Nice link.
Some comments:
In ACL 102, the first 3 lines are redundant, and should be removed - they'll
be picked up by the other deny statements. I'd also move the next three
below the permit, for speed of processing (very minor performance win, but
you're the one that turned off logging console ;)

Apparently, denying unreachables doesn't stop the router sending TTL expired
packets - go figure. If you're really paranoid and want to stop firewalking
you need to use an outbound list on the external interface - your list 102
will work fine, as long as people remember about NAT when changing the IP
addresses.

I'd not allow inbound tcp for NNTP - it's only required if you host an NNTP
server, isn't it? Why not comment it out, like the X and NFS stuff?

I'd also strip udp port 137 before the logged deny - there's probably as
much of that as ident out there.

Other than that, that's a damn fine static-ACL config. Aren't selective ACK
and path-MTU enabled by default anyway? In any case, they only affect
traffic that is generated by the router itself, so they're of very minor
importance.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 03, 2001 5:31 AM
> To: JR Ponce de Leon
> Cc: [EMAIL PROTECTED]
> Subject: Re: Cisco Router as Bridge/Firewall.
>
>
>
> http://pasadena.net/cisco
>
>
> On Mon, 23 Apr 2001, JR Ponce de Leon wrote:
>
> > Can somebody point me to a good documentation on how to
> > setup a Cisco router as a Bridge/Firewall?
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
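The two ordering problems Ben raises above (deny lines that another deny already covers, and the value of keeping a noisy deny in front of the final logged deny) can be checked mechanically. The script below is an added example, not anything from the thread or from Cisco: it parses a deliberately simplified extended-ACL grammar (`access-list N action proto SRC DST [eq PORT] [log]`, contiguous wildcards only) and the ACL lines in it are constructed for illustration, not the list 102 under review.

```python
import ipaddress
from collections import namedtuple
# Constructed sample ACL, not the list reviewed in the thread.
SAMPLE_ACL = """
access-list 102 deny ip 10.1.0.0 0.0.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.2.0.0 0.0.255.255 any
access-list 102 permit tcp any host 192.0.2.10 eq 25
access-list 102 deny udp any any eq 137
access-list 102 deny ip any any log
"""
Rule = namedtuple("Rule", "action proto src dst port log text")

def _addr(t):  # consume one IOS address spec: any | host A | A WILDCARD
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    ones = bin(int(ipaddress.ip_address(t[1]))).count("1")  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{t[0]}/{32 - ones}", strict=False), t[2:]

def parse(acl_text):  # 'access-list N action proto SRC DST [eq PORT] [log]' lines
    rules = []
    for line in acl_text.strip().splitlines():
        t = line.split()
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(t[2], t[3], src, dst, port, "log" in rest, line))
    return rules

def covers(a, b):  # every packet matched by b is also matched by a
    return (a.proto in ("ip", b.proto) and a.port in (None, b.port)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))
def overlaps(a, b):  # some packet could match both a and b
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and (None in (a.port, b.port) or a.port == b.port)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst))

def verdict(rules, i):  # None, 'shadowed' (never matches) or 'redundant' (safe to drop)
    r = rules[i]
    if any(covers(e, r) for e in rules[:i]):
        return "shadowed"              # an earlier rule already takes everything r would
    for later in rules[i + 1:]:
        if later.action != r.action and overlaps(later, r):
            break                      # dropping r would flip the verdict for some packets
        if covers(later, r) and later.log == r.log:
            return "redundant"         # same verdict and same logging without r

def audit(rules):  # [(index, verdict)] for every rule that never matches or can be dropped
    return [(i, v) for i in range(len(rules)) if (v := verdict(rules, i))]
```

On the sample, the first 10.x deny is reported redundant (the 10/8 deny below it gives the same verdict) and the 10.2/16 deny is shadowed, while the `deny udp ... eq 137` line is kept because the only later rule covering it also logs.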