On Mon, Nov 08, 1999 at 08:31:24AM +0100, Nico De Ranter wrote:
: portscans are a nuisance and definitely something to worry about since it
: normally shows that people are trying to look for vulnerabilities on your
: system.
Absolutely correct.
: However, I don't think it's reasonable to ask your ISP to take care
: about it since the only thing they could do is block external access to their
: customers ip-addresses.
Again, right on. I was getting scanned the other night. My fix to the
problem was to login to CCO (Cisco Connection Online), and grab the
newest image for my router (an 804 ISDN). I got 12.0.5T, with the IP/FW
feature set.
A quick:
! CBAC inspection rule set "fw": sessions opened from the LAN are tracked
! and their reply traffic admitted dynamically; timeouts are idle seconds
ip inspect name fw realaudio timeout 300
ip inspect name fw udp timeout 15
ip inspect name fw tcp timeout 300
! ACL 111 is evaluated top-down, first match wins
access-list 111 deny ip my.net.block.here 0.0.0.15 any log
access-list 111 permit tcp any my.net.block.here 0.0.0.15 eq 22
access-list 111 permit tcp any my.net.block.here 0.0.0.15 eq 113
access-list 111 deny ip any any
! filter inbound on the WAN (ISDN) side
interface s0
 ip access-group 111 in
! inspect traffic arriving from the LAN side
interface e0
 ip inspect fw in
and I was all set. IOS Firewall is good enough for me @ home. It's not
enough for a whole company, IMHO, but it's pretty good for home use.
That ACL (in order) provides anti-spoofing, permits inbound ssh, inbound
ident requests (which are serviced by nullidentd), then dumps all other
traffic. The IOS fw will dynamically open up ports for the reply traffic
that comes back. In the case of something like realaudio, oracle, or a
few other multiport services, they have made special inspection modules
to handle that traffic. All in all, not bad. It's nowhere near Check
Point, but it's still good stuff.
--
Jason Costomiris <><
Technologist, cryptogeek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
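The filtering behaviour described in the post above, modelled as an added Python example (not part of the original message or of Cisco IOS): a first-match ACL with Cisco wildcard masks, mirroring the four entries of access-list 111, plus a minimal stand-in for the inspection table that admits replies to sessions opened from the LAN. The inside block 192.0.2.16/28 (wildcard 0.0.0.15) and all packet addresses are constructed sample values standing in for "my.net.block.here".

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed stand-in for the post's "my.net.block.here 0.0.0.15" (a /28).
INSIDE_NET = "192.0.2.16"
INSIDE_WILDCARD = "0.0.0.15"


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


Addr = Union[str, Tuple[str, str]]  # "any" or (network, wildcard)


def addr_match(addr: str, spec: Addr) -> bool:
    if spec == "any":
        return True
    net, wildcard = spec
    return wildcard_match(addr, net, wildcard)


@dataclass
class Ace:
    """One access-list entry; proto 'ip' matches every protocol."""
    action: str
    proto: str
    src: Addr
    dst: Addr
    dport: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not addr_match(pkt.src, self.src) or not addr_match(pkt.dst, self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


INSIDE = (INSIDE_NET, INSIDE_WILDCARD)
# Same order as the post's access-list 111.
ACL_111: List[Ace] = [
    Ace("deny", "ip", INSIDE, "any", log=True),      # anti-spoofing
    Ace("permit", "tcp", "any", INSIDE, dport=22),   # inbound ssh
    Ace("permit", "tcp", "any", INSIDE, dport=113),  # inbound ident
    Ace("deny", "ip", "any", "any"),                 # everything else
]


def acl_lookup(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; IOS also has an implicit deny at the end."""
    for i, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, f"ace {i}" + (" (logged)" if ace.log else "")
    return "deny", "implicit deny"


class Inspector:
    """Toy stand-in for the inspection table: remembers LAN-originated sessions."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def reply_expected(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def inbound_decision(pkt: Packet, fw: Inspector, acl: List[Ace] = ACL_111) -> Tuple[str, str]:
    """Dynamic reply entries are consulted before the static ACL."""
    if fw.reply_expected(pkt):
        return "permit", "inspection (dynamic reply entry)"
    return acl_lookup(acl, pkt)


def demo() -> Dict[str, Tuple[str, str]]:
    fw = Inspector()
    # A host on the LAN opens an HTTP session to an outside web server (constructed).
    fw.outbound(Packet("tcp", "192.0.2.20", "198.51.100.7", 40000, 80))
    samples = {
        "spoofed": Packet("tcp", "192.0.2.18", "192.0.2.20", 1234, 22),   # inside src from WAN
        "ssh": Packet("tcp", "203.0.113.9", "192.0.2.20", 51000, 22),
        "ident": Packet("tcp", "203.0.113.9", "192.0.2.20", 51001, 113),
        "http_probe": Packet("tcp", "203.0.113.9", "192.0.2.20", 51002, 80),
        "web_reply": Packet("tcp", "198.51.100.7", "192.0.2.20", 80, 40000),
        "stray_udp": Packet("udp", "198.51.100.7", "192.0.2.20", 53, 40001),
        "ssh_outside_block": Packet("tcp", "203.0.113.9", "192.0.2.40", 51003, 22),
    }
    return {name: inbound_decision(p, fw) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:18} {action:6} {why}")
```

Note how the spoofed packet is dropped by the first entry even though it is aimed at port 22, and how the HTTP reply is admitted only because the inspection table saw the LAN host open the session; the same reply with no matching session would fall through to the final deny.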