[nsp] Access-lists to block ftp and web
Hudson Delbert J Contr 61 CS/SCBN
Delbert.Hudson at LOSANGELES.AF.MIL
Thu Jan 15 14:33:22 EST 2004
Hopefully this is just a question re: ftp and www, as this ACL will subject you to just about any kind of scan/probe possible.
Don't forget your spoofing and bogon stuff...
access-list 110 remark acl outbound from interface
!
access-list 110 deny tcp any any eq 443 ! secure http
access-list 110 deny tcp any any range 20 21 ! ftp data and control channels
access-list 110 deny tcp any any eq 115 ! secure ftp
access-list 110 deny tcp any any eq 8080 ! www admin
access-list 110 permit ip any any ! this seems really dangerous but this is what you asked
!
access-list 100 remark acl inbound to interface
!
access-list 100 deny tcp any eq 80 any ! http
access-list 100 deny tcp any eq 443 any ! secure http
access-list 100 deny tcp any range 20 21 any ! ftp
access-list 100 permit ip any any ! this will catch all the other tcp, icmp and udp stuff
access-list 100 deny ip any any log ! stated so one can log, otherwise you don't need to put it here
del.
-----Original Message-----
From: Sam Stickland [mailto:sam_ml at spacething.org]
Sent: Thursday, January 15, 2004 7:35 AM
To: elatour at cimex.com.cu; cisco-nsp at puck.nether.net
Subject: Re: [nsp] Access-lists to block ftp and web
To block incoming www you need:
access-list 110 deny tcp any any eq www
What you have will block outgoing www.
Sam
----- Original Message -----
From: <elatour at cimex.com.cu>
To: <cisco-nsp at puck.nether.net>
Sent: Thursday, January 15, 2004 3:04 PM
Subject: [nsp] Access-lists to block ftp and web
How do I make an access-list that blocks web and ftp ports and permits other traffic?
I write:
access-list 110 deny tcp any eq www any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any eq 8080 any
access-list 110 deny tcp any any eq 8080
access-list 110 deny tcp any eq ftp any
access-list 110 deny tcp any any eq ftp
access-list 110 permit icmp any any
access-list 110 permit udp any any
access-list 110 permit tcp any any
but all pass...
and reverse:
access-list 110 permit icmp any any
access-list 110 permit udp any any
access-list 110 permit tcp any any
access-list 110 deny tcp any eq www any
access-list 110 deny tcp any any eq www
access-list 110 deny tcp any eq 8080 any
access-list 110 deny tcp any any eq 8080
access-list 110 deny tcp any eq ftp any
access-list 110 deny tcp any any eq ftp
idem.
TIA,
Eugenio.
--------------------------------------------------------------------------------
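Added illustration of the two points the thread turns on (an IOS ACL is walked top-down and stops at the first matching entry, and `any eq www any` tests the source port while `any any eq www` tests the destination port). This is a toy model written for this page, not Cisco code; it parses only the `access-list N permit|deny proto any [eq PORT] any [eq PORT]` subset used above, and the packet tuples and list orderings are constructed from Eugenio's message.

```python
import re

# Toy model of IOS extended-ACL first-match evaluation (not Cisco software).
NAMED_PORTS = {"www": 80, "ftp": 21}
ACE_RE = re.compile(
    r"access-list \d+ (permit|deny) (\w+) any(?: eq (\S+))? any(?: eq (\S+))?$")

def _port(tok):
    """Map 'www'/'ftp'/numeric tokens to a port number; None means 'any port'."""
    if tok is None:
        return None
    return NAMED_PORTS.get(tok, int(tok) if tok.isdigit() else None)

def parse_ace(line):
    """Parse one access-list entry; trailing '! comment' text is dropped."""
    m = ACE_RE.match(line.split("!")[0].strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    action, proto, sport, dport = m.groups()
    return {"action": action, "proto": proto,
            "sport": _port(sport), "dport": _port(dport)}

def evaluate(acl_lines, proto, sport, dport):
    """First-match lookup: (action, index of matching ACE) or ('deny', -1)."""
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", -1  # every IOS ACL ends with an implicit deny

# Eugenio's two orderings, constructed from the message text above.
DENY_FIRST = [
    "access-list 110 deny tcp any eq www any",
    "access-list 110 deny tcp any any eq www",
    "access-list 110 permit icmp any any",
    "access-list 110 permit udp any any",
    "access-list 110 permit tcp any any",
]
PERMIT_FIRST = DENY_FIRST[2:] + DENY_FIRST[:2]

if __name__ == "__main__":
    # Client to web server: destination port 80.
    print(evaluate(DENY_FIRST, "tcp", 40000, 80))    # ('deny', 1)
    print(evaluate(PERMIT_FIRST, "tcp", 40000, 80))  # ('permit', 2): deny never reached
    # 'any eq www any' only matches the reply direction (source port 80).
    print(evaluate(DENY_FIRST, "tcp", 80, 40000))    # ('deny', 0)
```

With the permits first, every TCP packet matches `permit tcp any any` at index 2 and the deny entries behind it are dead, which is the "reverse" case that still let everything through.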
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/