[afnog] Help on Access list Evaluation

Philip Smith pfs at cisco.com
Mon Jul 17 17:06:43 EAT 2006


Mangaliso,

Few cents worth from me, in addition to Brian's excellent advice....

Brian Candler said the following on 17/7/06 19:33:
>>>
>>> access-list 101 deny   tcp any any eq 135
>>> access-list 101 deny   udp any any eq 135
>>> access-list 101 deny   tcp any any eq 445
>>> access-list 101 deny   udp any any eq 445
>>> access-list 101 deny   tcp any any eq 5554
>>> access-list 101 deny   udp any any eq 5554
>>> access-list 101 deny   tcp any any eq 9996
>>> access-list 101 deny   udp any any eq 9996
>>> access-list 101 deny   tcp any any eq 139
>>> access-list 101 deny   udp any any eq netbios-ss
>>> access-list 101 deny   tcp any any eq 136
>>> access-list 101 deny   udp any any eq 136
>>> access-list 101 deny   tcp any any eq 137
>>> access-list 101 deny   udp any any eq netbios-ns
>>> access-list 101 deny   tcp any any eq 138
>>> access-list 101 deny   udp any any eq netbios-dgm
>>> access-list 101 deny   icmp any any
>>> access-list 101 deny   tcp any any eq smtp
>>> access-list 101 permit ip any any

It might be fine filtering all these, but do you have a reason for
filtering them? "sh access-list 101" will tell you how many hits each
entry is getting - if there are no hits, no point filtering.

As others have said, use netflow to figure out what's going on, and then
filter those. "sh ip cache flow" on the router will tell you all you
need to know. The most recent versions can tell you top-talkers, etc,
saving you having to do lots of analysis off the router.

> The rule "deny icmp any any" is extremely *dangerous* and should be removed.
> In particular, it prevents TCP Path MTU Discovery from working. With this
> rule in place, you will find you are unable to connect to seemingly random
> bits of the Internet - such as people on the end of DSL lines using PPPoE,
> where the MTU is 1492 instead of 1500.
> 
> ICMP is not an optional extra which can be blocked at whim. People who do
> this are helping to add to instability of the Internet.

Hear Hear!!!

If you or anyone else doesn't believe Brian, have a read of
http://www.cymru.com/Documents/icmp-messages.html - the advice there is
considered better practice if you want to filter ICMP messages.

But then again, ask yourself what you are filtering and why. Put a
filter in to prevent something, not because someone wrote it down
somewhere. ;-)

philip
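The same filter reworked so that it follows the two points made above: keep the port entries only where `show access-lists 101` shows hits, and replace the blanket `deny icmp any any` with selective ICMP filtering along the lines of the Team Cymru document Philip links to. This is an added example, not an ACL from the original thread or from Cymru; the choice of which ICMP types to permit is one reading of that advice and is an assumption. IOS evaluates ACL entries top to bottom, first match wins, so the ICMP permits must sit above the final `deny icmp any any` and `permit ip any any`.

```cisco
! Added example, not part of the original posting. Assumes IOS numbered
! extended ACL syntax; the ICMP types permitted are one reading of the
! Team Cymru advice, not a quote from it.
!
! Weak setting (as posted): drops every ICMP message, including the
! type 3 code 4 "fragmentation needed" that Path MTU Discovery relies on.
!   access-list 101 deny   icmp any any
!
! Corrected version. Numbered ACLs cannot be edited in place on older IOS,
! so the list is removed and re-created; do this in a maintenance window,
! or build it as access-list 102 and swap it in with "ip access-group 102 in".
no access-list 101
access-list 101 remark -- worm/NetBIOS ports from the original filter: keep only those with hits
access-list 101 deny   tcp any any eq 135
access-list 101 deny   udp any any eq 135
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq 445
access-list 101 deny   tcp any any eq 5554
access-list 101 deny   udp any any eq 5554
access-list 101 deny   tcp any any eq 9996
access-list 101 deny   udp any any eq 9996
access-list 101 deny   tcp any any eq 139
access-list 101 deny   udp any any eq netbios-ss
access-list 101 deny   tcp any any eq 136
access-list 101 deny   udp any any eq 136
access-list 101 deny   tcp any any eq 137
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   tcp any any eq 138
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 remark -- ICMP the Internet needs: permit these before any ICMP deny
access-list 101 remark -- type 3 code 4, Path MTU Discovery (listed first so its hit count is visible)
access-list 101 permit icmp any any packet-too-big
access-list 101 remark -- remaining type 3: host/net/port unreachable
access-list 101 permit icmp any any unreachable
access-list 101 remark -- type 11: traceroute and TTL loop detection
access-list 101 permit icmp any any time-exceeded
access-list 101 remark -- type 8 and type 0: ping
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 remark -- only now drop the rest of ICMP, if you must filter it at all
access-list 101 deny   icmp any any
access-list 101 deny   tcp any any eq smtp
access-list 101 permit ip any any
```

`show access-lists 101` prints `(N matches)` after each entry that has matched traffic; an entry with no count has never matched and, per the advice above, is a candidate for removal. `clear access-list counters 101` resets the counters so you can measure over a known interval. Keeping `packet-too-big` as its own entry, although `unreachable` would also match it, gives you a counter that shows directly whether PMTUD traffic is passing through the router.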