How about some land and titles in Northern Wisconsin? I can also give you the hand of my firstborn daughter in marriage and a dowry of llamas and pigs. That is all I have to work with here. OK, sorry for the silly post, but the caffeine is at peak concentration in my blood.

- Joel

----- Original Message -----
From: "J.L.Francois"
To:
Sent: Tuesday, July 25, 2000 11:49 AM
Subject: Re: off topic: Cisco access lists

> It seems like on Tue, Jul 25, 2000 at 11:15:29AM -0700, Mike Starke scribbled:
> Orig Msg> I too would be interested if you wouldn't mind
> Orig Msg> passing along the info.
> Orig Msg>
> Orig Msg> On Tue, Jul 25, 2000 at 10:49:17AM -0700, Joel Dudley wrote:
> Orig Msg> This is exactly what I was looking for! Thanks a ton. I thank you for your
> Orig Msg> generosity. I wish there were a way for me to return the favor.
> Orig Msg>
> Orig Msg> - Joel
>
> Standard Fee:
> 1 - suckling pig
> 1 - yearling goat
> Perform standard RFC compliant ritual sacrifice as
> needed until I am pleased :)
> NOTE: No burnt offerings as I am trying to quit smoking.
>
> ==============================================
> Sample Cisco ACL to block an incoming port
> ==============================================
>
> Here's an extended access list you would use to block netblocks from
> reaching your Windows Boxen.
> I'm choosing to use an access-list id of 130 just for example.
>
> --- go into config mode
> Router#config term
> --- clear the access list if it existed
> Router(config)#no access-list 130
> --- allow established connections (this is generally a good idea)
> Router(config)#access-list 130 permit tcp any any established
> --- allow connections from trusted networks to anywhere (class-C)
> Router(config)#access-list 130 permit tcp 204.99.99.0 0.0.0.255 any
> --- ... and a class-B - notice access-lists use wildcard masks - the
> --- exact opposite of netmasks.
> Router(config)#access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
> --- start denying evil connections (153.34.0.0-153.35.255.255)
> Router(config)#access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
> --- (153.36.0.0-153.37.255.255)
> Router(config)#access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
> --- (208.250.0.0-208.251.255.255)
> Router(config)#access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
> --- (208.252.0.0-208.255.255.255)
> Router(config)#access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
> --- ALLOW everything else - without this, nothing will get through.
> Router(config)#access-list 130 permit ip any any
> --- Now select the interface you want to filter at, pref. the one connected
> --- to your upstream provider...
> Router(config)#int s0
> --- apply access list 130 to this interface, for incoming packets only
> Router(config-if)#ip access-group 130 in
> --- exit and save to nvram
> Router(config-if)#exit
> Router(config)#exit
> Router#write mem
> --- or use 'copy running startup'
>
> Now you'll be blocking all tcp connections from anywhere in those netblocks
> to any internal host on port 139.
> If you want nothing at all to get thru the router to 139 then substitute
> 0.0.0.0 for the IP blocks I used in the example above.
>
>
> HTH. HAND.
> Jean Francois Sends...
> President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
> Director Of Managed Services - OpNIX,Inc., www.opnix.com
> OpNIX - Simply Better Bandwidth
>
>
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
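As an added example (not part of the thread above), the Python below models the two things the quoted ACL relies on: wildcard masks as the inverse of netmasks, and first-match evaluation ending in the implicit deny. The ACL 130 lines are taken from the post; the tuple layout, packet fields and helper names are this example's own, not an IOS format.

```python
import ipaddress

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def wildcard_from_cidr(cidr: str) -> str:
    """Wildcard is the inverse of the netmask: 204.99.99.0/24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(cidr).hostmask)

def wildcard_for_range(first: str, last: str) -> str:
    """Wildcard for an aligned block, e.g. 153.34.0.0-153.35.255.255 -> 0.1.255.255.
    Raises if the range is not one aligned block (it would need several ACL lines)."""
    f, l = (int(ipaddress.IPv4Address(x)) for x in (first, last))
    w = f ^ l
    if (w & (w + 1)) or (f & w):   # don't-care bits must be a low contiguous run, first aligned to it
        raise ValueError(f"{first}-{last} is not a single wildcard block")
    return str(ipaddress.IPv4Address(w))

# Access list 130 from the post as (action, proto, src, src_wildcard, dst_port, established_only).
# None means 'any'; this tuple layout is the example's own, not an IOS format.
ACL_130 = [
    ("permit", "tcp", "0.0.0.0",     "255.255.255.255", None, True),   # permit tcp any any established
    ("permit", "tcp", "204.99.99.0", "0.0.0.255",       None, False),  # trusted class-C
    ("permit", "tcp", "149.11.0.0",  "0.0.255.255",     None, False),  # trusted class-B
    ("deny",   "tcp", "153.34.0.0",  "0.1.255.255",     139,  False),
    ("deny",   "tcp", "153.36.0.0",  "0.1.255.255",     139,  False),
    ("deny",   "tcp", "208.250.0.0", "0.1.255.255",     139,  False),
    ("deny",   "tcp", "208.252.0.0", "0.3.255.255",     139,  False),
    ("permit", "ip",  "0.0.0.0",     "255.255.255.255", None, False),  # permit ip any any
]

def evaluate(acl, proto: str, src: str, dport: int, established: bool = False) -> str:
    """First matching line wins; no match falls through to IOS's implicit deny."""
    for action, p, base, wc, port, est_only in acl:
        if p != "ip" and p != proto:
            continue
        if est_only and not established:
            continue
        if port is not None and port != dport:
            continue
        if wildcard_matches(src, base, wc):
            return action
    return "deny"   # the implicit 'deny any' at the end of every IOS access list

if __name__ == "__main__":
    for pkt in [("tcp", "153.35.1.1", 139), ("tcp", "153.35.1.1", 80), ("tcp", "208.255.9.9", 139)]:
        print(pkt, "->", evaluate(ACL_130, *pkt))
```

Dropping the final `permit ip any any` line from `ACL_130` makes every unmatched packet fall to the implicit deny, which is the behaviour the post warns about; the `established` line also shows why line order matters, since a matching established segment is permitted before the deny lines are ever consulted.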