On Thu, 20 Apr 2000, John Adams wrote:
> ip access-list extended s0-in
> deny ip 10.0.0.0 0.255.255.255 any log
> deny ip 0.0.0.0 0.255.255.255 any log
> deny ip host 255.255.255.255 any log
I'd expand this to mask at 0.255.255.255
> deny ip 127.0.0.0 0.255.255.255 any log
> deny ip 224.0.0.0 15.255.255.255 any log
I don't know the mask off the top of my head, but I'd definitely look at
the entire Class D and E spaces.
> deny ip 240.0.0.0 7.255.255.255 any log
> deny ip 192.0.2.0 0.0.0.255 any log
> deny ip 169.254.0.0 0.0.255.255 any log
You're missing 192.168/16 and 172.16/12
(See draft-manning-dsua-02.txt 17 April 2000 if you prefer
a semi-authoritative source)
>
> deny tcp any any eq 6666 log
> deny tcp any any range 6000 6100 log
> deny tcp any any eq 18000 log
> deny tcp any any eq 7007 log
> deny tcp any any eq 5050 log
> deny tcp any any eq 1521 log
> deny tcp any any eq 1522 log
> deny tcp any any eq 1526 log
> deny tcp any any eq 1031 log
> deny tcp any any eq 2049 log
> deny tcp any any eq 4045 log
> deny tcp any any eq 1030 log
> deny tcp any any eq 1032 log
>
> deny udp any any eq tftp log
> deny udp any any eq sunrpc log
> deny udp any any eq 2049 log
> deny udp any any eq tftp
> deny udp any any eq 4045 log
> deny udp any any eq syslog
> permit udp any any
Just so you're aware, this is a Mack Truck-sized hole.
>
> permit tcp any any lt 1024 established
> permit tcp any any gt 1023
Given the number of trojans available, I'd be hesitant to open up a hole
this large too.
>
> permit tcp any yourwebserverip 0.0.0.0 eq http
>
> ! note that this ruleset blocks icmp, so you can't ping out or in.
>
> ! the next rule is implied.
> deny ip any any
>
I think I may have lost my default list at the last job change, but I'll
grep around and see if I can find a copy too.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
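The points raised above (the 192.168/16 and 172.16/12 gap, the Class E wildcard, and the `permit udp any any` / `permit tcp any any gt 1023` holes) are easy to verify mechanically. The following is an added example, not code from the thread or from any Cisco tool: a small Python evaluator for the subset of extended-ACL syntax used in the quoted list. It converts Cisco wildcard masks to prefixes, reports which reserved source ranges are not fully denied, and walks a test packet through the list with first-match semantics and the implicit trailing deny. `yourwebserverip` is replaced by the constructed placeholder 203.0.113.10, and the reserved-range list and the test packet addresses are assumptions of the example, not part of the original message.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"tftp": 69, "sunrpc": 111, "syslog": 514, "http": 80}

# The ACL as quoted in the post; "yourwebserverip" replaced by the constructed 203.0.113.10.
ACL_TEXT = """
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny tcp any any eq 6666 log
deny tcp any any range 6000 6100 log
deny tcp any any eq 18000 log
deny tcp any any eq 7007 log
deny tcp any any eq 5050 log
deny tcp any any eq 1521 log
deny tcp any any eq 1522 log
deny tcp any any eq 1526 log
deny tcp any any eq 1031 log
deny tcp any any eq 2049 log
deny tcp any any eq 4045 log
deny tcp any any eq 1030 log
deny tcp any any eq 1032 log
deny udp any any eq tftp log
deny udp any any eq sunrpc log
deny udp any any eq 2049 log
deny udp any any eq 4045 log
deny udp any any eq syslog
permit udp any any
permit tcp any any lt 1024 established
permit tcp any any gt 1023
permit tcp any 203.0.113.10 0.0.0.0 eq http
"""

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[tuple]   # (op, lo, hi) on the destination port, or None
    established: bool

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard (inverse mask) -> network. Contiguous masks only."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, prefix), strict=False)

def _addr(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def _port(p):
    return PORT_NAMES.get(p) or int(p)

def parse_rule(line: str) -> Rule:
    tok = line.split()
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    ports = None
    if i < len(tok) and tok[i] in ("eq", "lt", "gt", "range"):
        op = tok[i]
        hi = _port(tok[i + 2]) if op == "range" else _port(tok[i + 1])
        ports = (op, _port(tok[i + 1]), hi)
        i += 3 if op == "range" else 2
    return Rule(tok[0], tok[1], src, dst, ports, "established" in tok[i:])

def parse_acl(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def _port_match(ports, dport):
    if ports is None:
        return True
    op, lo, hi = ports
    return {"eq": dport == lo, "lt": dport < lo, "gt": dport > lo,
            "range": lo <= dport <= hi}[op]

def evaluate(acl, proto, src, dst, dport=0, established=False) -> str:
    """First matching rule wins; 'established' rules need an existing flow."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in acl:
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if not _port_match(r.ports, dport) or (r.established and not established):
            continue
        return r.action
    return "deny"   # implicit deny at the end of every Cisco ACL

# Reserved/bogon source ranges to check (assumed list: RFC 1918, loopback, link-local,
# TEST-NET, Class D, the whole of Class E, limited broadcast, 0/8).
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]

def uncovered_sources(acl) -> list:
    """Reserved ranges not fully inside some 'deny ip <net> any' rule."""
    denies = [r.src for r in acl if r.action == "deny" and r.proto == "ip"
              and r.ports is None and r.dst.prefixlen == 0]
    return [str(n) for n in RESERVED if not any(n.subnet_of(d) for d in denies)]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("not fully denied:", uncovered_sources(acl))
    print("inbound tcp/31337 SYN:", evaluate(acl, "tcp", "198.51.100.7", "203.0.113.10", 31337))
    print("inbound udp/31337:", evaluate(acl, "udp", "198.51.100.7", "203.0.113.10", 31337))
```

Run it and the report shows 172.16.0.0/12 and 192.168.0.0/16 missing entirely, and 240.0.0.0/4 only half covered, because wildcard 7.255.255.255 is a /5 (240-247) whereas Class E is the /4 that wildcard 15.255.255.255 would give. The two packet checks show why the `permit udp any any` and `permit tcp any any gt 1023` lines are the holes described above: a fresh inbound connection to any high TCP port, or any UDP port not on the short deny list, gets through.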