Here's something I cooked up a while back that I always slap on
the Internet-facing interface of my routers.

[Note: fa0-0 is just an interface on one of my routers that happens
to be an Internet-connected interface.]

On the "LAN" router interfaces [i.e. where your machines and networks
reside], it's a good idea to slap on specific access-lists tailored to the
services being run on your network.

!
! inbound-fa0-0
! Inbound ACL on FA0/0
!

no ip access-list extended inbound-fa0-0
ip access-list extended inbound-fa0-0

! Block packets spoofing your address space

 deny ip <YOUR ADDRESS SPACE> <YOUR CISCO MASK> any

! Block packets with no source address

 deny ip host 0.0.0.0 any

! Block localhost network source addresses

 deny ip 127.0.0.0 0.255.255.255 any

! Block multicast (class D) source addresses

 deny ip 224.0.0.0 15.255.255.255 any

! Block class E (reserved for future use) source addresses

 deny ip 240.0.0.0 15.255.255.255 any

! Block RFC 1918 private networks addresses

! 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
 deny ip 10.0.0.0 0.255.255.255 any
! 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
 deny ip 172.16.0.0 0.15.255.255 any
! 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
 deny ip 192.168.0.0 0.0.255.255 any

! Block LINKLOCAL source addresses

 deny ip 169.254.0.0 0.0.255.255 any

! Permit everything else

 permit ip any any 

! Deny anything else

 deny ip any any

!
! outbound-fa0-0
! Outbound ACL on FA0/0
!

no ip access-list extended outbound-fa0-0
ip access-list extended outbound-fa0-0

! Block packets with no source address

 deny ip host 0.0.0.0 any log

! Block localhost network source addresses

 deny ip 127.0.0.0 0.255.255.255 any log

! Block multicast (class D) source addresses

 deny ip 224.0.0.0 15.255.255.255 any log

! Block class E (reserved for future use) source addresses

 deny ip 240.0.0.0 15.255.255.255 any log

! Block RFC 1918 private networks addresses

! 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
 deny ip 10.0.0.0 0.255.255.255 any log
! 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
 deny ip 172.16.0.0 0.15.255.255 any log
! 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
 deny ip 192.168.0.0 0.0.255.255 any log

! Block LINKLOCAL source addresses

 deny ip 169.254.0.0 0.0.255.255 any log

 permit ip any any

! Deny anything else

 deny ip any any
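What the `log` keyword on the outbound entries actually buys you: every denied packet produces a %SEC-6-IPACCESSLOG* syslog message, and a denied egress packet with an RFC 1918, loopback, link-local or other bogon source means a host inside the network emitted something that should never have reached the border. The parser and summary below are an added example (not part of Matt Hite's post); the syslog lines are constructed in the shape of IOS access-list log messages, not captured from a real router, and the list name `inbound-fa0-0` appears in one line only to show filtering by list name (the inbound ACL above does not log).

```python
"""Added example: parse IOS %SEC-6-IPACCESSLOG* messages and total denied
packets per source address and bogon class on the egress list."""
import ipaddress
import re
from collections import defaultdict

# Covers the three message variants: P (tcp/udp with ports), DP (icmp with
# type/code), NP (any other protocol number). Sample lines are constructed.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

# Source ranges the outbound list above denies, as prefixes.
BOGON_CLASSES = [
    ("unspecified", ipaddress.ip_network("0.0.0.0/32")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
    ("class-e", ipaddress.ip_network("240.0.0.0/4")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
]


def classify(src):
    """Name the bogon class a source address falls in, or 'other'."""
    addr = ipaddress.ip_address(src)
    for name, net in BOGON_CLASSES:
        if addr in net:
            return name
    return "other"


def parse_line(line):
    """Return the fields of one access-list log message, or None for other syslog."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarise(lines, acl="outbound-fa0-0"):
    """Denied packets per (source, class) for one list. Any rfc1918/link-local
    entry here is an internal host leaking, or a misrouted subnet, to chase down."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["acl"] == acl and rec["action"] == "denied":
            totals[(rec["src"], classify(rec["src"]))] += rec["count"]
    return dict(totals)


SAMPLE_LOG = [  # constructed sample lines, not real router output
    "Dec 18 17:31:45.101: %SEC-6-IPACCESSLOGP: list outbound-fa0-0 denied tcp 192.168.1.23(3412) -> 198.51.100.7(80), 1 packet",
    "Dec 18 17:31:46.220: %SEC-6-IPACCESSLOGP: list outbound-fa0-0 denied udp 192.168.1.23(1028) -> 198.51.100.53(53), 4 packets",
    "Dec 18 17:32:01.004: %SEC-6-IPACCESSLOGDP: list outbound-fa0-0 denied icmp 10.9.8.7 -> 198.51.100.7 (8/0), 2 packets",
    "Dec 18 17:32:05.777: %SEC-6-IPACCESSLOGNP: list outbound-fa0-0 denied 47 169.254.10.5 -> 198.51.100.9, 1 packet",
    "Dec 18 17:32:09.000: %SEC-6-IPACCESSLOGP: list inbound-fa0-0 denied tcp 10.1.1.1(4444) -> 203.0.113.5(22), 1 packet",
    "Dec 18 17:32:10.000: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for (src, cls), count in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{src:<16} {cls:<12} {count} denied packet(s)")
```

IOS aggregates repeated hits into one message with a packet count rather than logging every packet, so the totals here are what the router reported, not a precise packet count; the source/class pairs are the part worth acting on.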

!!!!!!!
!
! Or optionally replace this outbound ACL list with these two lines:
!
! permit ip <YOUR ADDRESS SPACE> <YOUR CISCO MASK> any
! deny ip any any
 
! Why?  This guarantees only packets from the explicit address space
! defined in your ACLs make their way out onto the Internet.
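To see why the inbound list, the outbound list and the two-line alternative behave differently, here is a small model of first-match Cisco ACL evaluation with wildcard masks, written as an added example (not Matt Hite's configuration and not IOS code). It parses any `permit|deny ip SRC DST` entries, so it goes beyond the lists above; 203.0.113.0/24 (TEST-NET-3) is a constructed stand-in for `<YOUR ADDRESS SPACE> <YOUR CISCO MASK>`, and all function names are the example's own. It shows that a packet from the Internet claiming one of your own addresses is dropped at entry 0, that the trailing `deny ip any any` after `permit ip any any` can never match, and that only the strict two-line egress list stops a non-bogon foreign source address from leaving your network.

```python
"""Added example: first-match ACL evaluation with Cisco wildcard masks,
run over the lists from the post. Not IOS code."""
import ipaddress

OUR_NET, OUR_WILDCARD = "203.0.113.0", "0.0.0.255"   # constructed placeholder

# Bodies of the lists above with the placeholder filled in. The `log` keyword
# does not affect matching, so it is omitted here.
INBOUND_TEXT = f"""
 deny ip {OUR_NET} {OUR_WILDCARD} any
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 permit ip any any
 deny ip any any
"""
# The outbound list is the same minus the anti-spoofing entry for our own space.
OUTBOUND_TEXT = INBOUND_TEXT.replace(f" deny ip {OUR_NET} {OUR_WILDCARD} any\n", "")
# The strict alternative: only packets sourced from our own space may leave.
EGRESS_STRICT_TEXT = f"""
 permit ip {OUR_NET} {OUR_WILDCARD} any
 deny ip any any
"""


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def wildcard_to_prefix(wildcard):
    """Prefix length of a contiguous wildcard, e.g. 0.15.255.255 -> 12."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w != (1 << w.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - w.bit_length()


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST [log]' lines; comments and other lines are skipped."""
    acl = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        acl.append((tokens[0], src, dst))
    return acl


def evaluate(acl, src, dst):
    """First matching entry wins; returns (action, index). No match -> implicit deny."""
    for i, (action, (sn, sw), (dn, dw)) in enumerate(acl):
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, i
    return "deny", None


def shadowed(acl):
    """Indices of entries that can never match because an earlier entry
    already matches every packet (e.g. 'deny ip any any' after 'permit ip any any')."""
    for i, (_, (_, sw), (_, dw)) in enumerate(acl):
        if sw == "255.255.255.255" and dw == "255.255.255.255":
            return list(range(i + 1, len(acl)))
    return []


INBOUND = parse_acl(INBOUND_TEXT)
OUTBOUND = parse_acl(OUTBOUND_TEXT)
EGRESS_STRICT = parse_acl(EGRESS_STRICT_TEXT)

if __name__ == "__main__":
    print("shadowed inbound entries:", shadowed(INBOUND))
    print("spoofed own space, inbound:", evaluate(INBOUND, "203.0.113.5", "203.0.113.1"))
    print("foreign source, outbound:  ", evaluate(OUTBOUND, "198.51.100.9", "192.0.2.1"))
    print("foreign source, strict:    ", evaluate(EGRESS_STRICT, "198.51.100.9", "192.0.2.1"))
```

The model ignores protocol and ports because every entry in these lists is `ip`; a real IOS ACL also matches on those, but the ordering and wildcard behaviour shown here is the same.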

---

Matt Hite
Senior Systems Administrator
[EMAIL PROTECTED]

on 12/19/00 1:00 AM, Firewalls-Digest at
[EMAIL PROTECTED] wrote:

> 
> Date: Mon, 18 Dec 2000 17:31:45 +0100
> From: Bernd Eckenfels <[EMAIL PROTECTED]>
> Subject: Re: Recommended blocking for Internet-router
> 
> On Mon, Dec 18, 2000 at 09:30:25AM +0100, Robert Olsson wrote:
>> Are there some sort of guidelines on what should be blocked on an
>> Internet-router? RFC 1918 addresses and TCP/UDP-ports 137-139 are of
>> course well-known,
> 
> in addition to that spoofing filters. Prevent IP addresses which do not
> belong to you from leaking out your network. And prevent addresses which
> belong to your internal network from coming (as source address) from the
> outside.
> 
> In addition to that disallow broadcast and network .255 and .0 targets into
> your system.
> 
> You should not add additional rules to the border router, unless it is part
> of your Firewall Installation.
> 
> Greetings
> Bernd
> 
> - -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
> ------------------------------
> 
> Date: Mon, 18 Dec 2000 08:36:32 -0800
> From: "Network  Operations" <[EMAIL PROTECTED]>
> Subject: RE: How to keep port scannings away?
> 
> After a couple years of getting hammered by the same subnets over and over,
> and having all complaints systematically ignored, we finally put in border
> router ACLs filtering all traffic from the offending networks. Now the
> traffic never even shows up in the firewall logs.
> 
> Here are some of the networks we filter (not inclusive):
> 
> access-list 1 deny 216.0.0.0 0.252.255.255
> access-list 1 deny 10.0.0.0 0.255.255.255
> access-list 1 deny 172.16.0.0 0.15.255.255
> access-list 1 deny 192.168.0.0 0.0.255.255
> access-list 1 permit any
> 
> This is your standard Cisco IOS ACL that blocks all the RFC1918 (private)
> address spaces (plus 216.0.0.0 which I think is @home or some other
> perpetually offensive ISP).
> 
> We also filter all of 210.0.0.0, and 211.0.0.0, which are a bunch of APNIC
> registered networks (ASIA) because of a history of abuse. There are also
> several European (RIPE) networks we filter (one that comes to mind is Romania)
> for the same reasons.
> 
> cheers..
> 
> 7
> 
> - -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
> ------------------------------
> 
> Date: Mon, 18 Dec 2000 08:39:14 -0800
> From: "Network  Operations" <[EMAIL PROTECTED]>
> Subject: Re: Recommended blocking for Internet-router
> 
> Depending on which type of router you're using this is a good place to start:
> 
> http://www.cisco.com/warp/public/707/21.html
> 
>>>> Robert Olsson <[EMAIL PROTECTED]> 12/18/00 12:30AM >>>
> Are there some sort of guidelines on what should be blocked on an
> Internet-router? RFC 1918 addresses and TCP/UDP-ports 137-139 are of
> course well-known, but is there anything else that is recommended or
> perhaps even required? I had a faint memory of seeing something about
> this on ISOC's homepage but found nothing. Anyone with ideas?
> 
> //Robert
> 
> - -----------------------------------------------------------------
> Robert Olsson                                   Fiberdata Nord AB
> tel: 021-10 43 52                               Skivfilargrand 2
> GSM: 070-301 03 71                              731 20 Vasteras
> [EMAIL PROTECTED]                      www.fiberdata.se
> - -
