[afnog] Help on Access list Evaluation

Brian Candler B.Candler at pobox.com
Mon Jul 17 12:33:19 EAT 2006


On Mon, Jul 17, 2006 at 10:06:06AM +0200, Mark Tinka wrote:
> It really depends on your needs, but starting off with BCP-38 
> ingress filtering would be good:
> 
> http://www.armware.dk/RFC/bcp/bcp38.html
> 
> > access-list 101 deny   tcp any any eq 135
> > access-list 101 deny   udp any any eq 135
> > access-list 101 deny   tcp any any eq 445
> > access-list 101 deny   udp any any eq 445
> > access-list 101 deny   tcp any any eq 5554
> > access-list 101 deny   udp any any eq 5554
> > access-list 101 deny   tcp any any eq 9996
> > access-list 101 deny   udp any any eq 9996
> > access-list 101 deny   tcp any any eq 139
> > access-list 101 deny   udp any any eq netbios-ss
> > access-list 101 deny   tcp any any eq 136
> > access-list 101 deny   udp any any eq 136
> > access-list 101 deny   tcp any any eq 137
> > access-list 101 deny   udp any any eq netbios-ns
> > access-list 101 deny   tcp any any eq 138
> > access-list 101 deny   udp any any eq netbios-dgm
> > access-list 101 deny   icmp any any
> > access-list 101 deny   tcp any any eq smtp
> > access-list 101 permit ip any any

Note that that's completely different from bcp38.

bcp38 is about preventing spoofed packets, that is:

1. block packets entering your network whose source IP is one of your IPs
2. block packets leaving your network whose source IP is *not* one of yours

But otherwise you provide full IP connectivity - that is, you are still an
ISP.

The access list given is *not* suitable for use at an ISP, although bits of
it could be suitable for use by a customer. It blocks an arbitrary set of TCP
and UDP ports. This denies people use of certain services across the
Internet. Arguably, most of these ports are to do with Windows services
which are known to be insecure.

In any case, this ruleset is no substitute for a proper firewall. It also
won't help you after a break-in has taken place; most trojans use dynamic
ports.

The rule "deny icmp any any" is extremely *dangerous* and should be removed.
In particular, it prevents TCP Path MTU Discovery from working. With this
rule in place, you will find you are unable to connect to seemingly random
bits of the Internet - such as people on the end of DSL lines using PPPoE,
where the MTU is 1492 instead of 1500.

ICMP is not an optional extra which can be blocked at whim. People who do
this are helping to add to instability of the Internet.

Regards,

Brian.


