
Re: [nsp] Cisco Recommended Filters

Last update: 23 January 1998 - Friday

From: Jim Warner <warner@cats.ucsc.edu>
Date: Sat, 3 Jan 1998 10:00:56 -0800
Message-ID: <199801031800.KAA11705@sasha.UCSC.EDU>
To: cisco-nsp@iagnet.net
Subject: Re: [nsp] Cisco Recommended Filters

tom@iconnections.net asked for examples of ingress filters. Below I've pasted the 'show access-list' display from the University's filter, adding line numbers on the left. Comments welcome.

Two points often get missed in this discussion:

  • "no ip directed-broadcast" must be set on all interfaces on all routers to be effective. Doing this only on the edge or ingress router doesn't work. If you can't do this everywhere, use filtering instead.
  • On ciscos, it is necessary to block both the zero-filled and ones-filled form of the directed broadcast address (lines 4 AND 5 below).

Extended IP access list 101

 1   permit tcp any any established (761043 matches)
 2   permit udp any any eq domain (617933 matches)
 3   permit ip host 128.114.xxx.yyy any (10569 matches)
 4   deny   ip any 128.114.0.255 0.0.255.0 log (6 matches)
 5   deny   ip any 128.114.0.0 0.0.255.0 log (29372 matches)
 6   permit icmp any any (127580 matches)
 7   deny   ip 128.114.0.0 0.0.255.255 any (3 matches)
 8   deny   ip 169.233.0.0 0.0.255.255 any
 9   deny   ip 10.0.0.0 0.255.255.255 any (25 matches)
10   deny   ip 127.0.0.0 0.255.255.255 any (33 matches)
11   deny   ip 172.16.0.0 0.0.255.255 any
12   deny   ip 192.168.0.0 0.0.255.255 any (37 matches)
13   deny   tcp any 169.233.0.0 0.0.255.255 eq smtp (192 matches)
14   deny   ip any host 128.114.xxx.xxx
15   deny   ip any host 128.114.xxx.yyy
16   deny   ip any host 128.114.xxx.www
17   deny   ip any host 128.114.www.zzz
18   deny   udp any any eq sunrpc (56 matches)
19   deny   udp any any eq 2049 (136 matches)
20   deny   tcp any any eq sunrpc (10 matches)
21   deny   tcp any any eq 2049 (8 matches)
22   deny   udp any any eq snmp (757 matches)
23   permit ip any any (848648 matches)

line 1 -- efficiency trick. An "established" connection must have passed all tests when it was initiated.

line 2 -- short path for domain name service.

line 3 -- Exception to policy for a monitoring computer outside the barrier. xxx.yyy is not a wild card. It's a specific address whose value you don't need to know.

line 4,5 Since I know the netmask on my subnets, these lines block smurf bouncing. Among other things, protects the campus against land.c attacks.

line 7,8 Addresses 128.114.0.0/16 and 169.233.0.0/16 are inside the barrier. This blocks spoofers from outside masquerading as local hosts.

10,11,12 Private address space may not appear as source addresses

line 13 Guys on this net MUST use the official campus mail server

14-17 Four specific computers not permitted to talk to the outside world.

18-21 Campus NFS servers are off-limits to the outside world.

22 The network management port is blocked

23 Permit the rest ...

Not shown here, we have "no ip directed-broadcasts" set on all interfaces connecting to the 169.233.x.x net. We use ingress filtering instead on our other net because directed broadcasts are used internally.
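To see why lines 4 and 5 are both needed and why rule order matters, here is an added example (not part of the original post, and not Cisco code) that evaluates a subset of the access list above against a few constructed packets, using Cisco wildcard-mask semantics. It assumes first-match evaluation with an implicit deny at the end, omits lines 1 and 3, and uses 203.0.113.0/24 as the "outside" address.

```python
import ipaddress

# Cisco wildcard mask: a 1 bit means "don't care". A rule address matches when
# every bit NOT covered by the wildcard is equal between packet and rule.
def wild_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & (0xFFFFFFFF ^ w)) == 0

ANY = ("0.0.0.0", "255.255.255.255")
# Subset of the posted list, same order: (line, action, proto, src, src_wild,
# dst, dst_wild, dst_port). Lines 1 (established) and 3 (monitor host) omitted.
ACL = [
    (2,  "permit", "udp",  *ANY, *ANY, 53),
    (4,  "deny",   "ip",   *ANY, "128.114.0.255", "0.0.255.0", None),
    (5,  "deny",   "ip",   *ANY, "128.114.0.0",   "0.0.255.0", None),
    (6,  "permit", "icmp", *ANY, *ANY, None),
    (7,  "deny",   "ip",   "128.114.0.0", "0.0.255.255",   *ANY, None),
    (9,  "deny",   "ip",   "10.0.0.0",    "0.255.255.255", *ANY, None),
    (12, "deny",   "ip",   "192.168.0.0", "0.0.255.255",   *ANY, None),
    (19, "deny",   "udp",  *ANY, *ANY, 2049),
    (23, "permit", "ip",   *ANY, *ANY, None),
]

def evaluate(proto: str, src: str, dst: str, dport=None):
    """First-match evaluation; returns (action, line). Traffic matching no
    rule hits the implicit deny at the end of every Cisco ACL."""
    for line, action, rproto, rs, rsw, rd, rdw, rport in ACL:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        if wild_match(src, rs, rsw) and wild_match(dst, rd, rdw):
            return action, line
    return "deny", None

if __name__ == "__main__":
    # Constructed packets; 203.0.113.0/24 (documentation space) plays "outside".
    samples = [
        ("icmp", "203.0.113.9", "128.114.37.255", None),  # ones-filled broadcast
        ("icmp", "203.0.113.9", "128.114.37.0", None),    # zero-filled broadcast
        ("icmp", "203.0.113.9", "128.114.37.1", None),    # ordinary host ping
        ("tcp",  "128.114.5.5", "203.0.113.9", 80),       # campus source from outside
        ("udp",  "203.0.113.9", "128.114.5.5", 2049),     # NFS from outside
        ("udp",  "192.168.1.1", "128.114.5.5", 53),       # private source, DNS port
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

The last sample shows the cost of the line 2 shortcut: because the list is first-match, a UDP/53 packet with a private source is permitted by line 2 before the source checks on lines 9 to 12 are ever reached.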



Python Zope ©1998 jcea@jcea.es
