We use the following to block incoming winnukes, tftp, imap, bootp, nfs,
xwindows, chargen, echo, etc. We have others in this access list but due
to security concerns we won't post them here (and to save bandwidth).
access-list 111 deny udp any any eq 67
access-list 111 deny udp any any eq 68
access-list 111 deny tcp any any eq 135
access-list 111 deny tcp any any eq 137
access-list 111 deny tcp any any eq 139
access-list 111 deny udp any any eq 135
access-list 111 deny udp any any eq netbios-ns
access-list 111 deny udp any any eq 139
access-list 111 deny udp any any eq tftp
access-list 111 deny tcp any any eq 143
access-list 111 deny tcp any any eq 220
access-list 111 deny tcp any any eq echo
access-list 111 deny udp any any eq echo
access-list 111 deny tcp any any eq discard
access-list 111 deny udp any any eq discard
access-list 111 deny tcp any any eq chargen
access-list 111 deny udp any any eq 19
access-list 111 deny tcp any any eq 2049
access-list 111 deny udp any any eq 2049
access-list 111 deny tcp any any eq 6000
access-list 111 deny tcp any any eq 6001
access-list 111 deny tcp any any eq 6002
access-list 111 deny tcp any any eq 6003
access-list 111 permit ip any any
Then we apply:
ip access-group 111 out
to the ethernet port on the router.
--
Tom Mullaney <tpm@jovian.net>   Jovian Networks, LLC
nic: TM6112                     Townsend, MA 01469-1182
icq: 17378679                   (888) 568-4261
aim: tpmullaney                 http://www.jovian.net
-- Unix, networking, administration, consulting, programming, Internet services

On Sat, 5 Sep 1998, RTS wrote:

> Date: Sat, 05 Sep 1998 20:17:28 -0500
> From: RTS <rts@rdr.net>
> Reply-To: cisco-nsp@qual.net
> To: cisco-nsp@qual.net
> Subject: [nsp] WinNukes
>
> Yea.... we all hate them (WinNukes)
>
> In a CISCO Router what is the easiest way to prevent them from hitting the
> computers on a network??
>
> Randy
> rts@rdr.net
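Added example, not part of the original post: the Python below models how IOS evaluates an extended access list like the one above, checking entries in order, letting the first match decide, and falling through to the implicit deny when nothing matches. It uses a subset of the posted entries; the function names and the keyword-to-port table are this example's own.

```python
import re

# IOS port keywords that appear in the posted list, with their port numbers.
PORT_NAMES = {"echo": 7, "discard": 9, "chargen": 19, "tftp": 69, "netbios-ns": 137}

# Subset of the entries from the post (order preserved), not the full list.
ACL_TEXT = """\
access-list 111 deny tcp any any eq 139
access-list 111 deny udp any any eq netbios-ns
access-list 111 deny udp any any eq tftp
access-list 111 deny tcp any any eq 143
access-list 111 deny udp any any eq 19
access-list 111 deny tcp any any eq 2049
access-list 111 deny tcp any any eq 6000
access-list 111 permit ip any any
"""

# Only the "any any [eq <port>]" form used in the post is supported here.
ENTRY = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\S+))?\s*$")

def parse_acl(text):
    """Return [(action, proto, dest_port or None)] in configuration order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):   # skip blanks and IOS comments
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unsupported entry: {line}")
        _, action, proto, port = m.groups()
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES[port]
        entries.append((action, proto, port))
    return entries

def evaluate(entries, proto, dport):
    """First matching entry wins; returns (action, 1-based entry number)."""
    for n, (action, e_proto, e_port) in enumerate(entries, 1):
        if e_proto in ("ip", proto) and e_port in (None, dport):
            return action, n
    return "deny", None   # implicit "deny ip any any" that ends every IOS ACL
```

Dropping the final `permit ip any any` from the parsed list shows why that last entry matters: every packet not explicitly denied would then hit the implicit deny.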
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:18 EDT