access-list to stop access to port 3128

bbloise · ‎10-11-2002

I am trying to stop users from outside our network from using our cacheraq. We have a Sun Cobalt CacheRaq4 running and it doesn't allow changing the config files to stop other networks from coming in.

I have the following access-list and would like to know if this is really going to block anyone outside of our network from using the cacheraq server.

The IP address of the cacheraq4 is 208.150.80.200 and I am using port 3128. What is happening is that someone is using the server to relay email. We need to stop them from doing that as well as others using the proxy.

Thanks in advance for the information.

access-list 110 deny ip 208.150.80.0 0.0.0.255 any

access-list 110 deny ip 208.150.72.0 0.0.0.255 any

access-list 110 deny ip 208.150.73.0 0.0.0.255 any

access-list 110 deny ip 208.150.74.0 0.0.0.255 any

access-list 110 deny ip 208.150.75.0 0.0.0.255 any

access-list 110 deny ip 208.150.76.0 0.0.0.255 any

access-list 110 deny ip 208.150.77.0 0.0.0.255 any

access-list 110 deny ip 208.150.82.0 0.0.0.255 any

access-list 110 deny ip 208.150.83.0 0.0.0.255 any

access-list 110 deny ip 208.150.84.0 0.0.0.255 any

access-list 110 deny ip 208.150.85.0 0.0.0.255 any

access-list 110 deny ip 208.150.86.0 0.0.0.255 any

access-list 110 deny ip 208.150.87.0 0.0.0.255 any

access-list 110 deny tcp any eq 3128 any

access-list 110 deny udp any eq 3128 any

access-list 110 permit ip any any

access-list 110 permit tcp any any

Bob Bloise

steve.barlow · ‎10-11-2002

I assume this acl is applied inbound on the external/outside interface. If the source port (udp and tcp) is 3128 it is good. If the ports are the destination ports it won't work - use "access-list 110 deny tcp any any eq 3128". I would suspect it should be the destination ports.

The line "access-list 110 permit ip any any" makes the last line obsolete and you should remove the last line.

Steve

bbloise · ‎10-12-2002

Steve,

Thank you very much! That did it....

Bob Bloise