip 224.0.0.0 31.255.255.255 any
> > !
> > remark *** protocols
> > remark *** legacy small services no longer used
> > deny tcp any any range 0 19
> > deny udp any any range 0 19
> > remark *** snmp
> > deny tcp any any range 161 162
> > deny udp any any range 161 162
> > deny tcp any any eq 199
> > deny udp any any eq 199
> > deny tcp any any eq 391
> > deny udp any any eq 391
> > deny tcp any any eq 705
> > deny udp any any eq 705
> > deny tcp any any eq 1993
> > deny udp any any eq 1993
> > remark *** lan-only dhcp and tftp
> > deny udp any any range 67 69
> > deny tcp any any range 67 69
> > remark *** microsoft netbios
> > deny tcp any any range 135 139
> > deny udp any any range 135 139
> > deny tcp any any eq 445
> > deny udp any any eq 445
> > remark *** SQLSlammer worm
> > deny udp any any eq 1434
> > remark *** unix rpc
> > deny tcp any any eq 111
> > deny udp any any eq 111
> > remark *** lan-only unix services
> > deny tcp any any range 511 515
> > deny udp any any range 511 515
> > remark *** ircd
> > deny tcp any any eq 6667
> > deny udp any any eq 6667
> > remark *** icmp fragments
> > deny icmp any any fragments
> > remark *** inbound ping
> > permit icmp any any echo
> > remark *** inbound ping response
> > permit icmp any any echo-reply
> > remark *** path MTU to function
> > permit icmp any any packet-too-big
> > remark *** flow control
> > permit icmp any any source-quench
> > remark *** time exceeded messages for traceroute and loops
> > permit icmp any any time-exceeded
> > remark *** block all other ICMP packets
> > deny icmp any any
> > remark *** permit everything else
> > permit ip any any
> >
> > Check this site for an excellent guide
> > http://www.nsa.gov/snac/cisco/index.html
> >
>
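Since the question is how to carry these entries over to a FreeBSD box, here is an added example (my own code, not from anyone in this thread) that translates the quoted Cisco ACL lines into ipfw rules: it turns wildcard masks into CIDR prefixes, maps the port and ICMP keywords the ACL uses, and keeps the rule order. The interface name fxp0 is an assumption, and ipfw is one choice of FreeBSD packet filter.

```python
import ipaddress
# Cisco keywords from the quoted ACL. ipfw's icmptypes matches only the ICMP
# type, so 'packet-too-big' (type 3 code 4) translates to all of type 3.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "packet-too-big": 3,
              "source-quench": 4, "time-exceeded": 11}
FLAGS = {"established": "established", "fragments": "frag"}
def wildcard_to_cidr(addr, wildcard):
    """Convert a Cisco wildcard mask (inverted netmask) to CIDR notation."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                         # a prefix needs contiguous low bits
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 33 - (w + 1).bit_length()
    return str(ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False))
def parse_addr(tokens):
    """Consume one 'any' / 'host A' / 'A WILDCARD' spec from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    return tokens.pop(0) if tok == "host" else wildcard_to_cidr(tok, tokens.pop(0))

def parse_ports(tokens):
    """Consume an optional 'eq P' / 'range LO HI' spec; return ipfw port text."""
    if not tokens or tokens[0] not in ("eq", "range"):
        return ""
    op, lo = tokens.pop(0), tokens.pop(0)
    hi = tokens.pop(0) if op == "range" else lo
    lo, hi = (str(PORT_NAMES.get(p, p)) for p in (lo, hi))
    return lo if lo == hi else f"{lo}-{hi}"

def acl_to_ipfw(line, iface="fxp0"):
    """One Cisco ACL entry -> inbound ipfw rule on `iface` (assumed name); None for remarks."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:       # numbered form: 'access-list 101 ...'
        tokens = tokens[2:]
    if not tokens or tokens[0] in ("remark", "!"):
        return None
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, sport = parse_addr(tokens), parse_ports(tokens)
    dst, dport = parse_addr(tokens), parse_ports(tokens)
    parts = ["add", "allow" if action == "permit" else "deny", proto,
             "from", src, sport, "to", dst, dport, "in", "via", iface]
    for opt in tokens:                      # trailing keywords: established, fragments, ICMP type
        if opt in FLAGS:
            parts.append(FLAGS[opt])
        elif opt in ICMP_TYPES:
            parts.append(f"icmptypes {ICMP_TYPES[opt]}")
        else:
            raise ValueError(f"unsupported keyword {opt!r} in: {line}")
    return " ".join(p for p in parts if p)
```

Feed the quoted entries through it in the order given, because both Cisco ACLs and ipfw stop at the first match; review the output before loading it, as the ICMP type mapping is wider than the original.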
