Re: [nsp] Cisco Recommended Filters

From: Jim Warner (warner@cats.ucsc.edu)
Date: Sat Jan 03 1998 - 13:00:56 EST


tom@iconnections.net asked for examples of ingress filters. Below I've
pasted the 'show access-list' display from the University's filter, adding
line numbers on the left. Comments welcome.

Two points often get missed in this discussion:

  1. "no ip directed-broadcast" must be set on all interfaces on
      all routers to be effective. Doing this only on the edge
      or ingress router doesn't work. If you can't do this everywhere,
      use filtering instead.
  2. On ciscos, it is necessary to block both the zero-filled and
      ones-filled form of the directed broadcast address (lines 4
      AND 5 below).

Extended IP access list 101
 1 permit tcp any any established (761043 matches)
 2 permit udp any any eq domain (617933 matches)
 3 permit ip host 128.114.xxx.yyy any (10569 matches)
 4 deny ip any 128.114.0.255 0.0.255.0 log (6 matches)
 5 deny ip any 128.114.0.0 0.0.255.0 log (29372 matches)
 6 permit icmp any any (127580 matches)
 7 deny ip 128.114.0.0 0.0.255.255 any (3 matches)
 8 deny ip 169.233.0.0 0.0.255.255 any
 9 deny ip 10.0.0.0 0.255.255.255 any (25 matches)
10 deny ip 127.0.0.0 0.255.255.255 any (33 matches)
11 deny ip 172.16.0.0 0.0.255.255 any
12 deny ip 192.168.0.0 0.0.255.255 any (37 matches)
13 deny tcp any 169.233.0.0 0.0.255.255 eq smtp (192 matches)
14 deny ip any host 128.114.xxx.xxx
15 deny ip any host 128.114.xxx.yyy
16 deny ip any host 128.114.xxx.www
17 deny ip any host 128.114.www.zzz
18 deny udp any any eq sunrpc (56 matches)
19 deny udp any any eq 2049 (136 matches)
20 deny tcp any any eq sunrpc (10 matches)
21 deny tcp any any eq 2049 (8 matches)
22 deny udp any any eq snmp (757 matches)
23 permit ip any any (848648 matches)

line 1 -- efficiency trick. An "established" connection must have
          passed all tests when it was initiated.
line 2 -- short path for domain name service.
line 3 -- Exception to policy for a monitoring computer outside the
          barrier. xxx.yyy is not a wild card. It's a specific
          address whose value you don't need to know.
lines 4,5 -- Since I know the netmask on my subnets, these lines
          block smurf bouncing. Among other things, protects the
          campus against land.c attacks.
lines 7,8 -- Addresses 128.114.0.0/16 and 169.233.0.0/16 are inside
          the barrier. This blocks spoofers from outside masquerading
          as local hosts.
lines 10,11,12 -- Private address space may not appear as source addresses.
line 13 -- Guys on this net MUST use the official campus mail server.
lines 14-17 -- Four specific computers not permitted to talk to the
          outside world.
lines 18-21 -- Campus NFS servers are off-limits to the outside world.
line 22 -- The network management port is blocked.
line 23 -- Permit the rest ...

Not shown here, we have "no ip directed-broadcast" set on all
interfaces connecting to the 169.233.x.x net. We use ingress
filtering instead on our other net because directed broadcasts
are used internally.
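As an added example (not from the post or from the University's configuration), the Python below evaluates a constructed subset of the access list above using Cisco wildcard-mask semantics. It shows why lines 4 and 5 are both needed: the ones-filled and zero-filled broadcast forms of a /24 under 128.114/16 are caught by different rules, while a spoofed campus source is caught by line 7. The outside source address 192.0.2.1 and the subnet 128.114.17.0/24 are constructed test values.

```python
import ipaddress

# Constructed subset of the campus ACL (lines 4, 5, 7, 9, 23 of the post).
# In a Cisco wildcard mask a 0 bit means "must match", a 1 bit means "don't care".
ACL = """
4 deny ip any 128.114.0.255 0.0.255.0
5 deny ip any 128.114.0.0 0.0.255.0
7 deny ip 128.114.0.0 0.0.255.255 any
9 deny ip 10.0.0.0 0.255.255.255 any
23 permit ip any any
"""

def wildcard_match(addr, spec, wild):
    """True if addr matches spec under the Cisco wildcard mask wild."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(spec))
    w = int(ipaddress.IPv4Address(wild))
    keep = ~w & 0xFFFFFFFF          # bits that must agree
    return (a & keep) == (s & keep)

def _parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Return [(seq, action, proto, (src, wild), (dst, wild)), ...] in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_addr(t, 3)
        dst, _ = _parse_addr(t, i)
        rules.append((int(t[0]), t[1], t[2], src, dst))
    return rules

def evaluate(rules, src, dst):
    """First-match evaluation; only 'ip' rules are in this subset, so the
    protocol field is carried but not tested. Implicit deny at the end."""
    for seq, action, _proto, (ss, sw), (ds, dw) in rules:
        if wildcard_match(src, ss, sw) and wildcard_match(dst, ds, dw):
            return seq, action
    return None, "deny"

RULES = parse_acl(ACL)

def broadcast_forms_blocked(subnet="128.114.17.0/24", outside="192.0.2.1"):
    """Both the .255 and .0 broadcast forms of a campus /24 must be denied."""
    net = ipaddress.IPv4Network(subnet)
    ones = evaluate(RULES, outside, str(net.broadcast_address))
    zeros = evaluate(RULES, outside, str(net.network_address))
    return ones[1] == "deny" and zeros[1] == "deny"
```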



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:14 EDT