Incoming Cisco WAN i/f ACL: example of "allow all, deny a few".

The incoming Internet-facing i/f ACL is structured to deny a certain set of bad things, else allow everything else. Assume a classic class B address (e.g., 179.1.0.0), with a subnet mask 255.255.255.0.

WARNING: this is meant to be illustrative and should not be taken to be useful in the real world without reexamination of what new bugs might exist.

note: this can be improved substantially by denying all < 1024 ports except for certain "ok" ports, but then it isn't so much deny bad/allow rest.

----------------------------------------------------------
! some paranoid NOs. these are here to squash certain types
! of spoofing behavior fast
!
! deny external spoofing: packets arriving on the outside interface that
! claim a source inside our own class B (179.1.0.0 is the example address
! from the note above)
access-list 122 deny ip 179.1.0.0 0.0.255.255 any
!
! deny spoofing from "reserved" addresses
access-list 122 deny ip 10.0.0.0 0.255.255.255 any
access-list 122 deny ip 127.0.0.0 0.255.255.255 any
access-list 122 deny ip 172.16.0.0 0.15.255.255 any
access-list 122 deny ip 192.168.0.0 0.0.255.255 any
access-list 122 deny ip host 0.0.0.0 any
access-list 122 deny ip host 255.255.255.255 any
!
! just say no to ICMP denial of service attacks
! assumption here is that we are class B/24.
! note we squash attacks via 0's as well.
! (the 255.255.255.0 wildcard ignores the first three octets, so these two
! entries match any destination ending in .255 or .0, i.e. the broadcast
! addresses of every /24 subnet)
access-list 122 deny icmp any 0.0.0.255 255.255.255.0
access-list 122 deny icmp any 0.0.0.0 255.255.255.0
!
! just say no to all unauthorized tunnels
access-list 122 deny ipinip any any
access-list 122 deny gre any any
!
! known bad things to stomp on
!
! nfs
access-list 122 deny tcp any any eq 2049
access-list 122 deny udp any any eq 2049
!
! tftp (numeric port for tcp: the tftp keyword is only defined for udp)
access-list 122 deny udp any any eq tftp
access-list 122 deny tcp any any eq 69
!
! ttyline
access-list 122 deny tcp any any eq 87
access-list 122 deny udp any any eq 87
!
! rsh (512)
access-list 122 deny tcp any any eq exec
!
! rlogin
access-list 122 deny tcp any any eq 513
!
! rcmd
access-list 122 deny tcp any any eq cmd
!
! example hole in access list (bad ...)
! (EXTERNAL-HOST and INTERNAL-LPD-HOST are placeholders for the two specific
! addresses elided here; the point is that this permit sits in front of the
! lpd deny below, so first-match lets exactly that pair through)
access-list 122 permit tcp host EXTERNAL-HOST host INTERNAL-LPD-HOST eq lpd
!
! lpd (numeric port for udp: the lpd keyword is only defined for tcp)
access-list 122 deny tcp any any eq lpd
access-list 122 deny udp any any eq 515
!
! X11
access-list 122 deny tcp any any eq 6000
access-list 122 deny tcp any any eq 6001
access-list 122 deny tcp any any eq 6002
!
! snmp
access-list 122 deny tcp any any eq 161
access-list 122 deny udp any any eq 161
access-list 122 deny tcp any any eq 162
access-list 122 deny udp any any eq 162
!
! syslog
access-list 122 deny udp any any eq syslog
!
! sunrpc/rpcbind (NIS portmapper) (this may not be enough)
access-list 122 deny tcp any any eq sunrpc
access-list 122 deny udp any any eq sunrpc
!
! 137-139 netbios (thank you microsoft)
access-list 122 deny tcp any any eq 137
access-list 122 deny tcp any any eq 138
access-list 122 deny tcp any any eq 139
access-list 122 deny udp any any eq 137
access-list 122 deny udp any any eq 138
access-list 122 deny udp any any eq 139
!
! echo
access-list 122 deny tcp any any eq echo
access-list 122 deny udp any any eq echo
!
! discard
access-list 122 deny tcp any any eq discard
access-list 122 deny udp any any eq discard
!
! chargen
access-list 122 deny tcp any any eq chargen
access-list 122 deny udp any any eq 19
!
! nameserver
access-list 122 deny tcp any any eq 42
access-list 122 deny udp any any eq nameserver
!
! else accept
access-list 122 permit ip any any
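The list above relies on two things that are easy to get wrong when reading it: the first matching entry wins (which is why the lpd "hole" works and why the final permit only catches what nothing earlier denied), and wildcard masks mark don't-care bits, so 255.255.255.0 means "ignore the first three octets". The following is an added example, not part of the original note and not Cisco's code: a small Python evaluator for the subset of numbered-ACL syntax used here, run over a constructed subset of list 122 and a few constructed packets. The example class B 179.1.0.0 from the note is filled in, RFC 5737 documentation addresses stand in for the elided lpd hosts, and the port-name table is a hypothetical mapping of the keywords the list uses to their standard numbers.

```python
"""Added example: first-match evaluation of Cisco-style numbered ACL entries
with wildcard masks (not from the original page or from Cisco).  Parses only
the syntax the page uses: action, protocol, 'any' | 'host A.B.C.D' |
'A.B.C.D WILDCARD' for source and destination, optional 'eq PORT' on the
destination."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical keyword table (IOS resolves these itself; standard numbers).
PORT_NAMES = {
    "echo": 7, "discard": 9, "chargen": 19, "nameserver": 42, "tftp": 69,
    "sunrpc": 111, "exec": 512, "login": 513, "cmd": 514, "syslog": 514,
    "lpd": 515,
}


@dataclass
class Packet:
    proto: str            # "icmp", "tcp", "udp", "gre", "ipinip"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str
    proto: str            # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _take_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec starting at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1          # all bits don't-care
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2     # all bits must match
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn 'access-list N action proto src dst [eq port]' lines into Rules; '!' lines are comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        assert tok[0] == "access-list", line
        action, proto = tok[2], tok[3]
        src, src_wild, i = _take_addr(tok, 4)
        dst, dst_wild, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
        rules.append(Rule(action, proto, src, src_wild, dst, dst_wild, dport))
    return rules


def _addr_match(addr: int, wild: int, value: int) -> bool:
    # Wildcard bits set to 1 are ignored; only the 0 bits are compared.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (value & care)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; a list with no match denies implicitly."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not _addr_match(r.src, r.src_wild, _ip(pkt.src)):
            continue
        if not _addr_match(r.dst, r.dst_wild, _ip(pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "deny"


# Constructed subset of list 122 from the note, with the example class B
# 179.1.0.0 filled in and documentation addresses for the elided lpd hosts.
SAMPLE_ACL = """
access-list 122 deny ip 179.1.0.0 0.0.255.255 any
access-list 122 deny ip 10.0.0.0 0.255.255.255 any
access-list 122 deny icmp any 0.0.0.255 255.255.255.0
access-list 122 deny icmp any 0.0.0.0 255.255.255.0
access-list 122 deny gre any any
access-list 122 permit tcp host 198.51.100.5 host 179.1.3.4 eq lpd
access-list 122 deny tcp any any eq lpd
access-list 122 deny udp any any eq sunrpc
access-list 122 permit ip any any
"""

RULES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for pkt in [Packet("icmp", "203.0.113.9", "179.1.7.255"),   # smurf-style broadcast target
                Packet("tcp", "179.1.9.9", "179.1.1.1", 25),     # our own net as source from outside
                Packet("tcp", "198.51.100.5", "179.1.3.4", 515), # the lpd "hole"
                Packet("tcp", "203.0.113.9", "179.1.3.4", 25)]:  # falls through to the final permit
        print(pkt, "->", evaluate(RULES, pkt))
```

Running it shows the three behaviours worth checking against a real list: ICMP to any x.x.x.255 or x.x.x.0 is dropped by the wildcard trick while ICMP to an ordinary host address passes, the single permitted lpd pair gets through even though the very next entry denies lpd for everyone, and anything not named (SMTP here) reaches the closing permit ip any any. Reordering the two lpd entries closes the hole, which is the kind of check worth scripting before an ACL like this is applied.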