
6. Router ACLs

A firewall can also be implemented on network equipment (routers) rather than only on individual hosts. Advantages, compared with an on-host firewall alone:

Disadvantages:

6.1. An Example

For traffic from that network, 130.88.99.0/27 (the inbound list, in586). Both listings below are "show ip access-lists" output, hit counters included; the "# ..." lines are the author's annotations, not router syntax (an IOS list would carry them as "remark" entries):

  Extended IP access list in586
     permit ip any host 130.88.149.82
         # ...honey-port...

     deny tcp any any eq 135 log (8 matches)
     deny tcp any any eq 445 log (7 matches)
         # ...std Windoze-related blocks...

     permit tcp 130.88.99.0 0.0.0.31 any (21101 matches)
     permit udp 130.88.99.0 0.0.0.31 any (954001 matches)
     permit icmp 130.88.99.0 0.0.0.31 any (7 matches)
         # ...allow the "bottom eighth" of 130.88.99.* (130.88.99.0/27) to send
         #    traffic out; a packet with any other source address falls through
         #    to the final deny, so this is egress anti-spoofing (the honey-port
         #    and DHCP entries are the only ones that accept any source)...

     permit udp any any eq bootps
         # ...allow DHCP requests out; a client without a lease sends these from
         #    source 0.0.0.0, which the entries above do not match, hence "any"...

     deny ip any any

For traffic to that network (the outbound list, out586):

  Extended IP access list out586
     permit tcp any eq 443 any
         # ...Solaris 10 uses HTTPS for patching, so allow return
         #    traffic from our connections to Sun's HTTPS servers.  Note there
         #    is no "established" keyword: any packet sourced from port 443,
         #    from anywhere, to any port on our hosts matches this entry...

     permit udp host 130.88.200.6 eq ntp any
     permit udp host 130.88.200.98 eq ntp any
     permit udp host 130.88.202.49 eq ntp any
     permit udp host 130.88.203.64 eq ntp any
     permit udp 130.88.119.64 0.0.0.3 eq ntp any
     permit udp 130.88.120.64 0.0.0.3 eq ntp any
         # ...allow us to talk to UMan's NTP servers...

     permit tcp host 130.88.96.39 any range 6050 6051
     permit udp host 130.88.96.39 any range 6050 6051
         # ...backups via Shaz's system...

     permit udp host 130.88.119.67 eq domain any
     permit tcp host 130.88.119.67 eq domain any
     permit udp host 130.88.120.67 eq domain any
     permit tcp host 130.88.120.67 eq domain any
         # ...ex-UMIST DNS servers: return traffic for our "nslookups"...

     permit tcp host 130.88.13.7 any eq smtp
     permit tcp host 130.88.94.110 any eq smtp
     permit tcp host 130.88.119.65 any eq smtp
     permit tcp host 130.88.119.66 any eq smtp
     permit tcp host 130.88.120.65 any eq smtp
     permit tcp host 130.88.120.66 any eq smtp
     permit tcp 130.88.200.92 0.0.0.1 any eq smtp
     permit tcp host 130.88.200.94 any eq smtp
     permit tcp host 130.88.200.144 any eq smtp
     permit tcp host 130.88.200.145 any eq smtp
         # ...allow mailrouters to connect to our machines (sendmail/exim) to 
         #    deliver email to our users...

     permit tcp host 130.88.119.75 eq pop3 any gt 1023
     permit tcp host 130.88.119.75 eq 143 any gt 1023
     permit tcp host 130.88.120.73 eq pop3 any gt 1023
     permit tcp host 130.88.120.73 eq 143 any gt 1023
         # ...POP & IMAP: return traffic from our connections to UMIST mail 
         #    servers [redundant, see "UNPRIV"]...

     permit tcp 130.88.0.0 0.0.255.255 any eq 744
     permit tcp 192.84.81.0 0.0.0.255 any eq 744
     permit tcp 192.84.82.0 0.0.0.255 any eq 744
     permit tcp 192.84.84.0 0.0.0.255 any eq 744
     permit tcp 192.150.177.0 0.0.0.255 any eq 744
     permit tcp 193.60.152.0 0.0.0.255 any eq 744
     permit tcp 194.66.31.0 0.0.0.255 any eq 744
         # ...allow incoming FlexLM-related connections from UMan --- our 
         #    machines are licence-servers...

     permit tcp any any eq 22 (1625 matches)
         # ...allow the world to SSH to us...

     #
     # LABEL: "UNPRIV"
     #
     permit tcp 130.88.0.0 0.0.255.255 any gt 1023 (2542 matches)
     permit tcp 192.84.81.0 0.0.0.255 any gt 1023
     permit tcp 192.84.82.0 0.0.0.255 any gt 1023
     permit tcp 192.84.84.0 0.0.0.255 any gt 1023
     permit tcp 192.150.177.0 0.0.0.255 any gt 1023
     permit tcp 193.60.152.0 0.0.0.255 any gt 1023
     permit tcp 194.66.31.0 0.0.0.255 any gt 1023
         # ...allow UMan to send us traffic to our unprivileged ports...

     permit udp host 130.88.201.28 gt 1023 any
     permit udp host 130.88.201.170 gt 1023 any
     permit udp host 130.88.203.173 gt 1023 any
         # ...return traffic from our applications' connections to
         #    Dave Buckley's licence servers.  Unlike the POP/IMAP entries above,
         #    these are NOT made redundant by "UNPRIV", which permits TCP only...

     permit tcp any range ftp-data telnet any gt 1023 (34 matches)
         # ...allow active FTP: data connections come from the FTP server's
         #    port 20, from the world to our unprivileged ports.  The range
         #    ftp-data..telnet is ports 20-23, so this also admits return
         #    traffic for our outbound FTP-control (21), SSH (22) and telnet (23)
         #    connections.  Again keyed on the source port only: anyone who
         #    sends from a source port of 20-23 reaches any unprivileged port...

     permit tcp any range 6000 6999 any gt 1023 (289 matches)
     permit tcp any eq 7100 any gt 1023 (18 matches)
         # ...X11-related stuff not tunnelled through SSH: 6000-6999 are the X
         #    display ports, 7100 the X font server...

     permit tcp host 130.88.96.132 eq lpd any
         # ...return traffic from our printing connections...

     permit tcp host 10.2.100.241 any range 7937 9936
     permit udp host 10.2.100.241 any range 7937 9936
     permit tcp host 10.2.100.241 any range 10001 30000
     permit udp host 10.2.100.241 any range 10001 30000
     permit tcp 10.2.100.242 0.0.0.1 any range 7937 9936
     permit udp 10.2.100.242 0.0.0.1 any range 7937 9936
     permit tcp 10.2.100.242 0.0.0.1 any range 10001 30000
     permit udp 10.2.100.242 0.0.0.1 any range 10001 30000
     permit tcp 10.2.100.244 0.0.0.3 any range 7937 9936
     permit udp 10.2.100.244 0.0.0.3 any range 7937 9936
     permit tcp 10.2.100.244 0.0.0.3 any range 10001 30000
     permit udp 10.2.100.244 0.0.0.3 any range 10001 30000
     permit tcp 10.2.100.248 0.0.0.1 any range 7937 9936
     permit udp 10.2.100.248 0.0.0.1 any range 7937 9936
     permit tcp 10.2.100.248 0.0.0.1 any range 10001 30000
     permit udp 10.2.100.248 0.0.0.1 any range 10001 30000
         # ...backups...

     permit tcp host 130.88.200.53 any range 7937 9936
     permit udp host 130.88.200.53 any range 7937 9936
     permit tcp host 130.88.200.53 any range 10001 30000
     permit udp host 130.88.200.53 any range 10001 30000
         # ...backups...

     permit tcp any any eq 222
         # ...alternative SSH port...

     deny tcp 130.88.0.0 0.0.255.255 any range 135 139 (1384 matches)
     deny tcp 130.88.0.0 0.0.255.255 any eq 445 (869 matches)
         # ...std Windoze-related blocks; these carry no "log" and match before
         #    the logged deny below, so NetBIOS/SMB noise from UMan is dropped
         #    without cluttering the log...

     deny ip 130.88.0.0 0.0.255.255 any log (165 matches)
         # ...log (most of) the remaining UMan traffic, which the line below
         #    would drop anyway...

     deny ip any any (199886 matches)
         # ...default-deny, written out explicitly so that it gets a hit
         #    counter (the implicit deny at the end of every IOS list does not)...
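Two properties of these lists are easier to see by executing them than by reading them: entries are tried in order and the first match wins, so placement decides what gets logged; and the lists are stateless, so an entry meant for "return traffic" that is keyed only on the source port admits any packet whose sender chooses that source port (nmap's --source-port option does exactly this). The Python below is an added example, not code from this page or from UMan: a first-match evaluator for the subset of IOS extended-ACL syntax used above, run over a constructed abridgement of out586 and over constructed packets (the addresses 198.51.100.7, 130.88.99.5 and 130.88.50.1 are assumed, not from the page). It also checks which entries are genuinely redundant, which bears out the note on the POP/IMAP entries and contradicts the one on the UDP licence-server entries.

```python
import ipaddress

# Port names used in the page's lists (IOS accepts names or numbers).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "bootps": 67, "pop3": 110, "ntp": 123, "lpd": 515}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # An IOS wildcard is an inverted netmask: 0.0.0.31 -> 255.255.255.224 (/27).
    # Only contiguous wildcards are handled, which is all the page uses.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(toks[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((toks[0], str(mask)), strict=False), toks[2:]

def _parse_ports(toks):
    """Consume an optional 'eq P' | 'gt P' | 'range A B'; return ((lo, hi), remaining)."""
    if toks and toks[0] == "eq":
        return (_port(toks[1]), _port(toks[1])), toks[2:]
    if toks and toks[0] == "gt":
        return (_port(toks[1]) + 1, 65535), toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return (0, 65535), toks

def parse_entry(line):
    """Parse one entry as printed by 'show ip access-lists'; the '(N matches)' counter is dropped."""
    toks = line.split("(")[0].split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_ports(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_ports(rest)
    return {"action": action, "log": "log" in rest, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def matches(entry, pkt):
    # pkt = (proto, src_ip, src_port, dst_ip, dst_port); stateless, TCP flags are not examined.
    proto, src, sport, dst, dport = pkt
    return (entry["proto"] in ("ip", proto)
            and ipaddress.ip_address(src) in entry["src"]
            and ipaddress.ip_address(dst) in entry["dst"]
            and entry["sport"][0] <= sport <= entry["sport"][1]
            and entry["dport"][0] <= dport <= entry["dport"][1])

def evaluate(acl, pkt):
    """First match wins, as on IOS. Returns (index, action, logged); index None = implicit deny."""
    for i, entry in enumerate(acl):
        if matches(entry, pkt):
            return i, entry["action"], entry["log"]
    return None, "deny", False

def covers(outer, inner):
    """True if every packet that matches `inner` also matches `outer`."""
    return (outer["proto"] in ("ip", inner["proto"])
            and inner["src"].subnet_of(outer["src"]) and inner["dst"].subnet_of(outer["dst"])
            and outer["sport"][0] <= inner["sport"][0] <= inner["sport"][1] <= outer["sport"][1]
            and outer["dport"][0] <= inner["dport"][0] <= inner["dport"][1] <= outer["dport"][1])

def _effect(entry):
    return entry["action"], entry["log"]

def redundant_entries(acl):
    """Indices of entries deletable without changing any verdict or any logging: an earlier
    entry with the same effect covers them, or a later one does with only same-effect
    entries in between (so nothing else can intercept the traffic first)."""
    found = []
    for i, e in enumerate(acl):
        for j, f in enumerate(acl):
            if j == i or _effect(f) != _effect(e) or not covers(f, e):
                continue
            if j < i or all(_effect(k) == _effect(e) for k in acl[i + 1:j]):
                found.append(i)
                break
    return found

# Constructed abridgement of out586, entries in the same order as on the page.
OUT586 = [parse_entry(l) for l in """
permit tcp any eq 443 any
permit tcp host 130.88.119.75 eq pop3 any gt 1023
permit tcp any any eq 22
permit tcp 130.88.0.0 0.0.255.255 any gt 1023
permit udp host 130.88.201.28 gt 1023 any
permit tcp any range ftp-data telnet any gt 1023
deny tcp 130.88.0.0 0.0.255.255 any range 135 139
deny ip 130.88.0.0 0.0.255.255 any log
deny ip any any
""".split("\n") if l.strip()]

if __name__ == "__main__":
    # A probe from outside UMan with source port 443 reaches a port nothing else permits.
    print(evaluate(OUT586, ("tcp", "198.51.100.7", 443, "130.88.99.5", 3306)))  # (0, 'permit', False)
    # Order decides what is logged: NetBIOS noise hits the silent deny, telnet the logged one.
    print(evaluate(OUT586, ("tcp", "130.88.50.1", 40000, "130.88.99.5", 139)))   # (6, 'deny', False)
    print(evaluate(OUT586, ("tcp", "130.88.50.1", 40000, "130.88.99.5", 23)))    # (7, 'deny', True)
    # Only the POP3 entry is redundant with UNPRIV; the UDP one is not (UNPRIV is TCP-only).
    print(redundant_entries(OUT586))                                             # [1]
```

On IOS the usual mitigation for the source-port problem is the "established" keyword ("permit tcp any eq 443 any established"), which matches only segments with ACK or RST set; that stops SYN scans through such an entry but not ACK scans, and it has no UDP equivalent, which is why a stateful firewall (or a reflexive ACL on the router) is needed where the distinction matters.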

