Following is a basic access control list template (Cisco IOS extended ACL syntax) for a border router positioned between your local site and the Internet. I recommend you apply an ACL of this type inbound on the Internet-facing interface (as a named extended ACL bound with `ip access-group ... in`) to filter all traffic arriving from the Internet. Before planning your network security policies, review RFC 1918 (private address space), RFC 2196 (Site Security Handbook), RFC 2827 (ingress filtering against source-address spoofing, BCP 38) and RFC 3013 (recommended ISP security services and procedures). Rob Thomas maintains a current list of the bogons and also publishes a full IOS template of his own.

Three caveats before you copy this. First, the bogon entries below are a snapshot of the list as it stood when this was written. Entries that only cover unallocated space go stale: IANA assigned its last free /8 blocks in February 2011, so every such entry here now covers legitimately assigned networks and would drop real traffic if used verbatim. Only the RFC-reserved entries (the RFC 1918 ranges, 127/8, 169.254/16, 192.0.2/24, 198.18/15 and 224/3) can be hardcoded safely; refresh the rest from a live bogon feed, and note that the first entry (0.0.0.0/7) also covers 1.0.0.0/8, which is no longer bogon space. Second, the list ends with `permit ip any any`, so this is a hygiene filter that drops obviously bogus or LAN-only traffic, not a default-deny firewall, and the ICMP source-quench permit can be dropped today since RFC 6633 deprecated that message type. Third, `log-input` on every deny punts each matching packet to the route processor; rate-limit ACL logging (`ip access-list logging interval` or `logging rate-limit`) so a flood of spoofed packets cannot exhaust the router CPU.
remark *** bogons (bogus outside networks)
deny ip 0.0.0.0 1.255.255.255 any log-input
deny ip 2.0.0.0 0.255.255.255 any log-input
deny ip 5.0.0.0 0.255.255.255 any log-input
deny ip 7.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 23.0.0.0 0.255.255.255 any log-input
deny ip 27.0.0.0 0.255.255.255 any log-input
deny ip 31.0.0.0 0.255.255.255 any log-input
deny ip 36.0.0.0 1.255.255.255 any log-input
deny ip 39.0.0.0 0.255.255.255 any log-input
deny ip 41.0.0.0 0.255.255.255 any log-input
deny ip 42.0.0.0 0.255.255.255 any log-input
deny ip 49.0.0.0 0.255.255.255 any log-input
deny ip 50.0.0.0 0.255.255.255 any log-input
deny ip 58.0.0.0 1.255.255.255 any log-input
deny ip 60.0.0.0 0.255.255.255 any log-input
deny ip 70.0.0.0 1.255.255.255 any log-input
deny ip 72.0.0.0 7.255.255.255 any log-input
deny ip 82.0.0.0 1.255.255.255 any log-input
deny ip 84.0.0.0 3.255.255.255 any log-input
deny ip 88.0.0.0 7.255.255.255 any log-input
deny ip 96.0.0.0 31.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 197.0.0.0 0.255.255.255 any log-input
deny ip 198.18.0.0 0.1.255.255 any log-input
deny ip 201.0.0.0 0.255.255.255 any log-input
deny ip 222.0.0.0 1.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
remark *** protocols
remark *** legacy small services no longer used
deny tcp any any range 0 19 log-input
deny udp any any range 0 19 log-input
remark *** snmp
deny tcp any any range 161 162 log-input
deny udp any any range 161 162 log-input
deny tcp any any eq 199 log-input
deny udp any any eq 199 log-input
deny tcp any any eq 391 log-input
deny udp any any eq 391 log-input
deny tcp any any eq 705 log-input
deny udp any any eq 705 log-input
deny tcp any any eq 1993 log-input
deny udp any any eq 1993 log-input
remark *** lan-only dhcp and tftp
deny udp any any range 67 69 log-input
deny tcp any any range 67 69 log-input
remark *** microsoft netbios
deny tcp any any range 135 139 log-input
deny udp any any range 135 139 log-input
deny tcp any any eq 445 log-input
deny udp any any eq 445 log-input
remark *** unix rpc
deny tcp any any eq 111 log-input
deny udp any any eq 111 log-input
remark *** lan-only unix services
deny tcp any any range 511 515 log-input
deny udp any any range 511 515 log-input
remark *** ircd
deny tcp any any eq 6667 log-input
deny udp any any eq 6667 log-input
remark *** icmp fragments
deny icmp any any fragments log-input
remark *** inbound ping
permit icmp any any echo
remark *** inbound ping response
permit icmp any any echo-reply
remark *** path MTU to function
permit icmp any any packet-too-big
remark *** flow control
permit icmp any any source-quench
remark *** time exceeded messages for traceroute and loops
permit icmp any any time-exceeded
remark *** block all other ICMP packets
deny icmp any any log-input
remark *** permit everything else
permit ip any any
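The wildcard masks above are inverted subnet masks, and the only way to keep a list like this honest is to regenerate it from a current source and to check which entries are reserved by RFC rather than merely unallocated. The following Python is an added example, not code from the original post or from Rob Thomas's template. It converts CIDR prefixes to IOS wildcard masks and back (rejecting the non-contiguous wildcards IOS tolerates but which do not denote one prefix), emits deny lines in the format used above, and audits a pasted ACL, labelling each source-prefix entry as RFC-reserved (safe to hardcode), mixed (covers reserved space plus allocatable space, so it should be narrowed), or allocation-dependent (only unallocated when written, so it must be refreshed). The reserved set deliberately includes special-purpose prefixes registered after this post (RFC 5737 documentation nets, RFC 6598 shared address space), and the sample ACL is a constructed subset of the entries above.

```python
"""Generate and audit IOS-style bogon ACL entries (added example, not the original post's code)."""
import ipaddress

# Constructed sample: a subset of the lines from the template above.
SAMPLE_ACL = """\
remark *** bogons (bogus outside networks)
deny ip 0.0.0.0 1.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 23.0.0.0 0.255.255.255 any log-input
deny ip 72.0.0.0 7.255.255.255 any log-input
deny ip 96.0.0.0 31.255.255.255 any log-input
deny ip 198.18.0.0 0.1.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny tcp any any range 0 19 log-input
permit ip any any
"""

# IPv4 space that is a bogon by RFC regardless of allocation state: RFC 1918
# private ranges, RFC 6890 special-purpose entries (including the RFC 5737
# documentation nets and RFC 6598 shared space, both later than this post),
# RFC 2544 benchmarking, multicast and Class E. Adjacent blocks are merged.
RFC_RESERVED = list(ipaddress.collapse_addresses(
    ipaddress.IPv4Network(p) for p in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
        "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
        "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    )
))


def cidr_to_wildcard(prefix):
    """72.0.0.0/5 -> ('72.0.0.0', '7.255.255.255'); IOS wildcards are inverted masks."""
    net = ipaddress.IPv4Network(prefix, strict=True)  # raises if host bits are set
    return str(net.network_address), str(net.hostmask)


def wildcard_to_cidr(addr, wildcard):
    """Inverse of cidr_to_wildcard. IOS also accepts non-contiguous wildcards such
    as 0.255.0.255, but those do not describe one prefix, so they are rejected."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # contiguous low bits <=> wc + 1 is a power of two
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=True)


def acl_line(prefix, log=True):
    """One extended-ACL entry denying packets *sourced* from prefix."""
    addr, wc = cidr_to_wildcard(prefix)
    src = f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"  # /32 uses 'host'
    return f"deny ip {src} any" + (" log-input" if log else "")


def classify(net):
    """'reserved': inside RFC special-purpose space, safe to hardcode.
    'mixed': overlaps reserved space but also covers allocatable space; narrow it.
    'allocation-dependent': only unallocated when written. IANA assigned its
    last free /8s in February 2011, so such entries now drop legitimate traffic."""
    if any(net.subnet_of(r) for r in RFC_RESERVED):
        return "reserved"
    if any(net.overlaps(r) for r in RFC_RESERVED):
        return "mixed"
    return "allocation-dependent"


def narrowed(net):
    """Reserved sub-prefixes a 'mixed' entry should be replaced with."""
    return [str(r) for r in RFC_RESERVED if r.subnet_of(net)]


def audit(acl_text):
    """Parse source-prefix deny lines ('deny ip <net> <wildcard> any ...' or
    'deny ip host <addr> any ...'); skip remarks, port rules and permits.
    Returns [(prefix, label, narrowed replacements)]."""
    report = []
    for raw in acl_text.splitlines():
        p = raw.split()
        if len(p) < 5 or p[:2] != ["deny", "ip"] or p[4] != "any":
            continue
        if p[2] == "host":
            net = ipaddress.IPv4Network(p[3] + "/32")
        else:
            net = wildcard_to_cidr(p[2], p[3])
        label = classify(net)
        report.append((str(net), label, narrowed(net) if label == "mixed" else []))
    return report


if __name__ == "__main__":
    for prefix, label, repl in audit(SAMPLE_ACL):
        print(f"{prefix:<18} {label}")
        for r in repl:  # suggested replacement lines for 'mixed' entries
            print(f"    -> {acl_line(r)}")
```

Run against the full list above, the audit marks 0.0.0.0/7 and 96.0.0.0/3 as mixed (they should shrink to 0/8 and to 100.64/10 plus 127/8 respectively) and every former "unallocated /8" entry as allocation-dependent; feed a current bogon list through `acl_line` instead of editing the template by hand.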
Tuesday, March 13, 2007