Edge router frewall

munawar.zeeshan · ‎06-23-2008

I have made an ACL to be applied to an edge router of an ISP. Please review and comments.

I am a bit confused about the first line.abut permitting established connections.Is its placement ok and if i need it?

Plz comments

access-list 110 permit tcp any any established

access-list 110 deny ip 127.0.0.0 0.255.255.255 any

access-list 110 deny ip 192.0.2.0 0.0.0.255 any

access-list 110 deny ip 224.0.0.0.0 255.255.255 any

access-list 110 deny ip host 255.255.255.255 any

access-list 110 deny ip host 0.0.0.0 any

access-list 110 deny ip 10.0.0.0 0.255.255.255 any

access-list 110 deny ip 172.16.0.0 0.15.255.255 any

access-list 110 deny ip 192.168.0.0 0.0.255.255 any

access-list 110 deny ip your Internet-routable subnet any

access-list 101 deny tcp any any eq 69

deny tcp any any eq 135

deny tcp any any eq 137

deny tcp any any eq 138

deny tcp any any eq 139

deny tcp any any eq 445

deny udp any any eq 445

access-list 101 deny tcp any any eq 161

access-list 101 deny tcp any any eq 162

access-list 101 deny tcp any any eq 1016

access-list 101 deny udp any any eq 1016

access-list 101 deny tcp any any eq 1120

access-list 101 deny tcp any any eq 1243

access-list 101 deny udp any any eq 1434

access-list 101 deny tcp any any eq 2048

access-list 101 deny udp any any eq 2048

access-list 101 deny udp any any eq 2140

access-list 101 deny udp any any eq 3150

access-list 101 deny tcp any any eq 4444

access-list 101 deny tcp any any eq 5554

access-list 101 deny udp any any eq 5554

access-list 101 deny tcp any any eq 6711

access-list 101 deny tcp any any eq 6776

access-list 101 deny tcp any any eq 7300

access-list 101 deny tcp any any eq 7597

access-list 101 deny tcp any any eq 9996

access-list 101 deny udp any any eq 9996

access-list 101 deny tcp any any eq 11000

access-list 101 deny tcp any any eq 21554

access-list 101 deny tcp any any eq 27374

access-list 101 deny udp any any eq 31337

access-list 101 deny tcp any any eq 31338

access-list 101 deny tcp any any eq 31339

access-list 110 permit icmp any any echo-reply

access-list 110 permit icmp any any unreachable

access-list 110 permit icmp any any time-exceeded

access-list 110 deny icmp any any

access-list 110 permit ip any any

Collin Clark · ‎06-23-2008

Why are there multiple ACL numbers? I maintain a current DoD/DISA complaint ACL here: http://packetpros.com/wiki/index.php/What%27s_the_current_DITSCAP/DIACAP_ACL_for_a_public_interface%3F

Hope that helps

munawar.zeeshan · ‎06-23-2008

That different ACL no. were just a mistake.

Anyhow i have a look at your ACL. Its much detailed.

I have a confusion regarding the established statement on the top of my ACL.Can u plz have a say on it ?

Collin Clark · ‎06-23-2008

With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session, and therefore, that the packet belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface.