Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
I'll respond as I own one of these little devils. This box allows you to do just enough to be dangerous.
Packet filtering is an all or nothing endeavor in CBOS. Once Packet Filtering is enabled by creating just one filter, the device defaults to disallowing all packets. You must then tell the device what packets to let through. Filters are executed sequentially, 0-19.
So, we put our ALLOW filters at the end of the list (16-19) and our DENY filters at the top of the list.
This pair of filters opens the router to all TCP traffic:
set filter 18 on allow outgoing wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-65535
set filter 19 on allow incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-65535
This pair of filters opens the router to all UDP traffic:
set filter 16 on allow outgoing wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 1-65535 destport 1-65535
set filter 17 on allow incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 1-65535 destport 1-65535
Cisco engineers: It would be nice to have "both" or "all" options for some of these parameters, like direction.
Now that your router is open to all traffic, you need to block your incoming hackers.
This one disallows spoofing on the 10.0.0.0 network.
set filter 0 on deny incoming wan0-0 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-65535
Likewise, you might put up filters for the other unroutable networks.
Since you only have 20 filters, you have to be creative in how they are applied. Always look for the filter that does the most for you. For example, if you want to disallow all "well known services" coming into your network:
set filter 5 on deny incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-1024
I've found that testing after each application is the way to go.
Also, you don't need to reboot between applications of filters. They are applied immediately, without write/reboot.
Good luck with your sorcery.
One more thing: update your CBOS to the latest version, which I believe is 2.4.3.
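The post above describes the CBOS filter semantics (default deny as soon as one filter exists, sequential evaluation of slots 0-19, deny rules at the top and allow rules at the bottom) and recommends testing after each change. The following is an added example, not code from the original post or from Cisco: a small Python model of those semantics that parses rules in the post's own `set filter` syntax and runs sample packets through them, so a rule set can be sanity-checked before it is typed into the router. Two details are assumptions, not something the thread states: that the first matching slot decides the packet, and that a protocol no filter mentions (ICMP here) simply falls through to the default deny. All addresses, ports and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule set, copied from the thread's scheme: spoof deny in slot 0,
# well-known-ports deny in slot 5, blanket TCP/UDP allows in slots 16-19.
RULES = """
set filter 0 on deny incoming wan0-0 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-65535
set filter 5 on deny incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-1024
set filter 16 on allow outgoing wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 1-65535 destport 1-65535
set filter 17 on allow incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 1-65535 destport 1-65535
set filter 18 on allow outgoing wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-65535
set filter 19 on allow incoming wan0-0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol tcp srcport 1-65535 destport 1-65535
"""


@dataclass
class Filter:
    slot: int
    enabled: bool
    action: str      # "allow" | "deny"
    direction: str   # "incoming" | "outgoing"
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    sport: range
    dport: range


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # "0.0.0.0 0.0.0.0" in the post's syntax means "any address"; that becomes 0.0.0.0/0 here.
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _ports(spec: str) -> range:
    lo, hi = spec.split("-")
    return range(int(lo), int(hi) + 1)


def parse_filter(line: str) -> Filter:
    # set filter N on|off allow|deny incoming|outgoing IFACE SRC SRCMASK DST DSTMASK protocol P srcport A-B destport C-D
    t = line.split()
    if t[:2] != ["set", "filter"] or len(t) != 17:
        raise ValueError(f"not a filter line: {line!r}")
    return Filter(slot=int(t[2]), enabled=(t[3] == "on"), action=t[4], direction=t[5],
                  iface=t[6], src=_net(t[7], t[8]), dst=_net(t[9], t[10]), proto=t[12],
                  sport=_ports(t[14]), dport=_ports(t[16]))


def load_filters(text: str) -> list:
    """Parse every non-empty line and order the filters by slot, 0 first."""
    return sorted((parse_filter(l) for l in text.strip().splitlines() if l.strip()),
                  key=lambda f: f.slot)


def matches(f: Filter, p: Packet) -> bool:
    return (f.enabled and f.direction == p.direction and f.iface == p.iface
            and f.proto == p.proto
            and ipaddress.IPv4Address(p.src) in f.src
            and ipaddress.IPv4Address(p.dst) in f.dst
            and p.sport in f.sport and p.dport in f.dport)


def decide(filters: list, p: Packet) -> tuple:
    """Return (action, slot). slot is None when no filter matched."""
    if not any(f.enabled for f in filters):
        return "allow", None          # no filters defined: filtering is off, everything passes
    for f in filters:                 # slots 0-19 in order; first match decides (assumption)
        if matches(f, p):
            return f.action, f.slot
    return "deny", None               # filtering is on and nothing matched: default deny


# Constructed test traffic against the rule set above (documentation addresses only).
SAMPLE_PACKETS = {
    "spoofed_tcp_from_10net": Packet("incoming", "wan0-0", "10.1.2.3", "203.0.113.10", "tcp", 40000, 8080),
    "spoofed_udp_from_10net": Packet("incoming", "wan0-0", "10.1.2.3", "203.0.113.10", "udp", 40000, 5060),
    "inbound_http":           Packet("incoming", "wan0-0", "198.51.100.7", "203.0.113.10", "tcp", 51000, 80),
    "inbound_high_port":      Packet("incoming", "wan0-0", "198.51.100.7", "203.0.113.10", "tcp", 51000, 8080),
    "inbound_dns_reply":      Packet("incoming", "wan0-0", "198.51.100.53", "203.0.113.10", "udp", 53, 33000),
    "outbound_https":         Packet("outgoing", "wan0-0", "203.0.113.10", "198.51.100.7", "tcp", 52000, 443),
    "inbound_icmp":           Packet("incoming", "wan0-0", "198.51.100.7", "203.0.113.10", "icmp", 0, 0),
}


def audit(rules_text: str = RULES, packets: dict = SAMPLE_PACKETS) -> dict:
    """Run every sample packet through the parsed rule set; returns name -> (action, slot)."""
    filters = load_filters(rules_text)
    return {name: decide(filters, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (action, slot) in audit().items():
        print(f"{name:24s} -> {action:5s} (slot {slot})")
```

Running it shows what the rule set does and does not cover: the slot 0 spoof filter only names `protocol tcp`, so a UDP packet from 10.0.0.0/8 falls through to the slot 17 allow, and ICMP is dropped outright because no slot admits it. Both are consequences of the one-protocol, one-direction rule format the post complains about, and exactly the kind of thing worth checking before the next `set filter`.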
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisement does.
I have a question. I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, it works and everything is fine (the internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.