07-10-2001 12:37 AM - edited 02-20-2020 09:15 PM
As our 7206 has multiple sub-interfaces for our Internet clients, I'm looking at a generic ACL I can apply to each one to deny things like NetBIOS traffic, telnet access etc., but still allowing them full Internet access... e.g.
(Just logging all for debugging purposes)
access-list 132 deny udp any eq netbios-dgm any log-input
access-list 132 deny udp any eq netbios-ns any log-input
access-list 132 deny udp any eq netbios-ss any log-input
access-list 132 deny tcp any eq 137 any log-input
access-list 132 deny tcp any eq 138 any log-input
access-list 132 deny tcp any eq 139 any log-input
access-list 132 deny tcp any eq 23 any log-input
access-list 132 permit ip any any
But I can't see a way to have a default deny policy without killing their Internet connection.
Any suggestions/Comments are greatly appreciated.
Regards,
MB
07-18-2001 12:57 PM
That ACL shouldn't kill their Internet access. I don't see the problem.
07-24-2001 12:41 AM
You seem to be filtering on source ports in your ACL - this isn't a good idea since most protocols use random high ports as the source port. A better strategy would be to filter on the destination port, which is (usually!) more predictable.
Two additional suggestions:
If you're going after command line tools, be aware that you may want to consider filtering SSH and the BSD r* commands as well. It depends on why you want to filter Telnet.
Also, Windows 2000 uses TCP 445 as a replacement for the famous 137, 138 (UDP) and 139 (TCP) - instead of doing NBT as Windows NT 4 does, Windows 2000 allows you to run SMB directly over TCP, getting rid of the NBT middleman. Consider filtering that as well if you've got Win2k clients.
-Rakesh
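To make the source-port versus destination-port point concrete, here is an added example (not part of the original thread) that parses the subset of IOS extended ACL syntax used in MB's post, evaluates some constructed packets against it with IOS first-match semantics and the implicit deny at the end, and compares the result with a rewritten ACL that puts the same ports in the destination position (and adds TCP 445 for SMB-over-TCP as Rakesh suggests). The packet values and the rewritten ACL are assumptions for illustration, not a tested production config.

```python
"""Toy evaluator for a subset of Cisco IOS extended ACL syntax.

Added example, not from the original thread. Only the constructs the posted
ACL uses are supported:
  access-list N {permit|deny} {ip|tcp|udp} any [eq PORT] any [eq PORT] [log|log-input]
"""
from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords that appear in this thread (IOS accepts many more).
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
               "telnet": 23, "ssh": 22}

# The ACL as posted by MB: the 'eq' clauses sit after the SOURCE 'any'.
ORIGINAL_ACL = """
access-list 132 deny udp any eq netbios-dgm any log-input
access-list 132 deny udp any eq netbios-ns any log-input
access-list 132 deny udp any eq netbios-ss any log-input
access-list 132 deny tcp any eq 137 any log-input
access-list 132 deny tcp any eq 138 any log-input
access-list 132 deny tcp any eq 139 any log-input
access-list 132 deny tcp any eq 23 any log-input
access-list 132 permit ip any any
"""

# Hypothetical rewrite: same ports, but matched on the DESTINATION side,
# plus TCP 445 (SMB directly over TCP on Windows 2000).
DEST_PORT_ACL = """
access-list 132 deny udp any any eq netbios-ns log-input
access-list 132 deny udp any any eq netbios-dgm log-input
access-list 132 deny udp any any eq netbios-ss log-input
access-list 132 deny tcp any any eq 137 log-input
access-list 132 deny tcp any any eq 138 log-input
access-list 132 deny tcp any any eq 139 log-input
access-list 132 deny tcp any any eq 445 log-input
access-list 132 deny tcp any any eq telnet log-input
access-list 132 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip", "tcp" or "udp"
    src_port: Optional[int]   # None means 'any port'
    dst_port: Optional[int]


def port_number(token: str) -> int:
    """Resolve an IOS port keyword or a numeric port."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def _take_addr_and_port(tokens: List[str]):
    """Consume 'any [eq PORT]' and return (port_or_None, remaining_tokens)."""
    assert tokens[0] == "any", "only 'any' addresses are supported in this toy"
    tokens = tokens[1:]
    port = None
    if tokens and tokens[0] == "eq":
        port = port_number(tokens[1])
        tokens = tokens[2:]
    return port, tokens


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        assert tok[0] == "access-list"
        action, proto = tok[2], tok[3]
        src_port, rest = _take_addr_and_port(tok[4:])
        dst_port, rest = _take_addr_and_port(rest)
        # Anything left over ('log', 'log-input') does not affect matching.
        aces.append(Ace(action, proto, src_port, dst_port))
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and (ace.src_port is None or ace.src_port == pkt.src_port)
            and (ace.dst_port is None or ace.dst_port == pkt.dst_port))


def decide(acl_text: str, pkt: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    for ace in parse_acl(acl_text):
        if matches(ace, pkt):
            return ace.action
    return "deny"


if __name__ == "__main__":
    # Constructed flows as seen inbound on a client sub-interface:
    # a client opening telnet to the Internet uses an ephemeral source port.
    flows = {
        "client -> Internet telnet": Packet("tcp", 51234, 23),
        "client -> Internet SMB/445": Packet("tcp", 51236, 445),
        "client -> Internet web": Packet("tcp", 51235, 80),
        "client replying from its own telnet server": Packet("tcp", 23, 51234),
    }
    for name, pkt in flows.items():
        print(f"{name:45} posted ACL: {decide(ORIGINAL_ACL, pkt):6} "
              f"dest-port ACL: {decide(DEST_PORT_ACL, pkt)}")
```

The posted ACL permits the outbound telnet and SMB connections, because their source ports are random high ports; the only thing it actually denies is traffic sourced from port 23 or 137-139, i.e. replies from a service the client itself is running. The destination-port version blocks the connections MB intended to block while still letting ordinary traffic such as web browsing through to the final permit.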
07-24-2001 02:54 AM
How do I stop this (Windows 2000 allows you to run SMB directly over TCP) from happening? Do I need to block port 445, or is there any other way they can communicate even after blocking port 445?
thanks in advance
jith