On Sat, 12 Jan 2002, Skeeve Stevens wrote:

> Can someone assist me with the lines to block specific ports in IOS
> 12.1(5)YB2

Someone's already answered that part...

> basically.. I want to be able to specify a port.. such as 139 and block
> its tcp and udp traffic coming in via my main fibre link.
>
> I am assuming it is an access list and they are specified as deny, and
> allow rest of the traffic..

The _best_ way to do this is to add explicit permit statements for the traffic you want to allow. There are two reasons for this:

A: Security is better with known-necessary rather than known-bad controls.

B: Performance, performance, performance.

Cisco access lists are "first match," and once you put anything in an access list, you automatically get an invisible default deny at the bottom of the access list. If the first thing to match is the bulk of your traffic, the router doesn't have to do much work at all to filter and you'll save *lots* of router CPU. If the bulk of your traffic is HTTP coming back to your firewall, allow ack'd stuff from port 80 first, then stuff to your Web and mail servers.

On some hardware (and it's changed a lot) outbound access lists are still faster than inbound ones, but for the most part you'll get at least fast switching even on inbound lists. I still tend to place the bulk of my extended access lists as outbound on the internal interface, leaving only inbound anti-spoofing rules as inbound on the external interface.

If you want to profile the traffic first, set up a syslog server and use the log statement to find out what's passed, or if you've got a lot of traffic, set up a week-long period where there's a permit for anything with a log as the last rule, then remove it once you've taken care of all the legitimate traffic.

The documentation for switching modes and Cisco routers isn't all in one place, but for the most part, unless you're already close to overwhelmed, following the "permit the bulk first" stuff will make things ok.

In extreme cases, it may be advantageous to go to netflow switching, even though the first packet of each flow is process switched. Very few products these days don't at least fast switch extended access lists (you lose the ability to silicon switch with access lists, but every other switching method is possible.)

HTH,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
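As an added illustration (not part of Paul's message), the ordering he describes written out in IOS extended access-list syntax: bulk return web traffic first, then the known-necessary services, then the explicit port 139 deny from the original question, and the temporary logging permit used for profiling. Interface names and the 192.0.2.0/24 addresses are placeholders.

```cisco
! Constructed example. 192.0.2.0/24 stands in for the inside network,
! .10 for the Web server and .20 for the mail server.
ip access-list extended FROM-INTERNET
 remark Bulk first: replies to outbound web sessions (ACK or RST already set)
 permit tcp any eq 80 192.0.2.0 0.0.0.255 established
 permit tcp any eq 443 192.0.2.0 0.0.0.255 established
 remark Known-necessary inbound services
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.20 eq 25
 remark Explicit drop for the port asked about, so it stays blocked
 remark even while the profiling rule below is in place
 deny tcp any any eq 139
 deny udp any any eq 139
 remark Profiling only: log everything else, then remove this line once
 remark all legitimate traffic has its own permit above. Without it,
 remark the invisible "deny ip any any" at the end drops the rest.
 permit ip any any log
!
ip access-list extended ANTI-SPOOF-IN
 remark Packets arriving from outside must not claim an inside source
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
interface Serial0/0
 description main fibre link (external)
 ip access-group ANTI-SPOOF-IN in
!
interface FastEthernet0/0
 description internal LAN
 ip access-group FROM-INTERNET out
```

With `permit ip any any log` removed, anything not matched by an earlier permit is silently dropped by the implicit deny, which is the known-necessary posture the message recommends.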
