07-18-2002 03:03 AM - edited 03-08-2019 11:36 PM
Some sample access-lists that I have seen show an output like the one below. My question is: is it necessary to have the deny for TCP and UDP specific port numbers? It is my understanding that the implicit deny at the end will block these. The specific ports I speak about are known ports which have been used for various attacks on networks.
Deny rfc 1918 addresses log
Deny reserved/multicast/broadcast addresses log
Permit tcp any to trusted LAN if established
Permit tcp any eq 20 to trusted LAN if greater than 1023 log
Deny tcp any any eq port # log
Deny tcp any any range of port # log
Deny udp any any eq port # log
Deny udp any any range of port # log
Permit udp any eq 53 to trusted LAN if greater than 1023 log
Deny tcp any range 0 65535 any range 0 65535 log
Deny udp any range 0 65535 any range 0 65535 log
Deny ip any any log
Will this config achieve the same secure results??
Deny rfc 1918 addresses log
Deny reserved/multicast/broadcast addresses log
Permit tcp any to trusted LAN if established log
Permit tcp any eq 20 to trusted LAN if greater than 1023 log
Permit udp any eq 53 to trusted LAN if greater than 1023 log
Deny tcp any range 0 65535 any range 0 65535 log
Deny udp any range 0 65535 any range 0 65535 log
Deny ip any any log
07-18-2002 03:20 PM
You are correct, there is always an explicit deny at the end. Whatever has not been listed in the permits is denied.
The samples you see are more for illustration.
Regards,
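To make the point concrete, here is a small first-match evaluator that replays the two lists from the question against some constructed traffic. This is an added example, not configuration or code from the original thread: the trusted LAN (192.0.2.0/24), the Internet-side addresses (198.51.100.0/24), the blocked port numbers (the post leaves them as "port #") and the sample packets are all assumptions chosen for illustration. It shows three things: every packet gets the same permit/deny verdict from both lists; the entry that records the hit (and therefore the entry whose log message and counter fire) differs, which is the only thing the extra specific denies buy you; and, as a caveat, a specific deny that overlaps a later permit changes the verdict, so the shortened list is equivalent only while the denied ports stay disjoint from whatever is permitted further down.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)
HIGH = (1024, 65535)                              # IOS 'gt 1023'
TRUSTED = ipaddress.ip_network("192.0.2.0/24")    # assumed trusted LAN (documentation range)

@dataclass
class ACE:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network = ANY
    sport: Tuple[int, int] = ALL_PORTS
    dst: ipaddress.IPv4Network = ANY
    dport: Tuple[int, int] = ALL_PORTS
    established: bool = False         # IOS 'established': ACK or RST bit set
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False

def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.proto != "ip" and not (ace.sport[0] <= pkt.sport <= ace.sport[1]
                                  and ace.dport[0] <= pkt.dport <= ace.dport[1]):
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True

def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, int]:
    """First match wins. Index -1 is the implicit 'deny ip any any' at the
    end of every IOS ACL; it logs nothing and increments no counter."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", -1

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
RESERVED = ["0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32"]

def header() -> List[ACE]:
    return [ACE("deny", "ip", src=ipaddress.ip_network(n), log=True) for n in RFC1918 + RESERVED]

# The post leaves the blocked ports as "port #"; 135, 137-139, 69 and 161-162 are
# assumed here purely for illustration.
def long_acl(extra_deny: Iterable[ACE] = ()) -> List[ACE]:
    return header() + [
        ACE("permit", "tcp", dst=TRUSTED, established=True),
        ACE("permit", "tcp", sport=(20, 20), dst=TRUSTED, dport=HIGH, log=True),
        ACE("deny", "tcp", dport=(135, 135), log=True),
        ACE("deny", "tcp", dport=(137, 139), log=True),
        ACE("deny", "udp", dport=(69, 69), log=True),
        ACE("deny", "udp", dport=(161, 162), log=True),
        *extra_deny,
        ACE("permit", "udp", sport=(53, 53), dst=TRUSTED, dport=HIGH, log=True),
        ACE("deny", "tcp", log=True),
        ACE("deny", "udp", log=True),
        ACE("deny", "ip", log=True),
    ]

SHORT_ACL = header() + [
    ACE("permit", "tcp", dst=TRUSTED, established=True, log=True),
    ACE("permit", "tcp", sport=(20, 20), dst=TRUSTED, dport=HIGH, log=True),
    ACE("permit", "udp", sport=(53, 53), dst=TRUSTED, dport=HIGH, log=True),
    ACE("deny", "tcp", log=True),
    ACE("deny", "udp", log=True),
    ACE("deny", "ip", log=True),
]

# Constructed sample traffic; 198.51.100.0/24 stands in for the Internet side.
SAMPLE = [
    Packet("tcp", "198.51.100.5", "192.0.2.10", 80, 40000, ack_or_rst=True),  # reply to outbound web
    Packet("tcp", "198.51.100.5", "192.0.2.10", 3456, 135),                   # inbound probe
    Packet("udp", "198.51.100.9", "192.0.2.10", 53, 1025),                    # DNS reply
    Packet("udp", "198.51.100.9", "192.0.2.10", 1234, 161),                   # SNMP probe
    Packet("tcp", "10.1.1.1", "192.0.2.10", 1234, 22),                        # spoofed RFC 1918 source
    Packet("icmp", "198.51.100.5", "192.0.2.10"),                             # neither tcp nor udp
]

def compare(acl_a, acl_b, packets):
    """Return [(action_a, hit_a, action_b, hit_b), ...], one tuple per packet."""
    return [evaluate(acl_a, p) + evaluate(acl_b, p) for p in packets]

def same_decisions(acl_a, acl_b, packets) -> bool:
    return all(a == b for a, _, b, _ in compare(acl_a, acl_b, packets))

def ordering_pitfall() -> Tuple[str, str]:
    """Assumed 'deny udp any any range 1024 1030' placed before the DNS permit:
    the long list now drops a DNS reply to port 1025 that the short list allows."""
    dns_reply = SAMPLE[2]
    trap = long_acl([ACE("deny", "udp", dport=(1024, 1030), log=True)])
    return evaluate(trap, dns_reply)[0], evaluate(SHORT_ACL, dns_reply)[0]

if __name__ == "__main__":
    for p, (a, ia, b, ib) in zip(SAMPLE, compare(long_acl(), SHORT_ACL, SAMPLE)):
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  long={a}@{ia:<2} short={b}@{ib}")
    print("same decisions:", same_decisions(long_acl(), SHORT_ACL, SAMPLE))
    print("overlapping deny before permit (long, short):", ordering_pitfall())
```

Running it shows every sample packet denied or permitted identically by both lists, with the denied probes hitting the specific entries (index 9 and 12) in the long list and the catch-all `deny tcp`/`deny udp` entries in the short one; the ICMP packet falls through to the explicit `deny ip any any log` in both, and an empty list returns the implicit deny at index -1. The `ordering_pitfall` call is the check worth remembering before trimming a list: a specific deny is only redundant if nothing later in the list would have permitted the same traffic.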
07-19-2002 01:48 AM
Thank you for confirming my understanding on this. With some of these configs it did appear pointless to deny specific ports and yet have the 'catch all' deny at the end. O.k. there may be a situation where you need specific denies, but generally speaking it appears to me that if you intend to 'deny most', then an access-list should consist of permits for your actual requirements and let everything else be caught by the deny rule.
Thanks again.