訪問列表參數
Template Parameter Access List
My friend
Mike Storm
has come up
with a good "base" ACL for use on Internet facing routers and firewall devices. While he has it listed on
his blog
, I am referencing it here for my own future reference
Assuming my PubNet range is a block of 32 66.238.29.0 - 31. See below
! no fragments
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
access-list 100 permit now begins your permits...if any
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
access-list 100 permit now begins your permits...if any
Notes:
192.0.2.0 0.0.0.255 any log ( range known to be used exploit default pw on WLA devices )
4.0.0.0 0.255.255.255 any log ( Known as Net-14, a Public use network, possibly used by attackers )
69.254.0.0 0.0.255.255 any log ( RFC2026 Link Local )
198.18.0.0 0.0.255.255 any log ( block for benchmark tests of network interconnect devices, RFC2544 )
192.0.2.0 0.0.0.255 any log ( range known to be used exploit default pw on WLA devices )
4.0.0.0 0.255.255.255 any log ( Known as Net-14, a Public use network, possibly used by attackers )
69.254.0.0 0.0.255.255 any log ( RFC2026 Link Local )
198.18.0.0 0.0.255.255 any log ( block for benchmark tests of network interconnect devices, RFC2544 )
相關文章
- 1. 16:倒數訪問列表,獲取列表中的數字
- 2. 17:訪問列表中子列表
- 3. 訪問控制列表ACL
- 4. Linux 訪問控制列表
- 5. 訪問控制列表(ACL)
- 6. ACL(訪問控制列表)
- 7. ACL 訪問控制列表
- 8. 訪問控制列表
- 9. ACL訪問控制列表
- 10. 訪問控制列表(一)
- 更多相關文章...
- • Swift 訪問控制 - Swift 教程
- • Lua 數據庫訪問 - Lua 教程
- • Flink 數據傳輸及反壓詳解
- • TiDB 在摩拜單車在線數據業務的應用和實踐
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 16:倒數訪問列表,獲取列表中的數字
- 2. 17:訪問列表中子列表
- 3. 訪問控制列表ACL
- 4. Linux 訪問控制列表
- 5. 訪問控制列表(ACL)
- 6. ACL(訪問控制列表)
- 7. ACL 訪問控制列表
- 8. 訪問控制列表
- 9. ACL訪問控制列表
- 10. 訪問控制列表(一)