Security, hacker detection & forensics FAQ

Access Lists

Can someone show me a good guide to writing an access list? by LloydSev
Posted: 10 May 05 (Edited 23 May 05)

1) Every ACL command starts with "access-list".

Command thus far:  "access-list"

2) Every ACL has a name (the list identifier). Every line entered with the same name belongs to the same list. We'll use "test".

Command thus far:  "access-list test"

3) Every ACL line must say whether to permit or deny. For this example, we'll use "deny".

Command thus far:  "access-list test deny"

4) Every ACL line must specify the protocol to filter on: ip, tcp, udp, etc. We'll use "ip" here, which matches any IP protocol.

Command thus far:  "access-list test deny ip"

5) Every ACL line must specify the addresses the filter applies to. Remember that the first address listed is ALWAYS the SOURCE address. Now let's also assume our network admin hates Google and is paranoid, so he wants to block every connection he thinks Google is trying to make to his network.

Command thus far:  "access-list test deny ip 64.233.167.147 255.255.255.255"

Note: The mask 255.255.255.255 says we are dealing with a single host. Unlike an IOS router, the PIX takes a normal subnet mask here, not a wildcard (inverse) mask, so 255.255.255.255 means "match every bit". You can also use the "host" keyword to shorten the line:

Command thus far:  "access-list test deny ip host 64.233.167.147"

Note: This method saves typing and makes the line easier to read, since it is obvious you are blocking that one host.

6) Every ACL line must also specify the DESTINATION, the hosts the source is trying to reach. We'll assume we have multiple networks inside: 193.100.1.0 and 193.100.4.0.

Command thus far:  "access-list test deny ip host 64.233.167.147 193.100.0.0 255.255.0.0"

Note: This blocks Google from connecting to both of those networks, and to every other 193.100.x.0 network as well, because the 255.255.0.0 mask covers the whole 193.100.0.0/16 block. To shorten that up, use the "any" keyword to block Google from connecting to ALL networks inside.

Completed ACL command:  "access-list test deny ip host 64.233.167.147 any"

Note: As you notice, this reduced the line dramatically, and it blocks that one host from connecting to ANY node or network reachable through the PIX. (Bear in mind that a large site such as Google answers from many addresses; a deny on a single host address only ever blocks that one address.)

7) Now suppose you want to filter by port number as well, say port 80 for web traffic. Our paranoid network admin, however, is certain that when Google reaches out to hack him it will only ever do so on TCP port 7485 (an arbitrary port chosen for the example), so that is what he filters on. Here is what it looks like:

Completed ACL command:  "access-list test deny tcp host 64.233.167.147 any eq 7485"

Note: As you notice, we added "eq" to the line. This keyword tells the PIX that the next token is a port to filter on, and because it follows the destination address it is the DESTINATION port. Port filters only make sense with tcp or udp, not with "ip".

8) And then of course, you must bind the access-list to an interface, or it does nothing.

Command:  "access-group test in interface outside"

Note: This command binds access-list "test" to all traffic entering the outside interface. The command is always the same, except for the access-list name and the interface name. On PIX 6.x an access-group is always applied inbound ("in") on an interface; PIX 7.0 and later also accept "out".

Note: Two things to remember once a list is bound. First, the PIX reads the list top-down and stops at the first line that matches, so put your more specific lines (like the port 7485 deny) above the broader ones. Second, every access-list ends with an implicit deny of everything, so any traffic not explicitly permitted by the list is dropped. A list made only of deny lines, like the one built here, blocks ALL traffic entering the outside interface, so you must add permit lines for the traffic you actually want to let through.

This specific example showed how to make an ACL which filters traffic coming from the "outside" into the PIX. The same can be applied to any interface, as long as you remember that the first address is the "source" and the second is the "destination". So for an ACL covering the "inside" interface, you specify the internal host or network first, before the public IP or network.

I hope this helps!
Lloyd Severence
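As an added example (this is not part of Lloyd's post and not Cisco code), here is a small Python model of how the PIX walks a finished list: it parses access-list lines in the syntax built up above, honours first-match ordering, treats the masks as real subnet masks, and falls through to the implicit deny when nothing matches. It assumes PIX 6.x semantics and only handles a destination "eq" port. The 64.233.167.147 host and the 193.100.0.0/16 networks come from the post; the two permit lines, the 193.100.1.10 and 193.100.1.53 servers, and the 198.51.100.7 test client are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration in the style of the FAQ above (assumption:
# PIX 6.x syntax, subnet mask rather than wildcard mask, top-down first match,
# and an implicit deny of everything at the end of every list). The host
# 64.233.167.147 and the 193.100.0.0/16 block come from the post; the permit
# lines and the server/client addresses below are made up for this example.
PIX_CONFIG = """
access-list test deny tcp host 64.233.167.147 any eq 7485
access-list test deny ip host 64.233.167.147 193.100.0.0 255.255.0.0
access-list test permit tcp any host 193.100.1.10 eq 80
access-list test permit udp any host 193.100.1.53 eq 53
access-group test in interface outside
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches everything), "tcp" or "udp"
    src: ipaddress.IPv4Network  # first address on the line is always the source
    dst: ipaddress.IPv4Network  # second address is always the destination
    dport: Optional[int]        # value after "eq" (destination port), or None


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'.
    PIX masks are real subnet masks, so 255.255.255.255 means one host."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_acl(config, name):
    """Return the entries of access-list `name`, in the order they were typed."""
    aces = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name]:
            continue
        action, proto, rest = tokens[2], tokens[3].lower(), tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def access_groups(config):
    """Map interface name -> access-list bound inbound on it."""
    bound = {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            bound[t[4]] = t[1]
    return bound


def evaluate(aces, proto, src_ip, dst_ip, dport=None) -> Tuple[str, Optional[int]]:
    """Run one packet through the list top-down. Returns (action, index of the
    matching entry); index None means nothing matched and the implicit deny fired."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None


ACES = parse_acl(PIX_CONFIG, "test")

if __name__ == "__main__":
    print("bound:", access_groups(PIX_CONFIG))
    for pkt in [("tcp", "64.233.167.147", "193.100.4.20", 7485),
                ("tcp", "64.233.167.147", "193.100.1.10", 80),
                ("tcp", "198.51.100.7", "193.100.1.10", 80),
                ("tcp", "198.51.100.7", "193.100.1.10", 22)]:
        print(pkt, "->", evaluate(ACES, *pkt))
```

The second packet is the instructive one: the port 7485 line does not match Google's web request, but the broader "deny ip ... 193.100.0.0 255.255.0.0" line sits above the permit and catches it. Swap those lines and the same request is permitted, which is why order matters. The last packet shows the implicit deny: nothing in the list mentions port 22, so it is dropped without any deny line being written.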
