Ascend Archive

Re: (ASCEND) Generic filter for NON-ASCEND equipment:



On Wed, 24 Jun 1998, Shaun Ledford murmured something resembling:
>>Hello All:
>
>Using AAC for my MAX 4000 and some CISCO products.
>
>Is there a generic equivalent to the following that will work on a
>Ascend and a NON
>Ascend NAS?
>----------------------------------------
>Ascend-Data-Filter = "ip out drop tcp dstport = 8080",
>Ascend-Data-Filter = "ip out drop tcp dstport = 80",
>Ascend-Data-Filter = "generic in forward 0 0 0",
>Ascend-Data-Filter = "generic out forward 0 0 0"
>----------------------------------------
>
>BTW - TCP port 80 and 8080 are used for Web proxy.

I am unaware of a "generic" which will work on both platforms because of the way
that each handles packet filtering.  I am presuming that you are trying to add
this filter to prevent dialup users from running their own web / proxy servers?

If this is the case, I use a simple filter set on our core router (a cisco).
We prevent dialup users from giving outside access to "common server" protocols
from their dialup sessions.  This also helps alleviate the potential problems of
insecure "WinGates".

- presuming your ip block is 1.2.3.0/24 -

access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 21 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 23 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 25 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 53 log
access-list 101 deny udp any 1.2.3.0 0.0.0.255 eq 53 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 80 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 1080 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 8080 log
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
access-list 101 permit ip any any

; 21, 23, 25 are pretty obvious
; 53 == nameserver - useful if you happen to have
; 'lamers' who try to do dns spoofing by exploiting 
; bind cache bugs..
; 1080 - known listening port for wingate
; 80 / 8080 - web, of course.
; established will permit connections on any of these
; ports provided that it was an outgoing connection
; and the client-side listening socket happens to coincide
; with one of these ports.

It obviously doesn't stop all potential servers, and only blocks 
access to them if the path is via the core router (in other words, being
accessed by someone outside our network).

If I misunderstood exactly what you were trying to do here, then forgive 
the off-topic reply.

Regards,

--
Leland E. Vandervort                       | Network Engineer
leland@discpro.org / leland@innotts.com    | internet in nottingham, ltd
http://www.discpro.org/~leland/            | http://www.innotts.co.uk/
Undernet NA Routing-Com Secretary          | +44 (0)115 956-2288
------------------------------------------------------------------------
      UK KDE Web Site Mirror Maintainer:  http://kde.innotts.com/
        IRC Operator: (Undernet)  Baltimore, London, Ann-Arbor
IRC Operator/Admin/Services Coder: (KidsWorld) Notts.UK.EU.KidsWorld.Org
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
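As an added illustration (not part of the original message, and not Cisco software), the following Python evaluator applies IOS first-match semantics to the access-list quoted above and reports the action and log flag for a few constructed packets; 1.2.3.77 (a dialup user) and 203.0.113.9 (an outside host) are made-up addresses.

```python
import ipaddress

ACL_TEXT = """
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 21 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 23 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 25 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 53 log
access-list 101 deny udp any 1.2.3.0 0.0.0.255 eq 53 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 80 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 1080 log
access-list 101 deny tcp any 1.2.3.0 0.0.0.255 eq 8080 log
access-list 101 permit tcp any 1.2.3.0 0.0.0.255 established
access-list 101 permit ip any any
"""

def _addr(t, i):
    # 'any', or 'A.B.C.D WILDCARD': a set wildcard bit means "don't care"
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2

def _match(addr, spec):
    return (int(ipaddress.ip_address(addr)) & ~spec[1]) == (spec[0] & ~spec[1])

def parse_acl(text):
    rules = []  # each entry: (action, proto, src, dst, port, established, log)
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[2], t[3], src, dst, port, "established" in t, "log" in t))
    return rules

def evaluate(rules, proto, src, dst, dport, ack=False):
    """IOS semantics: first matching entry wins; an ACL ends with an implicit deny."""
    for action, rproto, rsrc, rdst, port, established, log in rules:
        if (rproto in ("ip", proto) and _match(src, rsrc) and _match(dst, rdst)
                and port in (None, dport) and (not established or (proto == "tcp" and ack))):
            return action, log
    return "deny", False

def demo():
    r = parse_acl(ACL_TEXT)  # constructed packets: outside host -> dialup user
    return {
        "outside_syn_to_user_80": evaluate(r, "tcp", "203.0.113.9", "1.2.3.77", 80),
        "outside_udp_to_user_53": evaluate(r, "udp", "203.0.113.9", "1.2.3.77", 53),
        "outside_syn_to_user_443": evaluate(r, "tcp", "203.0.113.9", "1.2.3.77", 443),
        "reply_to_user_ephemeral": evaluate(r, "tcp", "203.0.113.9", "1.2.3.77", 40000, ack=True),
        # the port-80 deny precedes the 'established' line, so even an ACK-bearing reply is dropped
        "reply_to_user_port_80": evaluate(r, "tcp", "203.0.113.9", "1.2.3.77", 80, ack=True),
    }
```

Traffic from the dialup block outward never matches the deny lines (their destination is 1.2.3.0/24), so it falls through to the final `permit ip any any`.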