[nsp] RE: UDP broadcast filters.

From: Ted Mittelstaedt (tedm@portsoft.com)
Date: Mon Mar 16 1998 - 14:40:36 EST

1) Telnet into the router
2) issue an "enable" command
3) issue a "config" command
4) Create an "ip access group" that lists all your rulesets. What I do is to build one in Notepad, then cut and paste from there to the telnet window. Here's a snippet of mine, which is the interior firewall. Note that this can be built to be applied either to incoming or to outgoing packets, and can be applied to either the serial interface or the ethernet interface. You have to re-write the list if you change how it's applied; the following is applied to incoming packets on the serial interface:

access-list 101 permit tcp any any established
access-list 101 deny ip
access-list 101 permit icmp any any

access-list 101 permit tcp any any eq hostname

access-list 101 permit tcp any host eq smtp
access-list 101 permit tcp any host eq pop3
access-list 101 permit tcp any host eq domain
access-list 101 permit udp any host eq domain
access-list 101 permit udp any host eq nameserver
access-list 101 permit tcp any host eq ftp
access-list 101 permit tcp any host eq ftp-data
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023

Depending on how nasty your users are, you may want to block some of their outgoing traffic. Common blocks are on SMTP, which forces all outbound SMTP to spool through your mailserver and greatly discourages spammers from using your dialup accounts. Another popular one is a block on TCP traffic for Real Audio, to force people to use UDP as a transport. This requires a second access list.

5) Ctrl-Z, then do a sh running-config to make sure that the access list is properly built
6) Go back into config, then apply the list to the desired interface - in my case the command is "config, in s0.1, ip access-group 101 in, exit, exit"
7) Sit back and wait for your users to scream because something you are inadvertently blocking is something that they were using. ;-) Repeat steps 1-6 until satisfied.


PS: While this firewall is going to be better than nothing (you need to substitute the appropriate IP numbers for your network, of course), you really need to learn a lot about the basic protocol of TCP/IP and its implementation to write a good one, as well as know exactly what all your external hosts are doing. There is always trial and error in this business: you start with the most restrictive access list possible, then gradually add openings to it as users complain.

From: jlixfeld@idirect.ca[SMTP:jlixfeld@idirect.ca]
Sent: Monday, March 16, 1998 1:40 AM
To: Cisco-NSP; Cisco at Colorado
Subject: UDP broadcast filters.

I've kept hearing about a UDP smurf floating around and I'd like to put up
a firewall to prevent it. Can anyone give me any insight on how this is
done? I don't understand enough about UDP, broadcasts or enough about
access-lists to create an effective one. Can anyone give me some
Jason A. Lixfeld                 jlixfeld@idirect.ca
System Administrator [L5]        jlixfeld@torontointernetxchange.net

---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a      | "A Different Kind of Internet Company"
Internet Direct Canada Inc.      | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West          | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario       | (416) 236-5806 ext 18 (T)
M9B-1B5 CANADA                   | (416) 236-5804 (F)
---------------------------------------------------------------------
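An IOS extended access list of the kind in the reply above is evaluated top to bottom, the first matching entry wins, and every list ends with an implicit deny. Whether a given packet (say a UDP echo aimed at the broadcast address, the pattern the original question is about) gets through is decided by that walk, so a small model of it is a useful way to check a list before applying it to an interface. The Python below is an added example, not code from the message or from Cisco: it parses access-list lines in the syntax used above and runs constructed packets through them. The addresses are from the RFC 5737 documentation ranges and are assumptions standing in for the IP numbers the message leaves out; the incomplete "deny ip" line of the original is replaced by an anti-spoofing deny of this example's own choosing, not a reconstruction; the port-keyword table is a small subset of the IOS names; and "established" is modelled as a flag on the packet rather than by inspecting TCP flags.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords used in the list (subset; constructed for this example).
PORT_NAMES = {
    "hostname": 101, "smtp": 25, "pop3": 110, "domain": 53, "nameserver": 42,
    "ftp": 21, "ftp-data": 20, "telnet": 23, "echo": 7, "chargen": 19,
}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # stands in for a TCP segment with ACK or RST set


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src_net: int
    src_mask: int              # bits that must match; inverse of the IOS wildcard
    dst_net: int
    dst_mask: int
    port_op: Optional[str] = None   # "eq", "gt" or "lt", applied to the destination port
    port: Optional[int] = None
    established: bool = False


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: List[str]):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    wildcard = _ip(tokens.pop(0))
    return _ip(tok), (~wildcard) & 0xFFFFFFFF


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N action proto SRC DST [eq|gt|lt PORT] [established]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src_net, src_mask = _parse_addr(rest)
    dst_net, dst_mask = _parse_addr(rest)
    rule = Rule(action, proto, src_net, src_mask, dst_net, dst_mask)
    while rest:
        tok = rest.pop(0)
        if tok in ("eq", "gt", "lt"):
            name = rest.pop(0)
            rule.port_op = tok
            rule.port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif tok == "established":
            rule.established = True
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if (_ip(pkt.src) & rule.src_mask) != (rule.src_net & rule.src_mask):
        return False
    if (_ip(pkt.dst) & rule.dst_mask) != (rule.dst_net & rule.dst_mask):
        return False
    if rule.established and not pkt.established:
        return False
    if rule.port_op == "eq" and pkt.dport != rule.port:
        return False
    if rule.port_op == "gt" and not pkt.dport > rule.port:
        return False
    if rule.port_op == "lt" and not pkt.dport < rule.port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an IOS list ends with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed stand-in for the list in the message: 192.0.2.0/24 is the inside
# network, .10 the mail host, .53 the name server, .21 the FTP host.  The deny on
# line two is this example's own anti-spoofing rule (the original line is cut off).
ACL_TEXT = """
access-list 101 permit tcp any any established
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq hostname
access-list 101 permit tcp any host 192.0.2.10 eq smtp
access-list 101 permit tcp any host 192.0.2.10 eq pop3
access-list 101 permit tcp any host 192.0.2.53 eq domain
access-list 101 permit udp any host 192.0.2.53 eq domain
access-list 101 permit udp any host 192.0.2.53 eq nameserver
access-list 101 permit tcp any host 192.0.2.21 eq ftp
access-list 101 permit tcp any host 192.0.2.21 eq ftp-data
access-list 101 permit tcp any any gt 1023
access-list 101 permit udp any any gt 1023
"""
ACL = [parse_rule(line) for line in ACL_TEXT.strip().splitlines()]

# Constructed packets arriving inbound on the serial interface.
SAMPLE_PACKETS = {
    "udp_echo_to_broadcast": Packet("udp", "203.0.113.5", "192.0.2.255", 7, 7),
    "dns_query": Packet("udp", "198.51.100.9", "192.0.2.53", 40001, 53),
    "smtp_syn": Packet("tcp", "198.51.100.9", "192.0.2.10", 40002, 25),
    "telnet_syn": Packet("tcp", "198.51.100.9", "192.0.2.10", 40003, 23),
    "reply_to_inside_client": Packet("tcp", "198.51.100.80", "192.0.2.77", 80, 40000, True),
    "spoofed_inside_source": Packet("tcp", "192.0.2.5", "192.0.2.10", 40004, 25),
    "icmp_echo_reply": Packet("icmp", "203.0.113.9", "192.0.2.77"),
}


def verdicts() -> dict:
    return {name: evaluate(ACL, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:6} {name}")
```

Two things the verdicts make visible that are worth keeping in mind when applying such a list: the UDP echo to the broadcast address is dropped only because nothing permits it (the implicit deny, not an explicit rule, does the work, so any later "permit udp" opening has to be checked against it again), and the "permit icmp any any" and "gt 1023" entries let ICMP and high-port UDP through unconditionally, which is the kind of opening the PS warns will need revisiting as traffic on the network changes.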

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:15 EDT