[afnog] Help on Access list Evaluation
Mark Tinka
mtinka at africaonline.co.zw
Mon Jul 17 11:06:06 EAT 2006
On Monday 17 July 2006 09:34, Mangaliso Jere wrote:
> I am experiencing an upsurge of traffic on my network.
Hmmh, you don't say in which direction - on your network? From
the Internet? To the Internet?
Do you have Netflow running, by any chance?
> At
> the moment am reviewing my access-lists. If there are any other
> rules I can add.
It really depends on your needs, but starting off with BCP-38
ingress filtering would be good:
http://www.armware.dk/RFC/bcp/bcp38.html
> access-list 101 deny tcp any any eq 135
> access-list 101 deny udp any any eq 135
> access-list 101 deny tcp any any eq 445
> access-list 101 deny udp any any eq 445
> access-list 101 deny tcp any any eq 5554
> access-list 101 deny udp any any eq 5554
> access-list 101 deny tcp any any eq 9996
> access-list 101 deny udp any any eq 9996
> access-list 101 deny tcp any any eq 139
> access-list 101 deny udp any any eq netbios-ss
> access-list 101 deny tcp any any eq 136
> access-list 101 deny udp any any eq 136
> access-list 101 deny tcp any any eq 137
> access-list 101 deny udp any any eq netbios-ns
> access-list 101 deny tcp any any eq 138
> access-list 101 deny udp any any eq netbios-dgm
> access-list 101 deny icmp any any
> access-list 101 deny tcp any any eq smtp
> access-list 101 permit ip any any
>
> This is the list I am using for my clients and of course I add
> some host routes for individual clients where necessary.
BCP-38 mentions this, but throwing your IP addresses in there and
denying them from downstream access to your network is
logical, as no one should pretend to come from your network when
they aren't.
I think a session was given on this during AfNOG-2006.
Mark.
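The first-match evaluation the thread is about, with a BCP-38 anti-spoofing entry placed in front of a subset of the quoted access-list 101, as an added example that is not part of either post: the evaluator, the 192.0.2.0/24 stand-in for the provider's own prefix and the sample packets are all constructed for illustration.

```python
# Added example, not from the original post: a first-match evaluator for
# Cisco-style extended ACL lines, with a BCP-38 entry ahead of the quoted list.
import ipaddress

# Service names used in the quoted list (Cisco resolves them to port numbers).
PORT_NAMES = {"smtp": 25, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Constructed subset of the quoted list. 192.0.2.0/24 (documentation range)
# stands in for the provider's own prefix; the first line is the BCP-38 entry:
# nothing arriving from downstream may claim a source address inside it.
ACL_TEXT = """
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny icmp any any
access-list 101 deny tcp any any eq smtp
access-list 101 permit ip any any
"""

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tokens):
    # 'any' or 'A wildcard'; a contiguous Cisco wildcard is an inverted netmask (0.0.0.255 = /24).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, rest = _addr(t[4:])
        sport = None
        if rest[0] == "eq":
            sport, rest = _port(rest[1]), rest[2:]
        dst, rest = _addr(rest)
        dport = _port(rest[1]) if rest and rest[0] == "eq" else None
        rules.append((t[2], t[3], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None, sport=None):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"
```

Applied inbound on the customer-facing interface, the anti-spoofing entry drops anything claiming a source inside your own prefix before the per-port entries are even consulted, and an empty list still denies everything because of the implicit deny.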