On Nov 10, 1:24pm, Corneliu Tanasa wrote:
> Subject: Re: Subnetting and Cisco ACL's
> Rob Sansom wrote:
>
> > Here's the ACL I plan to use for this example:
> >
> > ! Deny spoofers
> > access-list 111 deny ip 123.456.789.0 0.0.0.255 any log
> > ! Permit ftp
> > access-list 111 permit tcp any host 123.456.789.35 eq ftp
> > ! Log the rest
> > access-list 111 deny ip any 123.456.789.0 0.0.0.255 log
> >
> > And how I plan to use it.
> >
> > int s0
> > ip access-group 111 in
> Yes, it seems to be correct.
Almost. It is no good permitting ftp unless you also permit the
ftp-data port. That requires an additional line in the access list:
! Permit ftp data port as well
access-list 111 permit tcp any host 123.456.789.35 eq ftp-data established
NOTE: Setting the established flag assumes that your ftp server will be
opening the data connection in response to a PORT command, rather than
operating in passive mode.
You may also need to permit other protocols, depending on your
configuration:
- DNS queries, so that the ftp server can log host names, rather than
the IP addresses
- icmp (echo request/reply, host/port unreachable)
> Anyway, I think it would also be a good idea
> to filter the (possible) spoofed packets that might leave your
> network. I mean that it will be good protection for the other
> providers...
>
> Add something like:
> ! Permit outgoing only for your packets
> access-list 112 permit ip 123.456.789.0 0.0.0.255 any
> ! Log and deny any spoofing attempt from your network
> access-list 112 deny ip any any log
>
> int s0
> ip access-group 111 in
> ip access-group 112 out
>
>
> Regards,
> Corneliu Tanasa
> Network Admin
> LOGIC TELECOM - ROMANIA
>
>-- End of excerpt from Corneliu Tanasa
Tim Frost
--
Tim Frost, Systems Engineer (Unix)          Email: Tim.Frost@nz.eds.com
EDS (NZ) Ltd, P.O. Box 3647, Wellington, New Zealand.
Voice: +64 4 495-0504                        Fax: +64 4 474-5130
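As an added illustration (not code from the thread or from either poster), the following Python model evaluates the two access lists discussed above with Cisco first-match semantics and wildcard masks, and runs the packets the thread talks about through them: inbound spoofing, ftp control, the ftp-data return traffic that only passes because of `established`, and an outbound packet with a foreign source address. It assumes the documentation prefix 192.0.2.0/24 in place of the thread's placeholder 123.456.789.0/24 and models `established` as "ACK bit set".

```python
import ipaddress

# Constructed example, not the thread's own config: a toy first-match evaluator
# for the two ACLs above. 123.456.789.0/24 is not a valid IPv4 prefix, so the
# documentation range 192.0.2.0/24 stands in for it (assumption).
NET, WC, SERVER = "192.0.2.0", "0.0.0.255", "192.0.2.35"
ANY = ("0.0.0.0", "255.255.255.255")          # 'any' = address 0.0.0.0, wildcard all ones

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Entry layout: (action, proto, src, src_wc, dst, dst_wc, dst_port, established, log)
ACL_111_IN = [
    ("deny",   "ip",  NET, WC, *ANY, None, False, True),          # deny spoofers
    ("permit", "tcp", *ANY, SERVER, "0.0.0.0", 21, False, False), # permit ftp
    ("permit", "tcp", *ANY, SERVER, "0.0.0.0", 20, True, False),  # ftp-data, established
    ("deny",   "ip",  *ANY, NET, WC, None, False, True),          # log the rest
]
ACL_112_OUT = [
    ("permit", "ip", NET, WC, *ANY, None, False, False),          # only our own source addresses
    ("deny",   "ip", *ANY, *ANY, None, False, True),              # log and deny spoofing attempts
]

def evaluate(acl, pkt):
    """Return (action, logged) for the first matching entry; implicit deny at the end."""
    for action, proto, src, swc, dst, dwc, dport, established, log in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, swc) and wildcard_match(pkt["dst"], dst, dwc)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if established and not pkt.get("ack", False):   # established = ACK (or RST) bit set
            continue
        return action, log
    return "deny", False                                  # implicit deny, not logged

def demo():
    """Constructed packets covering the cases raised in the thread."""
    client = "198.51.100.9"
    inbound = {
        "spoofed_inside_src": {"proto": "tcp", "src": "192.0.2.7", "dst": SERVER, "dport": 21},
        "ftp_control":        {"proto": "tcp", "src": client, "dst": SERVER, "dport": 21},
        "ftp_data_reply":     {"proto": "tcp", "src": client, "dst": SERVER, "dport": 20, "ack": True},
        "ftp_data_new_conn":  {"proto": "tcp", "src": client, "dst": SERVER, "dport": 20},
        "ssh_to_server":      {"proto": "tcp", "src": client, "dst": SERVER, "dport": 22},
    }
    outbound = {
        "own_address":      {"proto": "tcp", "src": SERVER, "dst": client, "dport": 1025},
        "spoofed_outbound": {"proto": "udp", "src": "10.0.0.1", "dst": client, "dport": 53},
    }
    results = {k: evaluate(ACL_111_IN, p) for k, p in inbound.items()}
    results.update({k: evaluate(ACL_112_OUT, p) for k, p in outbound.items()})
    return results
```

Without the `ftp-data ... established` entry the `ftp_data_reply` packet falls through to the final "log the rest" entry, which is the failure Tim Frost points out; a fresh connection to port 20 without ACK is still denied and logged.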