off topic: Cisco access lists

Joel Dudley joel@silverw.com
Tue, 25 Jul 2000 11:53:25 -0700


How about some land and titles in Northern Wisconsin?  I can also give you
the hand of my firstborn daughter in marriage and a dowry of llamas and
pigs.  That is all I have to work with here.  OK, sorry for the silly post,
but the caffeine is at peak concentration in my blood.

- Joel

----- Original Message -----
From: "J.L.Francois" <frenchie@magusnet.gilbert.az.us>
To: <plug-discuss@lists.PLUG.phoenix.az.us>
Sent: Tuesday, July 25, 2000 11:49 AM
Subject: Re: off topic: Cisco access lists


> It seems like on Tue, Jul 25, 2000 at 11:15:29AM -0700, Mike Starke scribbled:
> Orig Msg> I too would be interested if you wouldn't mind
> Orig Msg> passing along the info.
> Orig Msg>
> Orig Msg> On Tue, Jul 25, 2000 at 10:49:17AM -0700, Joel Dudley wrote:
> Orig Msg>  This is exactly what I was looking for!  Thanks a ton.  I thank you for your
> Orig Msg>  generosity.  I wish there were a way for me to return the favor.
> Orig Msg>
> Orig Msg>  - Joel
>
> Standard Fee:
> 1 - suckling pig
> 1 - yearling goat
> Perform standard RFC compliant ritual sacrifice as
> needed until I am pleased :)
> NOTE: No burnt offerings as I am trying to quit smoking.
>
> ==============================================
> Sample Cisco ACL to block an incoming port
> ==============================================
>
> Here's an extended access list you would use to block netblocks from
> reaching your Windows Boxen.
> I'm choosing to use an access-list id of 130 just for example.
>
> ---   go into config mode
> Router#config term
> ---   clear the access list if it existed
> Router(config)#no access-list 130
> ---   allow established connections (this is generally a good idea)
> Router(config)#access-list 130 permit tcp any any established
> ---   allow connections from trusted networks to anywhere (class-C)
> Router(config)#access-list 130 permit tcp 204.99.99.0 0.0.0.255 any
> ---   ... and a class-B - notice access-lists use wildcard masks - the
> ---   exact opposite of netmasks.
> Router(config)#access-list 130 permit tcp 149.11.0.0 0.0.255.255 any
> ---   start denying evil connections (153.34.0.0-153.35.255.255)
> Router(config)#access-list 130 deny tcp 153.34.0.0 0.1.255.255 any eq 139
> ---   (153.36.0.0-153.37.255.255)
> Router(config)#access-list 130 deny tcp 153.36.0.0 0.1.255.255 any eq 139
> ---   (208.250.0.0-208.251.255.255)
> Router(config)#access-list 130 deny tcp 208.250.0.0 0.1.255.255 any eq 139
> ---   (208.252.0.0-208.255.255.255)
> Router(config)#access-list 130 deny tcp 208.252.0.0 0.3.255.255 any eq 139
> ---   ALLOW everything else - without this, nothing will get through.
> Router(config)#access-list 130 permit ip any any
> ---   Now select the interface you want to filter at, pref. the one connected
> ---   to your upstream provider...
> Router(config)#int s0
> ---   apply access list 130 to this interface, for incoming packets only
> Router(config-if)#ip access-group 130 in
> ---   exit and save to nvram
> Router(config-if)#exit
> Router(config)#exit
> Router#write mem
> ---   or use 'copy running startup'
>
> Now you'll be blocking all tcp connections from anywhere in those netblocks
> to any internal host on port 139.
> If you want nothing at all to get thru the router to 139 then substitute
> 0.0.0.0 for the IP blocks I used in the example above.
>
>
> HTH. HAND.
> Jean Francois Sends...
> President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
> Director Of Managed Services - OpNIX,Inc., www.opnix.com
> OpNIX - Simply Better Bandwidth
>
>
>
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
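
The access list quoted above is evaluated top-down, first match wins, with an implicit deny at the end; the wildcard masks are the bitwise inverse of a netmask. The following is an added example (not part of the original thread, and not Cisco code): a small Python evaluator that models those semantics for the posted access-list 130, derives wildcard masks from prefix lengths, and renders entries back into IOS syntax so the result can be compared line for line with the quoted config. The `Ace`/`Packet` classes and all sample packets are constructed for the demonstration; the evaluator covers only the fields the posted list uses (protocol, source, destination port `eq`, `established`).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical helper code for this example; it is not part of Cisco IOS.


def wildcard_from_prefix(prefix_len: int) -> str:
    """Cisco wildcard mask for a /prefix_len: the bitwise inverse of the netmask.
    /15 -> 0.1.255.255, /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; every 0 bit must equal base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp" or "ip" ("ip" matches any protocol)
    src: str                       # "any" or "<base> <wildcard>"
    dst_port: Optional[int] = None # 'eq N' on the destination port, None = no test
    established: bool = False      # matches only TCP segments with ACK or RST set


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"
    ack: bool = False              # True for a reply segment, False for a fresh SYN


def parse_src(src: str) -> Tuple[str, str]:
    if src == "any":
        return "0.0.0.0", "255.255.255.255"
    base, wildcard = src.split()
    return base, wildcard


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    base, wildcard = parse_src(ace.src)
    if not wildcard_match(pkt.src, base, wildcard):
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    if ace.established and not pkt.ack:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry decides; IOS appends an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def render(acl: List[Ace], acl_id: int = 130) -> List[str]:
    """Render entries in IOS 'access-list' syntax (destination is always 'any' here)."""
    lines = []
    for ace in acl:
        parts = [f"access-list {acl_id}", ace.action, ace.proto, ace.src, "any"]
        if ace.dst_port is not None:
            parts += ["eq", str(ace.dst_port)]
        if ace.established:
            parts.append("established")
        lines.append(" ".join(parts))
    return lines


# The posted access-list 130, transcribed entry by entry.
ACL_130 = [
    Ace("permit", "tcp", "any", established=True),
    Ace("permit", "tcp", "204.99.99.0 0.0.0.255"),
    Ace("permit", "tcp", "149.11.0.0 0.0.255.255"),
    Ace("deny", "tcp", "153.34.0.0 0.1.255.255", dst_port=139),
    Ace("deny", "tcp", "153.36.0.0 0.1.255.255", dst_port=139),
    Ace("deny", "tcp", "208.250.0.0 0.1.255.255", dst_port=139),
    Ace("deny", "tcp", "208.252.0.0 0.3.255.255", dst_port=139),
    Ace("permit", "ip", "any"),
]

if __name__ == "__main__":
    for line in render(ACL_130):
        print(line)
    # Constructed sample packets: SYN from a blocked block, SYN from elsewhere,
    # and a reply segment from a blocked block (matched by 'established' first).
    for pkt in (Packet("153.35.7.7", 139), Packet("10.1.2.3", 139),
                Packet("153.34.1.1", 139, ack=True)):
        print(pkt, "->", evaluate(ACL_130, pkt))
```

Two things the evaluator makes visible: because the `established` permit sits above the deny entries, a segment from a listed netblock with ACK set is permitted regardless of port, so the list only stops new inbound connections; and the deny entries name `tcp` only, so a datagram to UDP port 139 from the same netblock falls through to the final `permit ip any any`.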