Date: Wed, 11 Feb 1998 23:07:33 -0600 From: "Jeffrey J. Mountin" <mountin.man@mixcom.com> To: Kevin Day <toasty@home.dragondata.com>, isp@FreeBSD.ORG Subject: Re: Access lists Message-ID: <3.0.3.32.19980211230733.0072d2c8@198.137.186.100> In-Reply-To: <199802112305.RAA05162@home.dragondata.com>
next in thread | previous in thread | raw e-mail | index | archive | help
At 05:05 PM 2/11/98 -0600, Kevin Day wrote: > >This really has little to do with FreeBSD, but more towards ISP's... > >1) If you're not filtering your outgoing packets with router access lists, a >firewall, or anything else. Please do. Make sure packets from your class C >(or whatever else you may have) are the only things getting out. Some think of the incoming to protect their network, but forget about the friendly-neighbor part and don't filter outgoing. >2) You improve your own security by quite a bit by filtering what comes in >to you. Don't let your router accept packets that look like they're form >your class C, from the wrong side of the net, don't accept any packets from >127.*.*.*, or any broadcast addresses... > >If you've got a cisco, here's a sample configuration. > >interface Serial0 > ip access-group 101 in > ip access-group 102 out >! >no access-list 102 >no access-list 101 > >access-list 101 deny ip 204.137.237.0 0.0.0.255 any >! replace 204.137.237.0 with your class C address. I fyou dont' have a class >! C, you'll have to change the netmask that follows it. > >access-list 101 deny ip 127.0.0.0 0.255.255.255 any >! Don't let people spoof the loopback addresses. > >access-list 101 deny ip 10.0.0.0 0.255.255.255 any >access-list 101 deny ip 172.16.0.0 0.15.255.255 any >access-list 101 deny ip 192.168.0.0 0.0.255.255 any >!Don't let people spoof, or otherwise use 'internal/test' IP's. > >access-list 101 deny ip any 0.0.0.255 255.255.255.0 >access-list 101 deny ip any 0.0.0.0 255.255.255.0 >! Don't let people use .255 or .0 addresses. >access-list 101 permit ip any any > > >access-list 102 permit ip 204.137.237.0 0.0.0.255 any >!Only let my IP range out, nothing more. > >access-list 102 deny ip any any A good start, but blocking sensitive ports or those that should be internal only, like NFS: acce 100 deny tcp any any eq 520 log acce 100 deny udp any any eq 520 log acce 100 deny tcp any any eq 2049 log acce 100 deny udp any any eq 2049 log acce 100 deny tcp any any eq 111 log acce 100 deny udp any any eq 111 log (uucp has to come through SMTP and the proxy handling it) acce 100 deny udp any any eq 1645 log acce 100 deny udp any any eq 1646 log Not to mention telnet ports to the routers and such, SNMP, NIS (if in use), syslog, etc. Also a good idea to only allow SMTP to either you mail server(s) or hub(s), so they don't decide to relay off say your web server. DNS zone transfers should only be allowed from trusted servers: acce 100 permit tcp <trusted_server> any eq 53 >For those of you not convinced that each of those are needed, here's a >report after only 2 days of use. I saw a lot for 2049 and 520. Before it was filtered an NFS attack all but killed one server. Load of 100+ and it was rebooted, after a long time logging in, typing, and waiting for a response. >Does anyone have any suggestions for any other lines to add? Sure. Fine the incoming filter at the router is coming along, but what about dial-in users? Not good to let dial-in have access to some ports and often overlooked. If you don't use something, get it out of inetd.conf, fer gossake. Oh, your dial-in equipment should prevent spoofing and block ports locally that you don't want them accessing as well. To be an even better "neighbor" the outgoing could prevent sensitive ports as well as spoofing. Don't see any reason to let the dangerous 3 (512, 513, 514) out of the network and wonder why anyone would allow them inbound. Same for RADIUS, NIS, etc, but one could also have the if they don't bother, f' em. Now what about spamming. This could very well piss off users that dial-in elsewhere as well. Besides allowing incoming SMTP to only the server(s) that you want used. Dial-in users could be forced to only use local SMTP servers, preventing relaying off other servers for spamming. Along with blocking relay this is something that should be used, but may meet a lot of resistance in an ISP environment. Never did it myself, but very seriously though of doing so. >If you don't know your way around a Cisco's config, don't blindly go adding >things. :) Have your Cisco guru do it, rather than killing me later. :) Order is important as well. With some tweaking a 'estab' can tighten things even more, but takes some thought for an ISP filter. >This e-mail comes form frustration out of people spoofing like crazy lately. >:) Just the glorified baby-sitting involved when running an ISP. I'm more ruthless dealing with a private network now. Either way I have large filters. ;) Jeff Mountin - Unix Systems TCP/IP networking mountin.man@mixcom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.3.32.19980211230733.0072d2c8>