rocketrob,
I use an ACL like the one below for setting up most SOHO routers. It keeps out most of the script-kiddie probes and allows the users to do most of those things they desire. I mostly let thru DNS (port 53) and
80). If you have a syslog server you can include the log command, but test it to see how much you start logging. I was logging ports 135 and 139 and was just getting too much crap for it to be useful (about 100 or so lines a MINUTE!!)
You can also use tools like Shields-Up at
to test your ACLs and see what is coming thru.
access-list 150 permit tcp any eq
log
access-list 150 deny tcp any eq 1029 any log
access-list 150 deny udp any eq 1029 any log
access-list 150 deny tcp any eq echo any log
access-list 150 deny tcp any eq discard any log
access-list 150 deny tcp any eq daytime any log
access-list 150 deny tcp any eq 17 any log
access-list 150 deny tcp any eq chargen any log
access-list 150 deny tcp any eq 42 any log
access-list 150 deny tcp any eq finger any log
access-list 150 deny tcp any eq 88 any log
access-list 150 deny tcp any eq 135 any
access-list 150 deny tcp any eq 139 any
access-list 150 deny tcp any eq 389 any
access-list 150 deny tcp any eq 443 any log
access-list 150 deny tcp any eq 445 any log
access-list 150 deny tcp any eq 464 any log
access-list 150 deny tcp any eq lpd any log
access-list 150 deny tcp any eq 593 any log
access-list 150 deny tcp any eq 636 any log
access-list 150 deny tcp any eq 1026 any log
access-list 150 deny tcp any eq 1034 any log
access-list 150 deny tcp any eq 1037 any log
access-list 150 deny tcp any eq 1058 any log
access-list 150 deny tcp any eq 1080 any log
access-list 150 deny tcp any eq 1434 any log
access-list 150 deny tcp any eq 3389 any log
access-list 150 permit ip any any
SF18C
CCNP, MCSE, A+, N+ & HPCC
"Tis better to die on your feet than live on your knees!"
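Added note from the editor, not part of SF18C's post: on Cisco IOS extended ACLs the `eq <port>` operator that follows the source address matches the SOURCE port, and only an `eq` placed after the destination address matches the destination port. The small Python evaluator below (my own code, not from the post or from Cisco) parses the well-formed lines of the posted ACL (the truncated first permit line is left out), applies first-match semantics with the implicit deny at the end, and checks sample flows against it. The sample flows and their port numbers are constructed for the demonstration. Running it shows which side of the connection each posted rule actually inspects, which is the first thing to verify before trusting a syslog that stays quiet.

```python
"""Evaluate Cisco IOS numbered extended ACL lines against sample flows.

Added example, not code from the original post. Only the syntax the post
uses is supported: 'any' or 'host X' addresses, an optional 'eq <port>'
after either address, and an optional trailing 'log'.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IOS service keywords that appear in the posted ACL, mapped to port numbers.
PORT_NAMES = {"echo": 7, "discard": 9, "daytime": 13, "chargen": 19,
              "finger": 79, "lpd": 515}

# The well-formed ACEs from the post (the cut-off first permit line is omitted).
POSTED_ACL = """
access-list 150 deny tcp any eq 1029 any log
access-list 150 deny udp any eq 1029 any log
access-list 150 deny tcp any eq echo any log
access-list 150 deny tcp any eq discard any log
access-list 150 deny tcp any eq daytime any log
access-list 150 deny tcp any eq 17 any log
access-list 150 deny tcp any eq chargen any log
access-list 150 deny tcp any eq 42 any log
access-list 150 deny tcp any eq finger any log
access-list 150 deny tcp any eq 88 any log
access-list 150 deny tcp any eq 135 any
access-list 150 deny tcp any eq 139 any
access-list 150 deny tcp any eq 389 any
access-list 150 deny tcp any eq 443 any log
access-list 150 deny tcp any eq 445 any log
access-list 150 deny tcp any eq 464 any log
access-list 150 deny tcp any eq lpd any log
access-list 150 deny tcp any eq 593 any log
access-list 150 deny tcp any eq 636 any log
access-list 150 deny tcp any eq 1026 any log
access-list 150 deny tcp any eq 1034 any log
access-list 150 deny tcp any eq 1037 any log
access-list 150 deny tcp any eq 1058 any log
access-list 150 deny tcp any eq 1080 any log
access-list 150 deny tcp any eq 1434 any log
access-list 150 deny tcp any eq 3389 any log
access-list 150 permit ip any any
"""


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src_port: Optional[int]  # 'eq N' written after the SOURCE address
    dst_port: Optional[int]  # 'eq N' written after the DESTINATION address
    log: bool
    text: str


ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)"
    r"\s+(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?"
    r"\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?"
    r"(?P<log>\s+log)?\s*$"
)


def parse_port(token: Optional[str]) -> Optional[int]:
    """Turn an 'eq' operand (number or IOS keyword) into a port number."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword: {token}")


def parse_acl(lines) -> list:
    aces = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse ACE: {line!r}")
        aces.append(Ace(m["action"], m["proto"], parse_port(m["sport"]),
                        parse_port(m["dport"]), m["log"] is not None, line))
    return aces


def evaluate(aces, proto: str, src_port: int, dst_port: int):
    """First matching ACE wins; no match means the implicit deny at the end.

    Returns (action, index of the matching ACE or None, whether it logs).
    """
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, i, ace.log
    return "deny", None, False


def ports_by_side(aces) -> dict:
    """Which ports the ACL inspects on the source side and on the destination side."""
    return {"src": {a.src_port for a in aces if a.src_port is not None},
            "dst": {a.dst_port for a in aces if a.dst_port is not None}}


ACL = parse_acl(POSTED_ACL.splitlines())

if __name__ == "__main__":
    # Constructed sample flows: (proto, source port, destination port).
    for flow in [("tcp", 51234, 135), ("tcp", 135, 51234),
                 ("tcp", 40000, 3389), ("udp", 1029, 40000)]:
        action, idx, log = evaluate(ACL, *flow)
        matched = ACL[idx].text if idx is not None else "<implicit deny>"
        print(f"{flow} -> {action:6} log={log} by: {matched}")
    print("ports inspected:", ports_by_side(ACL))
```

With the post's rule set every `eq` sits after the source `any`, so a connection from an ephemeral source port to destination port 135 falls through to `permit ip any any`, while a packet whose source port is 135 is what the deny line catches. Whether that is the intended behaviour depends on which interface and direction the ACL is applied to; the evaluator makes the question explicit.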