
Port 7 Echo port

Hello all,
What would be the command to close UDP port 7 which is the echo port?

Thanks in advance.
 
You can create an extended access-list:

access-list 101 deny icmp any any <what you want to deny exactly goes here>

After the second any, you can specify any of the following to deny them:

r1(config)#access-list 101 deny icmp any any ?
<0-255> ICMP message type
administratively-prohibited Administratively prohibited
alternate-address Alternate address
conversion-error Datagram conversion
dod-host-prohibited Host prohibited
dod-net-prohibited Net prohibited
dscp Match packets with given dscp value
echo Echo (ping)
echo-reply Echo reply
fragments Check non-initial fragments
general-parameter-problem Parameter problem
host-isolated Host isolated
host-precedence-unreachable Host unreachable for precedence
host-redirect Host redirect
host-tos-redirect Host redirect for TOS
host-tos-unreachable Host unreachable for TOS
host-unknown Host unknown
host-unreachable Host unreachable
information-reply Information replies
information-request Information requests
log Log matches against this entry
log-input Log matches against this entry, including input interface
mask-reply Mask replies
mask-request Mask requests
mobile-redirect Mobile host redirect
net-redirect Network redirect
net-tos-redirect Net redirect for TOS
net-tos-unreachable Network unreachable for TOS
net-unreachable Net unreachable
network-unknown Network unknown
no-room-for-option Parameter required but no room
option-missing Parameter required but not present
packet-too-big Fragmentation needed and DF set
parameter-problem All parameter problems
port-unreachable Port unreachable
precedence Match packets with given precedence value
precedence-unreachable Precedence cutoff
protocol-unreachable Protocol unreachable
reassembly-timeout Reassembly timeout
redirect All redirects
router-advertisement Router discovery advertisements
router-solicitation Router discovery solicitations
source-quench Source quenches
source-route-failed Source route failed
time-exceeded All time exceededs
time-range Specify a time-range
timestamp-reply Timestamp replies
timestamp-request Timestamp requests
tos Match packets with given TOS value
traceroute Traceroute
ttl-exceeded TTL exceeded
unreachable All unreachables
<cr>

Then you would have to have a permit statement afterwards to let everything else through...

access-list 101 permit ip any any

Then you have to apply it to the interface. From interface configuration mode:

r2(config-if)#ip access-group <access-list # here> in|out

For the example above it would be:

r2(config-if)#ip access-group 101 in

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Look in the config for

service tcp-small-servers
service udp-small-servers

and remove them with 'no ...'

Cheers *Rob
 
Krr's solution is the easiest.
Setting up access lists for these ancient services creates overhead. No one uses the UDP echo service anymore and it is a potential security problem (DoS).
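
Added example, not from any poster in this thread: a Python check over a saved running-config that reports whether the small-servers lines mentioned above are present and which access-list entries deny UDP destination port 7, as distinct from entries that deny ICMP echo. The sample config and the function names are constructed for illustration; it assumes numbered ACL entries whose addresses are `any`, `host A` or address plus wildcard, with only the `eq` port operator.

```python
import re
# Constructed sample running-config, not taken from any device in the thread.
SAMPLE_CONFIG = """\
service udp-small-servers
no service tcp-small-servers
access-list 101 deny icmp any any echo
access-list 101 permit ip any any
access-list 102 deny udp any any eq echo
access-list 102 deny udp any eq 7 any
access-list 102 permit ip any any
"""

def _skip_addr(t, i):
    """Index just past one address spec: any | host A | A WILDCARD."""
    return i + 1 if t[i:i + 1] == ["any"] else i + 2

def _is_echo_port(t, i):
    """True if the tokens at i read 'eq echo' or 'eq 7'."""
    return t[i:i + 2] in (["eq", "echo"], ["eq", "7"])

def audit(config):
    """Report small-server state and which ACLs deny UDP destination port 7."""
    result = {"udp-small-servers": "default", "tcp-small-servers": "default",
              "udp_echo_denies": [], "icmp_echo_denies": []}
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(no )?service (udp|tcp)-small-servers", line)
        if m:  # explicit line; "default" means the release default applies
            state = "disabled" if m.group(1) else "enabled"
            result[m.group(2) + "-small-servers"] = state
            continue
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "deny":
            continue
        acl, proto = t[1], t[3]
        if proto == "icmp" and "echo" in t[4:]:
            result["icmp_echo_denies"].append(acl)  # ping, not UDP port 7
        elif proto == "udp":
            i = _skip_addr(t, 4)          # past the source address
            if t[i:i + 1] == ["eq"]:      # source-port match, skip it
                i += 2
            i = _skip_addr(t, i)          # past the destination address
            if _is_echo_port(t, i):       # destination port 7
                result["udp_echo_denies"].append(acl)
    return result

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The check does not look at whether an access list is applied to an interface with `ip access-group`.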
 