It seems like on Tue, Jul 25, 2000 at 11:15:29AM -0700, Mike Starke scribbled:
Orig Msg> I too would be interested if you wouldn't mind
Orig Msg> passing along the info.
Orig Msg>
Orig Msg> On Tue, Jul 25, 2000 at 10:49:17AM -0700, Joel Dudley wrote:
Orig Msg> This is exactly what I was looking for! Thanks a ton. I thank you for your
Orig Msg> generosity. I wish there were a way for me to return the favor.
Orig Msg>
Orig Msg> - Joel

Standard Fee:
  1 - suckling pig
  1 - yearling goat

Perform standard RFC compliant ritual sacrifice as needed until I am pleased :)

NOTE: No burnt offerings as I am trying to quit smoking.

==============================================
Sample Cisco ACL to block an incoming port
==============================================

Here's an extended access list you would use to block netblocks from reaching
your Windows Boxen. I'm choosing to use an access-list id of 130 just for
example.

--- go into config mode
Router#config term

--- clear the access list if it existed
Router(config)#no access-list 130

--- allow established connections (this is generally a good idea)
Router(config)#access-list 130 permit tcp any any established

--- allow connections from trusted networks to anywhere (class-C)
Router(config)#access-list 130 permit tcp 204.99.99.0 0.0.0.255 any

--- ... and a class-B - notice access-lists use wildcard masks - the
--- exact opposite of netmasks.
Router(config)#access-list 130 permit tcp 149.11.0.0 0.0.255.255 any

--- start denying evil connections (153.34.0.0-153.35.255.255)
Router(config)#access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139

--- (153.36.0.0-153.37.255.255)
Router(config)#access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139

--- (208.250.0.0-208.251.255.255)
Router(config)#access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139

--- (208.252.0.0-208.255.255.255)
Router(config)#access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139

--- ALLOW everything else - without this, nothing will get through.
Router(config)#access-list 130 permit ip any any

--- Now select the interface you want to filter at, pref. the one connected
--- to your upstream provider...
Router(config)#int s0

--- apply access list 130 to this interface, for incoming packets only
Router(config-if)#ip access-group 130 in

--- exit and save to nvram
Router(config-if)#exit
Router(config)#exit
Router#write mem

--- or use 'copy running startup'

Now you'll be blocking all tcp connections from anywhere in those netblocks to
any internal host on port 139. If you want nothing at all to get thru the
router to 139 then substitute 0.0.0.0 for the IP blocks I used in the example
above.

HTH. HAND.

Jean Francois Sends...
President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
Director Of Managed Services - OpNIX,Inc., www.opnix.com
OpNIX - Simply Better Bandwidth
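Added example, not part of the original message and not IOS code: a small Python model of the extended-ACL semantics the access list above relies on (wildcard masks where a 1 bit means "don't care", top-down first match, and the implicit deny that makes the trailing "permit ip any any" necessary). It parses access-list 130 exactly as posted and evaluates constructed sample packets against it; the internal host 10.0.0.5 and all helper names are my assumptions. It also includes a check for the wildcard-mask trick used in the post, i.e. that 153.34.0.0 0.1.255.255 covers exactly two /16s and that a range which is not an aligned power-of-two block needs more than one entry.

```python
"""Offline model of the Cisco IOS extended-ACL semantics used by access-list 130
above: wildcard masks (1 = don't care), top-down first match, implicit deny.
Added example; it is not IOS code and runs on Python 3 without a router."""
import ipaddress

# The access list exactly as posted, minus the 'no access-list 130' reset line.
ACL_130 = """
access-list 130 permit tcp any any established
access-list 130 permit tcp 204.99.99.0 0.0.0.255 any
access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
access-list 130 permit ip any any
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_match(addr, base, wildcard):
    """True if addr falls inside base/wildcard: only the 0 bits of the wildcard
    are compared, which is the inverse of how a subnet mask is read."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def is_aligned_block(first, last):
    """A range fits one ACL entry only if its size is a power of two and its
    first address sits on that boundary (e.g. 153.34.0.0-153.35.255.255)."""
    f, l = to_int(first), to_int(last)
    span = l - f  # equals the wildcard mask when the block is aligned
    return l >= f and not (span + 1) & span and not f & span

def wildcard_for_range(first, last):
    """Wildcard covering exactly first..last; raises if two entries are needed."""
    if not is_aligned_block(first, last):
        raise ValueError(f"{first}-{last} is not one aligned block; split it")
    return to_dotted(to_int(last) - to_int(first))

def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return ((base, wc), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]' lines.
    Only numeric ports and the keywords used in the post are supported."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        rule = {"action": t[2], "proto": t[3], "dport": None, "established": False}
        rule["src"], i = _parse_addr(t, 4)
        rule["dst"], i = _parse_addr(t, i)
        while i < len(t):
            if t[i] == "eq":
                rule["dport"], i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                rule["established"], i = True, i + 1
            else:
                raise ValueError(f"unsupported token {t[i]!r} in: {line}")
        rules.append(rule)
    return rules

def evaluate(rules, proto, src, dst, dport=None, established=False):
    """Walk the ACL top-down and return (action, index) of the first entry that
    matches, or ('deny', None) for the implicit deny IOS appends to every ACL."""
    for idx, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not (wildcard_match(src, *r["src"]) and wildcard_match(dst, *r["dst"])):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["established"] and not established:
            continue
        return r["action"], idx
    return "deny", None

if __name__ == "__main__":
    rules = parse_acl(ACL_130)
    # Constructed sample packets; 10.0.0.5 stands in for an internal Windows box.
    for pkt in [("tcp", "153.35.12.7", "10.0.0.5", 139),   # inside a denied block
                ("tcp", "153.35.12.7", "10.0.0.5", 445),   # same source, other port
                ("tcp", "208.249.1.1", "10.0.0.5", 139)]:  # just outside 208.250/15
        print(pkt, "->", evaluate(rules, *pkt))
    print(wildcard_for_range("208.252.0.0", "208.255.255.255"))  # 0.3.255.255
```

Dropping the last entry of ACL_130 before parsing shows the implicit deny: a DNS query over udp/53 that the full list permits is silently denied, which is the failure mode the "without this, nothing will get through" comment warns about.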