[comp.dcom.sys.cisco] access list help

lumm@vax1.cc.lehigh.edu (03/08/91)

Hello,

We will shortly be installing a cisco IGS as a campus firewall router.
I'm currently trying to come up with an access list of things to allow and
deny using bits and pieces from this list and other places. I would
like suggestions on what to filter or not to filter onto our campus
network.

I've enclosed what I've got so far below. Basically we are filtering
all external access from certain subnets and 2 terminal servers, while
only certain ports to the rest of the network.

Comments on it and other examples are welcomed!

thanks,
mark

----------
!
! Deny all traffic from 128.180.12 subnet (m180 user's area)
!
access-list 100 deny ip 128.180.12.0 0.0.0.255 0.0.0.0 255.255.255.255
!
! Deny all traffic from 128.180.16 subnet (RBC)
!
access-list 100 deny ip 128.180.16.0 0.0.0.255 0.0.0.0 255.255.255.255
!
! Deny all traffic from dial-up terminal servers
!
access-list 100 deny ip 128.180.2.12 0.0.0.0 0.0.0.0 255.255.255.255
access-list 100 deny ip 128.180.2.20 0.0.0.0 0.0.0.0 255.255.255.255
!
! Deny incoming/outgoing print requests
!
access-list 100 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 35
access-list 100 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 515
!
! Deny incoming/outgoing NFS requests
!
access-list 100 deny udp 0.0.0.0 255.255.255.255 128.180.0.0 0.0.255.255 eq 2049
access-list 100 deny tcp 0.0.0.0 255.255.255.255 128.180.0.0 0.0.255.255 eq 111
!
! Permit incoming UDP packets to the domain port
!
access-list 100 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
!
! Deny other incoming UDP packets with low port numbers
!
access-list 100 deny udp 0.0.0.0 255.255.255.255 128.180.0.0 0.0.255.255 lt 1024
!
! Permit anything else...
!
access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
-- 
-----------------------------------------------------------------------------
Mark Miller
Network Analyst                           lumm@spot.CC.Lehigh.EDU
Lehigh University Computing Center        LUMM@VAX1.CC.Lehigh.EDU
Bethlehem, PA 18015                       LUMM@LEHIIBM1 (Bitnet)
-----------------------------------------------------------------------------
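Added example, not part of Mark's post: a small Python first-match evaluator for the extended access list above, to check which constructed packets it permits or denies (192.0.2.10 is an assumed off-campus address; the parser only handles the eq/lt port operators the list uses).

```python
# Added example (not from the post): a first-match evaluator for the extended
# access list above, used to check what constructed packets it permits or denies.
import ipaddress

ACL = """\
access-list 100 deny ip 128.180.12.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 100 deny ip 128.180.16.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 100 deny ip 128.180.2.12 0.0.0.0 0.0.0.0 255.255.255.255
access-list 100 deny ip 128.180.2.20 0.0.0.0 0.0.0.0 255.255.255.255
access-list 100 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 35
access-list 100 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 515
access-list 100 deny udp 0.0.0.0 255.255.255.255 128.180.0.0 0.0.255.255 eq 2049
access-list 100 deny tcp 0.0.0.0 255.255.255.255 128.180.0.0 0.0.255.255 eq 111
access-list 100 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
access-list 100 deny udp 0.0.0.0 255.255.255.255 128.180.0.0 0.0.255.255 lt 1024
access-list 100 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so only compare the 0 bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse(text):
    """Fields: access-list <n> <action> <proto> <src> <swild> <dst> <dwild> [op port]."""
    rules = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        port_test = (f[8], int(f[9])) if len(f) > 8 else None
        rules.append((f[2], f[3], f[4], f[5], f[6], f[7], port_test))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule_index) of the first match; implicit deny if none matches."""
    for i, (action, rproto, s, sw, d, dw, port_test) in enumerate(rules):
        if rproto not in ("ip", proto):            # "ip" rules match every protocol
            continue
        if not (wild_match(src, s, sw) and wild_match(dst, d, dw)):
            continue
        if port_test:
            op, value = port_test
            if dport is None or not {"eq": dport == value, "lt": dport < value}[op]:
                continue
        return action, i
    return "deny", None  # every Cisco access list ends with an implicit deny

RULES = parse(ACL)
if __name__ == "__main__":  # constructed packets; 192.0.2.10 stands in for an off-campus host
    print(evaluate(RULES, "udp", "128.180.12.5", "192.0.2.10", 53))   # ('deny', 0): subnet deny wins over DNS permit
    print(evaluate(RULES, "udp", "192.0.2.10", "128.180.5.5", 123))   # ('deny', 9): low UDP port into campus
    print(evaluate(RULES, "tcp", "192.0.2.10", "128.180.5.5", 2049))  # ('permit', 10): only UDP 2049 is filtered
```

The last case shows why ordering and protocol matter: the NFS rule covers UDP 2049 only, so TCP to that port falls through to the final permit.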