Description
This article is from the Firewalls
FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum
mjr@nfr.com with numerous contributions by others.
26 Implementation (filtering rules for a Cisco)
* Allow all outgoing TCP-connections
* Allow incoming SMTP and DNS to mailhost
* Allow incoming FTP data connections to high TCP port (>1024)
* Try to protect services that live on high port numbers
Only incoming packets from Internet are checked in this configuration. Rules
are tested in order and stop when the first match is found. There is an
implicit deny rule at the end of an access list that denies everything. This
IP access list assumes that you are running Cisco IOS v. 10.3 or later.
no ip source-route
!
interface ethernet 0
ip address 195.55.55.1
no ip directed-broadcast
!
interface serial 0
no ip directed-broadcast
ip access-group 101 in
!
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip any 0.0.0.0 255.255.255.0
!
access-list 101 deny ip 195.55.55.0 0.0.0.255
access-list 101 permit tcp any any established
!
access-list 101 permit tcp any host 195.55.55.10 eq smtp
access-list 101 permit tcp any host 195.55.55.10 eq dns
access-list 101 permit udp any host 192.55.55.10 eq dns
!
access-list 101 deny tcp any any range 6000 6003
access-list 101 deny tcp any any range 2000 2003
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
!
access-list 101 permit tcp any 20 any gt 1024
!
access-list 101 permit icmp any any
!
snmp-server community FOOBAR RO 2
line vty 0 4
access-class 2 in
access-list 2 permit 195.55.55.0 0.0.0.255
Continue to:
Share and Enjoy
Bookmark this story so others can enjoy it:
Tags
security, Internet, firewalls, ssl, port, protection, application layer, proxy server, packet screening, filtering rules, viruses, terms
