List: cisco-nsp
Subject: [nsp] RE: UDP broadcast filters.
From: Ted Mittelstaedt <tedm () portsoft ! com>
Date: 1998-03-16 19:40:36
1) Telnet into the router
2) issue an "enable" command
3) issue a "config" command
4) Create an "ip access group" that lists all your rulesets. What I do is to build one in Notepad, then cut and paste from there to the telnet window. Here's a snippet of mine; 201.207.3.226 is the interior firewall. Note that this can be built to either be applied to incoming or outgoing packets, and can be applied to either the serial interface or the ethernet interface. You have to re-write the list if you change how it's applied. The following is applied to incoming packets to the serial interface:
access-list 101 permit tcp any any established
! anti-spoofing: drop packets arriving from outside that claim an inside
! (201.207.3.224/27) source address; 0.0.0.31 is the wildcard for a /27
access-list 101 deny ip 201.207.3.224 0.0.0.31 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq hostname
access-list 101 permit tcp any host 201.207.3.226 eq smtp
access-list 101 permit tcp any host 201.207.3.226 eq pop3
access-list 101 permit tcp any host 201.207.3.226 eq domain
access-list 101 permit udp any host 201.207.3.226 eq domain
access-list 101 permit udp any host 201.207.3.226 eq nameserver
access-list 101 permit tcp any host 201.207.3.226 eq ftp
access-list 101 permit tcp any host 201.207.3.226 eq ftp-data
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
Depending on how nasty your users are, you may want to block some of their outgoing traffic. Common blocks are on SMTP - which forces all outbound SMTP to spool through your mailserver and greatly discourages spammers from using your dialup accounts. Another popular one is a block on TCP traffic on Real Audio, to force people to use UDP as a transport. This requires a second access list.
5) Cntl-Z, then do a sh running-config to make sure that the access list is properly built.
6) Go back into config, then apply the list to the desired interface - in my case the command is "config, in s0.1, ip access-group 101 in, exit, exit".
7) Sit back and wait for your users to scream because something you are inadvertently blocking is something that they were using. ;-) Repeat steps 1-6 until satisfied.
Ted
PS: While this firewall is going to be better than nothing (you need to substitute the appropriate IP numbers for your network, of course), you really need to learn a lot about the basic protocol of TCP/IP and its implementation to write a good one, as well as know exactly what all your external hosts are doing. There is always trial and error in this business; you start with the most restrictive access list possible, then gradually add openings to it as users complain.
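As an added illustration that is not part of Ted's post: a small Python evaluator for the extended access-list syntax used above (wildcard masks, host/any, eq/gt port operators, established, first match wins, implicit deny), run against the posted list. It assumes the deny line is meant to cover the inside 201.207.3.224/27 network and so writes it with the wildcard 0.0.0.31, and it also builds a variant that types the subnet-mask form (0.0.0.224 and 255.255.255.224) in that position to show that such a line does not catch a packet spoofing an inside source address.

```python
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "nameserver": 42,
              "domain": 53, "hostname": 101, "pop3": 110}
# The posted list; the anti-spoof line uses the /27 wildcard 0.0.0.31 (assumed intent)
ACL = """\
access-list 101 permit tcp any any established
access-list 101 deny ip 201.207.3.224 0.0.0.31 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq hostname
access-list 101 permit tcp any host 201.207.3.226 eq smtp
access-list 101 permit tcp any host 201.207.3.226 eq pop3
access-list 101 permit tcp any host 201.207.3.226 eq domain
access-list 101 permit udp any host 201.207.3.226 eq domain
access-list 101 permit udp any host 201.207.3.226 eq nameserver
access-list 101 permit tcp any host 201.207.3.226 eq ftp
access-list 101 permit tcp any host 201.207.3.226 eq ftp-data
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023"""
# Same list, but line 2 typed with subnet-mask values instead of a wildcard mask
ACL_WRONG_MASK = ACL.replace("0.0.0.31 any", "0.0.0.224 0.0.0.0 255.255.255.224")

def ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def take_addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> (addr, wildcard, rest)
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return ip_int(tok[1]), 0, tok[2:]
    return ip_int(tok[0]), ip_int(tok[1]), tok[2:]

def addr_match(pkt, addr, wild):
    # IOS wildcard bits set to 1 are "don't care"; 0 bits must match exactly
    return (pkt ^ addr) & ~wild & 0xFFFFFFFF == 0
def evaluate(acl, proto, src, dst, dport=0, ack=False):
    """Action for one packet: first matching line wins, else the implicit deny."""
    for line in acl.splitlines():
        _, _, action, rproto, *tok = line.split()
        saddr, swild, tok = take_addr(tok)
        daddr, dwild, tok = take_addr(tok)
        if rproto not in ("ip", proto):
            continue
        if not (addr_match(ip_int(src), saddr, swild) and addr_match(ip_int(dst), daddr, dwild)):
            continue
        if tok == ["established"] and not ack:  # only replies to inside-initiated TCP
            continue
        if tok[:1] in (["eq"], ["gt"]):
            port = PORT_NAMES.get(tok[1]) or int(tok[1])
            if tok[0] == "eq" and dport != port or tok[0] == "gt" and dport <= port:
                continue
        return action
    return "deny"
```

A UDP packet to the subnet broadcast address 201.207.3.255 on a low port falls through to the implicit deny, while the same list with the subnet-mask values in line 2 lets a packet with a forged inside source through to the permitted services.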
----------
From: jlixfeld@idirect.ca[SMTP:jlixfeld@idirect.ca]
Sent: Monday, March 16, 1998 1:40 AM
To: Cisco-NSP; Cisco at Colorado
Subject: UDP broadcast filters.
I've kept hearing about a UDP smurf floating around and I'd like to put up
a firewall to prevent it. Can anyone give me any insight on how this is
done? I don't understand enough about UDP, broadcasts or enough about
access-lists to create an effective one. Can anyone give me some
pointers?
--
Regards,
Jason A. Lixfeld jlixfeld@idirect.ca
System Administrator [L5] jlixfeld@torontointernetxchange.net
---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a | "A Different Kind of Internet Company"
Internet Direct Canada Inc. | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario | (416) 236-5806 ext 18 (T)
M9B-1B5 CANADA | (416) 236-5804 (F)
---------------------------------------------------------------------