Gerardo,

access-list 101 deny tcp any any eq 113 log

Denies packets where the _destination_ port is 113, not where the source
port is 113.  If you wanted to deny packets where the source port is 113
you would need to change the entry to:

access-list 101 deny tcp any eq 113 any log

Without seeing your entire access-list, it's hard to make further
recommendations, but at a minimum you probably want to only allow in
what you specifically want and deny everything else.

A typical access-list for Internet connected routers would have entries
blocking incoming packets claiming to be from RFC 1918 addresses and
from your internal addresses (anti-spoofing).  I normally also block
addresses claiming to be from loopback, multicast and broadcast
addresses.

Then you'll want to permit TCP replies via:

access-list 101 permit tcp any any gt 1024 established

If you use UDP, you'll want to permit that as well.  I like to nail it
down though to only those UDP services I use.  DNS is the most common:

access-list 101 permit udp any eq 53 any gt 1024

Finally you'll add any specific traffic you permit to be initiated
inbound to your network.

If you're using the router as your only defense on your security
perimeter, I strongly recommend you take a look at Context Based Access
Control (CBAC), which is available in the firewall feature set on Cisco
routers.  It provides stateful packet filtering and is much more robust
than traditional extended IP access-list filtering.

If you need any further assistance, feel free to contact me off-line.

HTH,
Kent

Kent Hundley
INS

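As an added illustration, not part of Kent's or Gerardo's messages, here is a small Python evaluator for the extended-ACL syntax used above. It parses each line the way IOS does (a port operator that follows the source address is a source port, one that follows the destination address is a destination port) and applies first-match semantics with the implicit deny at the end. The two lists it compares are constructed: AS_POSTED approximates Gerardo's list with only the two entries visible in the thread, and AS_RECOMMENDED fills in Kent's outline with assumed values (200.38.80.0/24 is taken as the internal network from the logged destination address). The sample packets are constructed as well; the first one reproduces the endpoints from the posted log line, with the ACK bit assumed set since an `established` entry permitted it.

```python
"""Tiny evaluator for Cisco IOS extended-ACL syntax (constructed example).

Understands: access-list N {permit|deny} {ip|tcp|udp} SRC [OP PORT] DST [OP PORT] [established] [log]
with SRC/DST = any | host A.B.C.D | A.B.C.D WILDCARD and OP = eq | gt | lt.
First match wins; a packet no entry matches hits the implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False   # TCP ACK or RST bit set; this is all 'established' tests


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]               # (address, wildcard) as 32-bit ints
    sport: Optional[Tuple[str, int]]
    dst: Tuple[int, int]
    dport: Optional[Tuple[str, int]]
    established: bool
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int):
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto = tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)     # an operator right after SRC is a SOURCE port
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)     # an operator right after DST is a DESTINATION port
    return Entry(action, proto, src, sport, dst, dport, "established" in tok[i:], line)


def parse_acl(lines: List[str]) -> List[Entry]:
    return [parse_entry(line) for line in lines]


def _addr_match(spec: Tuple[int, int], addr: str) -> bool:
    net, wild = spec
    return (_ip(addr) & ~wild) == (net & ~wild)   # wildcard 1-bits are "don't care"


def _port_match(spec: Optional[Tuple[str, int]], port: int) -> bool:
    if spec is None:                               # no operator: any port matches
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Return (action, text of the matching entry) under first-match semantics."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)):
            continue
        if not (_port_match(e.sport, pkt.sport) and _port_match(e.dport, pkt.dport)):
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of list"


# Constructed approximation of the posted list: only the two entries the thread shows.
AS_POSTED = parse_acl([
    "access-list 101 deny tcp any any eq 113 log",
    "access-list 101 permit tcp any any gt 1024 established",
])

# Kent's outline with assumed concrete values; 200.38.80.0/24 assumed to be the internal net.
AS_RECOMMENDED = parse_acl([
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 101 deny ip 200.38.80.0 0.0.0.255 any log",
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 101 deny ip 224.0.0.0 31.255.255.255 any log",
    "access-list 101 deny ip host 255.255.255.255 any log",
    "access-list 101 deny tcp any eq 113 any log",
    "access-list 101 permit tcp any any gt 1024 established",
    "access-list 101 permit udp any eq 53 any gt 1024",
])

# Endpoints from the posted log line; ACK assumed set since an 'established' entry let it through.
LOGGED = Packet("tcp", "209.182.195.70", 113, "200.38.80.1", 20615, ack_or_rst=True)
# Same endpoints as a bare SYN: a genuine inbound connection attempt (constructed).
SYN_FROM_113 = Packet("tcp", "209.182.195.70", 113, "200.38.80.1", 20615)
# Constructed spoofed packet: RFC 1918 source, ACK set.
SPOOFED = Packet("tcp", "192.168.1.5", 40000, "200.38.80.1", 20000, ack_or_rst=True)
# Constructed DNS reply from an outside resolver.
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "200.38.80.1", 33000)

if __name__ == "__main__":
    for name, pkt in [("logged", LOGGED), ("syn_from_113", SYN_FROM_113),
                      ("spoofed", SPOOFED), ("dns_reply", DNS_REPLY)]:
        print(f"{name:13} posted: {evaluate(AS_POSTED, pkt)[0]:7} "
              f"recommended: {evaluate(AS_RECOMMENDED, pkt)[0]}")
```

Running it shows the point of the reply: the logged packet (source port 113, destination port 20615, ACK set) slips past `deny tcp any any eq 113` and is permitted by the `established` entry, while `deny tcp any eq 113 any` catches it on the source port. The same table shows why the anti-spoofing entries go first: with ACK set, a packet claiming an RFC 1918 source would otherwise be permitted by `established` too.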
-------------------------------------------------------------
[snip]

My question in turn is the following:
I have configured my Cisco router to deny/permit (with an access-list)
some ports and protocols.  Since (thanks to all of you) I could set up
a logging machine other than the router, I am watching what is coming in
and out of my network through the logs that I get directly from the
router and from tcpdump.  My problem is that some of the ports that I
have blocked are still letting in some connections (TCP, UDP), for
example 113.  Also, now these guys are sending TCP and UDP packets to
ports higher than 1024.
How can I stop this, and how can such actions affect my site?
Here is a little part of my logs:

Jun  1 13:10:26 kraken2 157796: *Apr 24 19:41:14: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 209.182.195.70(113) -> 200.38.80.1(20615), 1 packet

[snip]


Let me assure you that I have:

 access-list 101 deny tcp any any eq 113 log

included in my access-list.

                        Thanks in advance !!!!!
Gerardo,
