> I don't have a postscript printer. Anyone have a text file of this ?
> At 09:25 AM 2/26/98 -0500, you wrote:
> >You wrote:
> >>I'm looking for examples and suggestions for building a fairly tight
> >firewall access-list
> >>on a Cisco router running 10 or 11 code.
> >Don't. See Brent Chapman's article
> >(http://rootshell.connectnet.com/docs/packet_filt_chapman.ps.gz) for why.
> >Very recent IOS is not as bad, but is still highly suspect.
Well, I just read Mr. Chapman's article (very good overview of the problems
inherent with packet filters), but don't see anything that says a Cisco
packet filter is any worse than any other packet filtering firewall.
I would recommend reading it.
As for the recommendations, do it like all firewall security.
Then allow only those necessary services. You will probably need to
allow most things out, only allow established back in plus only those
things that are absolutely necessary. Realize that not much is absolutely
necessary. You may have to allow some DNS stuff through for zone transfers.
There shouldn't be much else that needs to originate on the internet.
(NTP maybe, if you are running it.)
A DMZ is a good idea, run a mail server there (or a proxy mail server.)
Pick up a good Firewall book, I like "Building Internet Firewalls" by
Chapman and Zwicky and "Firewalls and Internet Security" by Cheswick and
Finally, don't just count on your firewall, you still need to secure your