01-09-2002 05:25 PM - edited 03-01-2019 07:58 PM
I have just been given the go ahead to block all ports on our internet router except for the well known ports. Anyone know the best way to accomplish this? Would an extended access list be the best way?
01-11-2002 02:16 PM
Yes, an extended access-list would be the best way to do it. A couple of design suggestions:
1) To minimize impact on the performance of the router, do it all in one access-list. The performance hit you'd take killing outbound request packets isn't worth the price you'd pay in a second instance of access-list processing.
2) You don't care what the users ask for, you care what COMES IN. (Let some other network admin with a bigger router filter out what he doesn't want!)
3) DEBUG IP PACKET DETAIL is your friend in fine-tuning this access-list.
4) The "deny any any" (implicit deny) is already at the end of the access-list. Leaving it off shows that you're well-informed enough to know you don't need it.
A nice sample baseline of what you're looking for might be:
access-list 101 permit tcp any gt 1 any eq 80 <-- WWW
access-list 101 permit tcp any gt 1 any eq 21 <-- FTP
access-list 101 permit tcp any gt 1 any eq 25 <-- SMTP
access-list 101 permit tcp any gt 1 any eq 110 <-- POP3
access-list 101 permit udp any gt 1 any eq 53 <-- DNS replies
access-list 101 permit icmp any any echo-reply <-- Ping responses
access-list 101 permit icmp any any time-exceeded <-- Traceroute responses
interface WAN 0
ip address x.x.x.x y.y.y.y
ip access-group 101 in
Again, use DEBUG IP PACKET DETAIL to see what traffic you need is being "access denied" and change my sample as your needs dictate.
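An added way to check what an inbound list really admits before touching the router, not code from the original post or from Cisco: a small first-match evaluator for numbered extended ACL lines in IOS syntax, run against constructed sample packets arriving on the WAN side. It models the implicit deny at the end of the list, and the sample traffic shows one point worth checking in the baseline above: the UDP line matches queries sent to an internal DNS server on port 53, while a reply coming back from source port 53 to a high port falls through to the implicit deny. The addresses and port numbers below are constructed.

```python
"""Added example: first-match evaluation of Cisco IOS style numbered extended
ACL lines against constructed inbound packets (not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The baseline list from the thread (ICMP type follows the addresses directly).
ACL_TEXT = """
access-list 101 permit tcp any gt 1 any eq 80
access-list 101 permit tcp any gt 1 any eq 21
access-list 101 permit tcp any gt 1 any eq 25
access-list 101 permit tcp any gt 1 any eq 110
access-list 101 permit udp any gt 1 any eq 53
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
"""

PORT_OPS = {"eq", "gt", "lt", "neq"}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: tuple                  # (address, wildcard) as 32-bit ints
    src_port: Optional[tuple]   # (op, value) or ("range", (lo, hi))
    dst: tuple
    dst_port: Optional[tuple]
    icmp_type: Optional[str]


def _parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((addr, wild), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok, i):
    """Parse an optional port operator at tok[i]; None when there is none."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return (tok[i], int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", (int(tok[i + 1]), int(tok[i + 2]))), i + 3
    return None, i


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        src_port, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dst_port, i = _parse_port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        rules.append(Rule(line, action, proto, src, src_port, dst, dst_port, icmp_type))
    return rules


def _addr_match(ip, spec):
    addr, wild = spec
    # Wildcard bits set to 1 are "don't care", as in IOS.
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def _port_match(port, spec):
    if spec is None:
        return True
    if port is None:
        return False
    op, val = spec
    if op == "eq":
        return port == val
    if op == "gt":
        return port > val
    if op == "lt":
        return port < val
    if op == "neq":
        return port != val
    return val[0] <= port <= val[1]          # range


def evaluate(rules, pkt):
    """Return (action, matched rule text); unmatched traffic hits the implicit deny."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(pkt.src, r.src) and _addr_match(pkt.dst, r.dst)):
            continue
        if r.proto == "icmp":
            if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
                continue
        elif not (_port_match(pkt.sport, r.src_port) and _port_match(pkt.dport, r.dst_port)):
            continue
        return r.action, r.text
    return "deny", "implicit deny"


# Constructed traffic as it would arrive inbound on the WAN interface.
SAMPLE = {
    "web request to internal server": Packet("tcp", "203.0.113.7", "192.0.2.10", 40123, 80),
    "dns reply to internal resolver": Packet("udp", "203.0.113.53", "192.0.2.10", 53, 40124),
    "ping reply": Packet("icmp", "203.0.113.7", "192.0.2.10", icmp_type="echo-reply"),
    "inbound ping": Packet("icmp", "203.0.113.7", "192.0.2.10", icmp_type="echo"),
    "telnet attempt": Packet("tcp", "203.0.113.7", "192.0.2.10", 40125, 23),
}

RULES = parse_acl(ACL_TEXT)


def audit(rules=RULES, packets=SAMPLE):
    """Map each sample packet name to the action the list takes on it."""
    return {name: evaluate(rules, p)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        action, why = evaluate(RULES, pkt)
        print(f"{action:6} {name:32} via: {why}")
```

Running it prints one line per sample packet with the rule that decided it; anything that lands on "implicit deny" is the traffic the DEBUG IP PACKET DETAIL step in the post would show as access denied, so the list can be adjusted before it goes on the interface.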
01-17-2002 11:41 PM
Hi,
Regarding this conversation, I was always rather in a fix on what's better: applying an outbound access-list or an inbound access-list. The thing that troubled me with an inbound access-list was the BW usage limitation. Since I'm from an ISP, for me wasting the costly BW is an issue; I mean letting the packets utilize the BW from the uplink provider to me and then ultimately dropping them.
What has more load on the router, inbound or outbound? And once more, which is better?
Regards
01-18-2002 04:52 AM
Right now at the present, we have 2 T-1's coming in, but they are very underutilized. For now, I put the list on the inbound side, but I am also working up a CBAC to deploy out there, and once I get that in place, along with an outbound access list, I think that it should take care of the problem.