From: Howard Berkowitz <hcb@clark.net>
Subject: Re: CISCO configuration, part II
>
> Thanks to everybody who explained to me how to configure access rules, but....
>
> I apply following rules:
>
> access-list 111 deny ip x.y.z.0 0.0.0.255 x.y.z.0 0.0.0.255
> access-list 111 deny ip 127.0.0.0 0.255.255.255 x.y.z.0 0.0.0.255
> access-list 111 permit tcp 0.0.0.0 255.255.255.255 x.y.z.0 0.0.0.255
^^^
This probably needs to be permit ip. Permit tcp allows the TCP traffic,
but blocks ICMP, UDP, and other traffic not encapsulated in TCP.
Also, the destination, in this case, should be 0.0.0.0 255.255.255.255,
otherwise you block multicast traffic, which would hose you if you're
using OSPF to talk to the router (you could permit 224.0.0.0 0.0.0.255 to
just allow the local multicast groups).
However in any case, one is allowing in all of the OTHER attacks
while blocking the spoofing attack. This covers about 1/1000th of the
possible attacks on people.
My suggestion is:
put your address-spoof-denies first
continue with a REAL firewall ACL configuration
(e.g. only allow implicitly controlled stuff)
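To make the first-match and wildcard-mask behaviour discussed in the reply concrete, here is an added Python evaluator (example code, not from the thread or from Cisco). It assumes the poster's x.y.z.0 stands for the documentation prefix 192.0.2.0 and runs both the list as posted and the revised `permit ip` version over a few constructed packets.

```python
import ipaddress

# Added example, not from the thread. The poster's x.y.z.0 is stood in for by
# the documentation prefix 192.0.2.0 (an assumption; the post never names it).
LOCAL = "192.0.2.0"
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def evaluate(acl, proto, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, aproto, sbase, swild, dbase, dwild in acl:
        if aproto != "ip" and aproto != proto:
            continue  # 'permit tcp' never matches udp, icmp or ospf packets
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

# The poster's list as written (third line is 'permit tcp ... x.y.z.0 0.0.0.255').
ORIGINAL = [
    ("deny", "ip", LOCAL, "0.0.0.255", LOCAL, "0.0.0.255"),
    ("deny", "ip", "127.0.0.0", "0.255.255.255", LOCAL, "0.0.0.255"),
    ("permit", "tcp", *ANY, LOCAL, "0.0.0.255"),
]
# Same anti-spoof denies first, then the reply's suggested 'permit ip any any'.
REVISED = ORIGINAL[:2] + [("permit", "ip", *ANY, *ANY)]

# Constructed sample packets: (protocol, source, destination).
PACKETS = {
    "spoofed-local-src": ("tcp", "192.0.2.7", "192.0.2.1"),
    "spoofed-loopback":  ("udp", "127.0.0.1", "192.0.2.1"),
    "inbound-http":      ("tcp", "198.51.100.9", "192.0.2.1"),
    "inbound-dns-reply": ("udp", "198.51.100.9", "192.0.2.1"),
    "inbound-ping":      ("icmp", "198.51.100.9", "192.0.2.1"),
    "ospf-hello":        ("ospf", "203.0.113.2", "224.0.0.5"),
}

def compare(acl_a, acl_b, packets=PACKETS):
    """Return {name: (verdict under acl_a, verdict under acl_b)}."""
    return {n: (evaluate(acl_a, *p), evaluate(acl_b, *p)) for n, p in packets.items()}

if __name__ == "__main__":
    for name, (before, after) in compare(ORIGINAL, REVISED).items():
        print(f"{name:20s} original={before:6s} revised={after}")
```

The run shows the spoofed packets denied under both lists, while UDP, ICMP and the OSPF hello to 224.0.0.5 fall through to the implicit deny only under the `permit tcp` version.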