[1828] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Tue Apr 16 02:42:29 1996
Date: Tue, 16 Apr 1996 00:48:12 -0400 (EDT)
From: "Brian W. Spolarich" <briansp@ans.net>
To: "Deloach, Scott D. SSgt" <DeloachS@emh.aon.af.mil>
cc: www-security <www-security@ns2.rutgers.edu>
In-Reply-To: <199604151928.PAA23382@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 15 Apr 1996, Deloach, Scott D. SSgt wrote:
> Can anyone give me an example of what a Cisco access list would look like
> to give incoming access to SMTP access to a single IP and HTTP access to
> another IP and deny everything else?
You'd need at least this for an inbound access list. I've found that you
want to be careful of such a strict policy. I myself prefer the "block
everything bad you know about and allow everything else", otherwise you
spend lots of time figuring out why something is broken, and/or
maintaining huge access lists and scratching your head all the time.
This is also something of a philosophical discussion, though, and a
religious debate. God grant thee wisdom, my son.
Cisco access lists are evaluated in the order they appear. The first
rule that applies to the packet is applied. This list also assumes
you're using standard 24-bit netmasking (i.e. 255.255.255.0).
! Allow ping packets
access-list 141 permit icmp any any
! Permit established sessions to continue
access-list 141 permit tcp any any established
! Allow mail access to the mail gateway.
access-list 141 permit tcp any host 111.111.111.2 eq smtp
! Allow HTTP access to the WWW server.
access-list 141 permit tcp any host 111.111.111.3 eq www
! If not permitted, deny it!
access-list 141 deny tcp any any
! Allow everything else (catchall for Routing etc.)
access-list 141 permit ip any any
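As an added illustration, not part of Brian's message, the following Python model walks constructed inbound packets through the access list above using the same first-match evaluation IOS applies (and the implicit deny that ends every IOS access list). The parser covers only the syntax the list uses (`any`, `host`, address/wildcard pairs, `eq <port>`, `established`); the port-name table and the source address 198.51.100.7 (a documentation address) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The access list from the message, embedded here as test input (the 'host'
# keyword makes each single-address destination valid IOS extended-ACL syntax).
ACL_TEXT = """
! Allow ping packets
access-list 141 permit icmp any any
! Permit established sessions to continue
access-list 141 permit tcp any any established
! Allow mail access to the mail gateway.
access-list 141 permit tcp any host 111.111.111.2 eq smtp
! Allow HTTP access to the WWW server.
access-list 141 permit tcp any host 111.111.111.3 eq www
! If not permitted, deny it!
access-list 141 deny tcp any any
! Allow everything else (catchall for Routing etc.)
access-list 141 permit ip any any
"""

# Assumed name->port table; IOS knows many more names than these.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ftp": 21, "telnet": 23}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP with ACK or RST set, which is what IOS 'established' tests


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if tokens[i] == "any" or (tokens[i] == "0.0.0.0" and tokens[i + 1] == "255.255.255.255"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1 if tokens[i] == "any" else i + 2
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) after the slash; contiguous wildcards only
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]'; '!' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport, established = None, False
        while i < len(tok):
            if tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
                i += 2
            elif tok[i] == "established":
                established = True
                i += 1
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
        rules.append(Rule(action, proto, src, dst, dport, established))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, 1-based rule number) of the first match; ('deny', 0) is IOS's implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not pkt.established:
            continue
        return r.action, n
    return "deny", 0


def demo() -> Dict[str, Tuple[str, int]]:
    """Constructed inbound packets (source 198.51.100.7 is a documentation address) run through the list."""
    rules = parse_acl(ACL_TEXT)
    samples = {
        "smtp_to_mailhost": Packet("tcp", "198.51.100.7", "111.111.111.2", 25),
        "http_to_mailhost": Packet("tcp", "198.51.100.7", "111.111.111.2", 80),
        "http_to_wwwhost": Packet("tcp", "198.51.100.7", "111.111.111.3", 80),
        "reply_to_inside_client": Packet("tcp", "198.51.100.7", "111.111.111.50", 4321, established=True),
        "udp_snmp_to_any_host": Packet("udp", "198.51.100.7", "111.111.111.9", 161),
        "icmp_echo": Packet("icmp", "198.51.100.7", "111.111.111.9"),
    }
    return {name: evaluate(rules, p) for name, p in samples.items()}
```

Running `demo()` shows the ordering at work: a new TCP connection to the mail host on port 80 fails rules 3 and 4 and is caught by the `deny tcp any any` at rule 5, while the UDP packet matches nothing until the final `permit ip any any` and is admitted. That last result is worth noticing when reviewing a list built this way: the catch-all admits all non-TCP traffic to every host, which is broader than the "SMTP to one host, HTTP to another, deny everything else" policy the question asked for.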
Let me know if you'd rather see the other side of this: deny some, permit
all. I've put together access-lists for this as well.
-brian
--
Brian W. Spolarich - ANS CO+RE Systems - briansp@ans.net - (313)677-7311
We're Starfleet officers...weird is part of the job.