Re: OUTSIDE ACL

From: Rob Hopkins (rshopkins@xxxxxxxxxxxxx)
Date: Mon Jul 15 2002 - 13:34:34 GMT-3

The ACL probably didn't kill it; logging every packet may have...
Try scaling back the logging. Granted, your ACL may keep someone out, but a
port scan might
turn out to be a DoS. Go with an IDS on the inside, and outside if you
can.

----- Original Message -----
From: "kpalmer" <kip.palmer@verizon.net>
To: <ccielab@groupstudy.com>
Sent: Sunday, July 14, 2002 6:55 AM
Subject: OUTSIDE ACL

> My conclusion on my web going down last night
> is that the comprehensive ACL that I applied
> to the outside interface was so comprehensive
> it exhausted my 2500 router's limits.
>
> From the inside going out, it was unbearable.
> You probably experienced the same from your
> side before the collapse.
>
> I'm not scared to share it for a collaboration of
> thoughts. (seeing my IP has changed :)
>
> I mean, heck, try and hack it? It's educational
> for me. Just let me know if you are successful.
>
> (X.X.X.X is a customer)
>
> access-list 105 deny ip host 0.0.0.0 any log
> access-list 105 deny ip any host 0.0.0.0 log
> access-list 105 deny ip 10.0.0.0 0.255.255.255 any log
> access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
> access-list 105 deny ip 169.254.0.0 0.0.255.255 any log
> access-list 105 deny ip 172.16.0.0 0.15.255.255 any log
> access-list 105 deny ip 192.168.0.0 0.0.255.255 any log
> access-list 105 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
> access-list 105 deny ip any 255.0.0.0 0.255.255.255 log
> access-list 105 permit tcp any 55.5.0.0 0.0.63.255 established
> access-list 105 permit udp host 131.119.245.4 any log
> access-list 105 permit udp 4.2.2.0 0.0.0.255 eq 53 55.5.0.0 0.0.63.255 gt 1023 log
> access-list 105 permit udp host X.X.X.X 55.5.0.0 0.0.63.255 eq snmp log
> access-list 105 permit udp host X.X.X.X 55.5.0.0 0.0.63.255 eq snmp log
> access-list 105 permit udp host 205.188.185.33 55.5.0.0 0.0.63.255 eq 123 log
> access-list 105 permit udp host 63.149.208.50 55.5.0.0 0.0.255.255 eq 123 log
> access-list 105 permit icmp host 55.5.0.1 host 55.5.22.22 echo
> access-list 105 permit icmp host 55.5.0.1 host 55.5.22.22 echo-reply
> access-list 105 permit icmp host 131.119.245.4 host 55.5.22.22 echo log
> access-list 105 permit icmp host 131.119.245.4 host 55.5.22.22 echo-reply log
> access-list 105 deny udp any any log
> access-list 105 permit tcp any host 55.5.22.22 eq 80 log
> access-list 105 permit tcp any host 55.5.22.22 eq 21 log
> access-list 105 permit tcp any host 55.5.22.22 gt 1023 log
> access-list 105 deny ip any any log
>
>
>
> ======================
> I let through:
>
> Web 80
> FTP 21, >1023
> Time server
> Dhcp server
> SNMP remote informs
> DNS
>
> >CCO Tech Notes on DHCP Protocols:
>
> Trivial File Transfer Protocol (TFTP) (port 69)
> DNS (port 53), time service (port 37)
> NetBIOS name server (port 137)
> NetBIOS datagram server (port 138)
> Boot Protocol (DHCP/BootP) client and server datagrams (ports 67 and 68)
>
> Terminal Access Control Access Control System (TACACS) service (port 49)
>
> IEN-116 name service (port 42)
> =======================
>
>
> KPalmer
> Janitor
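Added example (editor's code, not part of the thread or of anything either poster ran): a small Python audit of the ACL as posted above, wrapped lines re-joined and X.X.X.X left exactly as the poster wrote it. It parses each entry, counts how many of them carry the `log` keyword and how many of those are permits, and emits a trimmed copy that keeps `log` only on deny entries, which is the "scale back the logging" suggestion made concrete. The parser only understands numbered extended ACL lines of the shape `access-list <id> permit|deny <proto> <clause> [log|log-input]`; anything else raises.

```python
"""Audit a Cisco IOS extended ACL for per-entry logging.

Added example; not code from the thread. It parses the ACL exactly as
posted (wrapped lines re-joined, X.X.X.X left as the poster wrote it),
counts how many entries log every matching packet, and emits a trimmed
copy that keeps `log` only on deny entries.
"""
import re
from dataclasses import dataclass

# The ACL from the original post, one ACE per line.
ACL_TEXT = """\
access-list 105 deny ip host 0.0.0.0 any log
access-list 105 deny ip any host 0.0.0.0 log
access-list 105 deny ip 10.0.0.0 0.255.255.255 any log
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 169.254.0.0 0.0.255.255 any log
access-list 105 deny ip 172.16.0.0 0.15.255.255 any log
access-list 105 deny ip 192.168.0.0 0.0.255.255 any log
access-list 105 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 105 deny ip any 255.0.0.0 0.255.255.255 log
access-list 105 permit tcp any 55.5.0.0 0.0.63.255 established
access-list 105 permit udp host 131.119.245.4 any log
access-list 105 permit udp 4.2.2.0 0.0.0.255 eq 53 55.5.0.0 0.0.63.255 gt 1023 log
access-list 105 permit udp host X.X.X.X 55.5.0.0 0.0.63.255 eq snmp log
access-list 105 permit udp host X.X.X.X 55.5.0.0 0.0.63.255 eq snmp log
access-list 105 permit udp host 205.188.185.33 55.5.0.0 0.0.63.255 eq 123 log
access-list 105 permit udp host 63.149.208.50 55.5.0.0 0.0.255.255 eq 123 log
access-list 105 permit icmp host 55.5.0.1 host 55.5.22.22 echo
access-list 105 permit icmp host 55.5.0.1 host 55.5.22.22 echo-reply
access-list 105 permit icmp host 131.119.245.4 host 55.5.22.22 echo log
access-list 105 permit icmp host 131.119.245.4 host 55.5.22.22 echo-reply log
access-list 105 deny udp any any log
access-list 105 permit tcp any host 55.5.22.22 eq 80 log
access-list 105 permit tcp any host 55.5.22.22 eq 21 log
access-list 105 permit tcp any host 55.5.22.22 gt 1023 log
access-list 105 deny ip any any log
"""

# access-list <id> <permit|deny> <proto> <match clause> [log|log-input]
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(\s+log(?:-input)?)?$"
)


@dataclass
class Ace:
    list_id: str
    action: str   # "permit" or "deny"
    proto: str    # ip, tcp, udp, icmp, ...
    clause: str   # source/destination/port text, kept verbatim
    log: bool     # True when the entry ends in log or log-input

    def render(self, log=None):
        """Re-emit the entry, optionally overriding the log flag."""
        want_log = self.log if log is None else log
        line = f"access-list {self.list_id} {self.action} {self.proto} {self.clause}"
        return (line + " log") if want_log else line


def parse_acl(text):
    """Parse numbered extended ACL lines; raise on anything it cannot read."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed ACL line: {line!r}")
        list_id, action, proto, clause, log = m.groups()
        aces.append(Ace(list_id, action, proto, clause.strip(), log is not None))
    return aces


def logging_summary(aces):
    """Count logging entries, split by action. Logged permits are the costly
    ones: they make the router log a message for normal, wanted traffic."""
    return {
        "total": len(aces),
        "logged": sum(1 for a in aces if a.log),
        "logged_permits": sum(1 for a in aces if a.log and a.action == "permit"),
        "logged_denies": sum(1 for a in aces if a.log and a.action == "deny"),
    }


def trim_logging(aces):
    """Return ACL lines with `log` kept only on deny entries, the minimum
    that still records what the filter blocked."""
    return [a.render(log=(a.log and a.action == "deny")) for a in aces]


if __name__ == "__main__":
    parsed = parse_acl(ACL_TEXT)
    print(logging_summary(parsed))
    print("\n".join(trim_logging(parsed)))
```

On the posted list this reports 25 entries, 22 of them logging, 11 of those on permits: every accepted DNS reply, NTP packet, SNMP inform and HTTP/FTP connection request was generating a log message. The trimmed copy drops logging from the permits and leaves it on the eleven denies. Note the caveat from the reply above still applies: the final `deny ip any any log` logs one message per blocked packet, so a port scan against the trimmed list is still a way to load the router; check whether the platform's IOS supports rate-limiting of logging before relying on `log` on a catch-all deny.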



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:30 GMT-3