OUTSIDE ACL

From: kpalmer (kip.palmer@xxxxxxxxxxx)
Date: Sun Jul 14 2002 - 07:55:10 GMT-3


My conclusion on my web going down last night
is that the comprehensive ACL that I applied
to the outside interface was so comprehensive
it exhausted my 2500 router's limits.

From the inside going out, it was unbearable.
You probably experienced the same from your
side before the collapse.

I'm not scared to share it for a collaboration of
thoughts. (seeing my IP has changed :)

I mean, heck, try and hack it? It's educational
for me. Just let me know if you are successful.

(X.X.X.X is a customer)

access-list 105 deny ip host 0.0.0.0 any log
access-list 105 deny ip any host 0.0.0.0 log
access-list 105 deny ip 10.0.0.0 0.255.255.255 any log
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 169.254.0.0 0.0.255.255 any log
access-list 105 deny ip 172.16.0.0 0.15.255.255 any log
access-list 105 deny ip 192.168.0.0 0.0.255.255 any log
access-list 105 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 105 deny ip any 255.0.0.0 0.255.255.255 log
access-list 105 permit tcp any 55.5.0.0 0.0.63.255 established
access-list 105 permit udp host 131.119.245.4 any log
access-list 105 permit udp 4.2.2.0 0.0.0.255 eq 53 55.5.0.0 0.0.63.255 gt 1023 log
access-list 105 permit udp host X.X.X.X 55.5.0.0 0.0.63.255 eq snmp log
access-list 105 permit udp host X.X.X.X 55.5.0.0 0.0.63.255 eq snmp log
access-list 105 permit udp host 205.188.185.33 55.5.0.0 0.0.63.255 eq 123 log
access-list 105 permit udp host 63.149.208.50 55.5.0.0 0.0.255.255 eq 123 log
access-list 105 permit icmp host 55.5.0.1 host 55.5.22.22 echo
access-list 105 permit icmp host 55.5.0.1 host 55.5.22.22 echo-reply
access-list 105 permit icmp host 131.119.245.4 host 55.5.22.22 echo log
access-list 105 permit icmp host 131.119.245.4 host 55.5.22.22 echo-reply log
access-list 105 deny udp any any log
access-list 105 permit tcp any host 55.5.22.22 eq 80 log
access-list 105 permit tcp any host 55.5.22.22 eq 21 log
access-list 105 permit tcp any host 55.5.22.22 gt 1023 log
access-list 105 deny ip any any log

======================
I let through:

Web 80
FTP 21, >1023
Time server
Dhcp server
SNMP remote informs
DNS

>CCO Tech Notes on DHCP Protocols:

Trivial File Transfer Protocol (TFTP) (port 69)
DNS (port 53), time service (port 37)
NetBIOS name server (port 137)
NetBIOS datagram server (port 138)
Boot Protocol (DHCP/BootP) client and server datagrams (ports 67 and 68)

Terminal Access Control Access Control System (TACACS) service (port 49)

IEN-116 name service (port 42)
=======================

KPalmer
Janitor
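An added example, not from the post or from Cisco: a small Python evaluator for the extended access-list syntax used above, run over a constructed subset of list 105 (wrapped archive lines joined). It shows which line each packet stops at under first-match evaluation, why the `established` line lets return traffic through without a log entry while every other hit is logged, and why a UDP packet with no specific permit stops at `deny udp any any` before reaching the final deny.

```python
import ipaddress

# Constructed subset of the post's access-list 105 (archive line wraps joined).
ACL_TEXT = """
access-list 105 permit tcp any 55.5.0.0 0.0.63.255 established
access-list 105 permit udp host 131.119.245.4 any log
access-list 105 permit udp 4.2.2.0 0.0.0.255 eq 53 55.5.0.0 0.0.63.255 gt 1023 log
access-list 105 deny udp any any log
access-list 105 permit tcp any host 55.5.22.22 eq 80 log
access-list 105 deny ip any any log
"""

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (ip predicate, rest)."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    net = int(ipaddress.IPv4Address(tok[1] if tok[0] == "host" else tok[0]))
    # wildcard bits set to 1 are "don't care"; 'host' is a 0.0.0.0 wildcard
    mask = 0xFFFFFFFF if tok[0] == "host" else 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))
    return (lambda ip: (ip & mask) == (net & mask)), tok[2:]

def _port(tok):
    """Consume an optional 'eq|gt|lt N'; return (port predicate, rest)."""
    ops = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}
    if tok and tok[0] in ops:
        n, op = int(tok[1]), ops[tok[0]]
        return (lambda p: op(p, n)), tok[2:]
    return (lambda p: True), tok

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[2:]                          # drop "access-list 105"
        action, proto, t = t[0], t[1], t[2:]
        src, t = _addr(t); sport, t = _port(t)
        dst, t = _addr(t); dport, t = _port(t)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                          established="established" in t, log="log" in t, text=line))
    return rules

def evaluate(rules, proto, src, sport, dst, dport, ack=False):
    """First match wins, as on IOS; returns (action, logged, matching line).
    No match falls through to the implicit deny at the end of every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        if (r["proto"] in ("ip", proto) and r["src"](s) and r["dst"](d)
                and r["sport"](sport) and r["dport"](dport)
                and (ack or not r["established"])):   # 'established' needs ACK/RST set
            return r["action"], r["log"], r["text"]
    return "deny", False, "implicit deny"
```

Every packet that is not return traffic of an outbound connection hits a line with `log` on it, which is the cost the post attributes to the 2500's collapse.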



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:29 GMT-3