ACLs on multilink ppp interfaces

georgeburtz
Level 1

I have 3 circuits coming in to 3 WICs. These 3 circuits are in a multilink ppp group assigned to an mlppp interface. I have an inbound acl on the 3 individual serial interfaces as well as the mlppp interface. The problem is that the acl does not seem to be functioning - some nmap probes are getting past the acl. Should the acl be applied to all the interfaces or just the multilink or just the serials? This is driving me nuts. Any help would be appreciated.

Thanks...

4 Replies

Richard Burts
Hall of Fame

I am assuming that you have configured an IP address on the multilink interface and no IP addresses on the individual serial interfaces, in which case it is logical that you need the ACL on the multilink interface and not on the serial interfaces.

If some packets are not being caught by the ACL (and if the ACL is properly applied to the correct interface) then you probably should look into the logical construction of the ACL and see where it misses something.

Are you sure that the nmap probes are arriving on the serial/multilink interface?

HTH

Rick

Correct - the ml interface is addressed but not the individual serials. When I do a tracert it does hit the ml ip address as last hop.

The ACL looks OK to me. Here is the relevant part:

remark filter special addr (RFC 3330)
deny ip 127.0.0.0 0.255.255.255 any
! editorial correction: 192.0.2.0 (TEST-NET) is a /24, so the wildcard is 0.0.0.255; the post had 0.0.255.255
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
remark filter private addr space (RFC 1918)
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark filter public range as source
! editorial correction: 255.255.240.0 is a subnet mask; the wildcard for a /20 is 0.0.15.255
deny ip xx.152.112.0 0.0.15.255 any
remark permit ping to serial int
permit icmp any host xx.172.74.14 echo
permit icmp any host xx.81.185.154 echo
remark allow bgp routes
permit tcp host xx.172.74.13 eq bgp host xx.172.74.14
permit tcp host xx.81.185.153 eq bgp host xx.81.185.154
remark filter all ip traffic to interfaces
deny ip any host xx.172.74.14 log
deny ip any host xx.81.185.154 log
deny ip any host xx.130.200.1 log
deny ip any host xx.130.200.3 log
deny ip any host xx.130.200.4 log
deny ip any host xx.152.112.4 log
deny ip any host xx.152.112.5 log
deny ip any host xx.152.112.6 log
remark filter problem services
deny tcp any any eq 1434 log
deny udp any any eq 1434 log
deny tcp any any eq irc log
deny udp any any eq 194 log
deny tcp any any eq 1214 log
deny udp any any eq 1214 log
deny tcp any any eq 369 log
deny udp any any eq 369 log
deny tcp any any eq 530 log
deny udp any any eq 530 log
deny tcp any any range 137 139 log
deny udp any any range netbios-ns netbios-ss log
deny tcp any any eq 445 log
deny udp any any eq 445 log
remark allow anything not already denied
permit ip any any

The part that seems to be hosed is the section "filter all ip traffic to interfaces".

Thanks
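Rick's advice comes down to two checks: that the ACL is applied to the addressed Multilink interface rather than the unaddressed serials, and that the entries actually deny what they are meant to. The script below is an added example, not code from this thread or from Cisco. It parses a constructed config excerpt, re-implements IOS wildcard matching (a set wildcard bit means "don't care") and first-match ordering with the trailing implicit deny, and evaluates sample probes against the result. The ACL name, the interface names and the RFC 5737 addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) standing in for the redacted "xx." addresses are assumptions; the entry shapes mirror the thread, and one entry deliberately carries a subnet mask (255.255.240.0) where a /20 wildcard (0.0.15.255) belongs, to show how that slip both misses the intended range and hits unrelated addresses.

```python
"""First-match evaluator for Cisco IOS extended ACL entries: an added example, not code
from the thread. It re-implements wildcard matching (a set wildcard bit means "don't care")
and first-match ordering ending in the implicit deny. The CONFIG excerpt is constructed; the
ACL name, interface names and RFC 5737 addresses standing in for "xx." are assumptions."""
import ipaddress

CONFIG = """\
ip access-list extended FROM-INTERNET
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark public range as source: 255.255.240.0 is a subnet mask, the /20 wildcard is 0.0.15.255
 deny ip 203.0.112.0 255.255.240.0 any
 permit icmp any host 203.0.113.14 echo
 permit tcp host 203.0.113.13 eq bgp host 203.0.113.14
 deny ip any host 203.0.113.14 log
 deny ip any host 198.51.100.1 log
 deny udp any any range netbios-ns netbios-ss log
 permit ip any any
interface Multilink1
 ip address 203.0.113.14 255.255.255.252
 ip access-group FROM-INTERNET in
interface Serial0/0
 no ip address
"""
PORT_NAMES = {"bgp": 179, "irc": 194, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
def to_int(dotted): return int(ipaddress.IPv4Address(dotted))
def port(tok): return PORT_NAMES.get(tok) or int(tok)
def in_range(rng, v): return rng is None or (v is not None and rng[0] <= v <= rng[1])

def parse_addr(t, i):
    # 'any' | 'host A' | 'A WILDCARD' at t[i]; returns (addr, wildcard, next index)
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return to_int(t[i + 1]), 0, i + 2
    return to_int(t[i]), to_int(t[i + 1]), i + 2

def parse_ports(t, i):
    # optional 'eq P' or 'range P1 P2'; returns ((lo, hi) or None, next index)
    if i < len(t) and t[i] == "eq":
        return (port(t[i + 1]), port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (port(t[i + 1]), port(t[i + 2])), i + 3
    return None, i

def parse_entry(line):
    t = line.split()
    src, swild, i = parse_addr(t, 2)
    sports, i = parse_ports(t, i)
    dst, dwild, i = parse_addr(t, i)
    dports, i = parse_ports(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "swild": swild, "sports": sports,
            "dst": dst, "dwild": dwild, "dports": dports, "line": line,
            "icmp_type": "echo" if "echo" in t[i:] else None}

def parse_config(text):
    # returns ({acl name: [entries]}, {interface: (acl name, direction)})
    acls, applied, acl, iface = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ip access-list extended "):
            acl, iface = line.split()[-1], None
            acls[acl] = []
        elif line.startswith("interface "):
            iface, acl = line.split()[1], None
        elif iface and line.startswith("ip access-group "):
            applied[iface] = tuple(line.split()[2:4])
        elif acl and line.split(" ", 1)[0] in ("permit", "deny"):
            acls[acl].append(parse_entry(line))
    return acls, applied

def wild_match(addr, net, wild):
    care = ~wild & 0xFFFFFFFF  # zero wildcard bits are the ones that must match
    return (addr & care) == (net & care)

def matches(e, p):
    return (e["proto"] in ("ip", p["proto"])
            and wild_match(p["src"], e["src"], e["swild"])
            and wild_match(p["dst"], e["dst"], e["dwild"])
            and in_range(e["sports"], p["sport"]) and in_range(e["dports"], p["dport"])
            and (e["icmp_type"] is None or e["icmp_type"] == p["icmp_type"]))

def evaluate(acl, p):
    for e in acl:  # first matching entry decides
        if matches(e, p):
            return e["action"], e["line"]
    return "deny", "implicit deny"  # running off the end is the implicit deny

ACLS, APPLIED = parse_config(CONFIG)

def check(proto, src, dst, sport=None, dport=None, icmp_type=None, acl="FROM-INTERNET"):
    p = {"proto": proto, "src": to_int(src), "dst": to_int(dst), "sport": sport, "dport": dport, "icmp_type": icmp_type}
    return evaluate(ACLS[acl], p)[0]

if __name__ == "__main__":
    print(APPLIED)  # only Multilink1, the addressed interface, carries the ACL
    print(check("tcp", "198.51.100.200", "198.51.100.1", sport=40000, dport=22))  # deny: probe to a LAN address
    print(check("tcp", "203.0.113.5", "192.0.2.9", sport=1, dport=2))  # permit: the mask slip misses the /20
    print(check("tcp", "8.8.16.0", "192.0.2.9", sport=1, dport=2))  # deny: the mask slip hits an unrelated address
```

Two things the evaluator makes visible that a read-through does not. The BGP permit matches only when the peer's source port is 179, so a session the peer opens toward port 179 on this router (peer source port ephemeral) falls through to the per-host deny and is logged. And ordering matters: the ICMP echo permit sits before the per-host deny, so a ping is answered while any other ICMP type to the same address (an nmap timestamp probe, say) is dropped; swap those two entries and pings stop too.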

I have looked through the ACL and do not see any particular problems. Knowing whether it is really doing the right things requires knowledge of the particular situation which only you have. In particular I did look at the section filter all ip traffic to interfaces. It lists 8 specific hosts to which all traffic will be denied. In what way do you feel that this might be hosed up?

Your original question mentioned some concern that nmap probes were getting through. There is not anything particular in this ACL to deal with nmap probes and indeed an ACL is not a very effective way to deal with nmap probes. Is there anything else to believe that the ACL is not accomplishing what it should?

HTH

Rick

The 8 specific hosts are the ethernet interfaces of the router, none of which should be reachable from the internet. Somehow the udp and tcp scans are getting past that portion of the ACL.

Basically I am trying to minimize my exposure on the internet to the bare minimum needed for operation.