I would like to block ports UDP 137(name services) and UDP 138 (datagram services) and TCP 139(session services). How would i go about doing this via an extended access list and would i just need to implememnt on the WAN inbound? I have had a hack where a service was loaded and have been informed these will stop it in the future after rebuilding the server?? any help would be appreciated!!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
blocking ports via extended access lists
- Thread starter ninaj
- Start date
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
make sure that you allow neccessary Internet return traffic back in.
also deny that from going out as you will see that 137 is being broadcast all over the Internet if you have a syslog server in place
access-list 102 deny udp any any eq 137
access-list 102 deny udp any any eq 138
access-list 102 deny udp any any eq 139
access-list 102 permit ip any any
interface e1 (outside interface)
access-group 101 in
access-group 102 out
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
make sure that you allow neccessary Internet return traffic back in.
also deny that from going out as you will see that 137 is being broadcast all over the Internet if you have a syslog server in place
access-list 102 deny udp any any eq 137
access-list 102 deny udp any any eq 138
access-list 102 deny udp any any eq 139
access-list 102 permit ip any any
interface e1 (outside interface)
access-group 101 in
access-group 102 out
- Thread starter
- #3
when an access-list is being defined, you usually only HAVE to specify traffic that is allowed in (this includes Internet return traffic). There is an 'implied/invisible' 'deny all' at the end of the acls that denies any other traffic from entering.
think about tcp setup and connection-establishment/synchronization via SYN-SYNACK-ACK.
inside PC's send a request for a httpservice on the Internet
internalPC --SYN-->Router--SYN--->OutsideWebServer
internalPC <--SYNACK--Router--SYNACK---OutsideWebServer
internalPC --ACK-->Router--ACK--->OutsideWebServer
---now the internal pc can browse web pages---
BUT if you just issue all deny statements in the acl (and remember the implied/invisible deny all at the end.
internalPC --SYN-->Router--SYN--->OutsideWebServer
internalPC <-------Router--SYNACK---OutsideWebServer
the router would block the return traffic and the connection would never be established. You couldn't ping or test your links either because everything else would be denied in.
but the workaround is to include the 'established' keyword in a permit statement in the inbound access-list
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any echo any (if needed)
*access-list 101 permit tcp any any established*
*this basically says "allow traffic to come back in ONLY for services that we asked for in the first place" then the SYNACK packet can come back into the network and the connection can be established. the problems come in with udp and icmp because they don't set up connections.
although a better solution would be to use a router with the stateful firewall feature set CBAC. You can set it up to watch all internal to external connection and only allow back in what you sent out for (unless config'd in an acl, acls overide CBAC). CBAC dynamically builds acl entries to allow return traffic from any outbound tcp and udp connnections. tcp is based on connection state and udp is based on time (-i.e. do not allow any udp pkts comming back in from that dst after 10 seconds of being idle)
in my experience, i have always been bless to install routers with CBAC (stateful firewall feature set) as perimiter devices.
think about tcp setup and connection-establishment/synchronization via SYN-SYNACK-ACK.
inside PC's send a request for a httpservice on the Internet
internalPC --SYN-->Router--SYN--->OutsideWebServer
internalPC <--SYNACK--Router--SYNACK---OutsideWebServer
internalPC --ACK-->Router--ACK--->OutsideWebServer
---now the internal pc can browse web pages---
BUT if you just issue all deny statements in the acl (and remember the implied/invisible deny all at the end.
internalPC --SYN-->Router--SYN--->OutsideWebServer
internalPC <-------Router--SYNACK---OutsideWebServer
the router would block the return traffic and the connection would never be established. You couldn't ping or test your links either because everything else would be denied in.
but the workaround is to include the 'established' keyword in a permit statement in the inbound access-list
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any echo any (if needed)
*access-list 101 permit tcp any any established*
*this basically says "allow traffic to come back in ONLY for services that we asked for in the first place" then the SYNACK packet can come back into the network and the connection can be established. the problems come in with udp and icmp because they don't set up connections.
although a better solution would be to use a router with the stateful firewall feature set CBAC. You can set it up to watch all internal to external connection and only allow back in what you sent out for (unless config'd in an acl, acls overide CBAC). CBAC dynamically builds acl entries to allow return traffic from any outbound tcp and udp connnections. tcp is based on connection state and udp is based on time (-i.e. do not allow any udp pkts comming back in from that dst after 10 seconds of being idle)
in my experience, i have always been bless to install routers with CBAC (stateful firewall feature set) as perimiter devices.
AXISPNOC
IS-IT--Management
- Jun 11, 2003
- 22
gconnect! TIA - Here is my question. I am a small ISP with about 1000 subs, I have Cisco 2600 router with 2 Serial Interfaces (3MB Aggregated Circuit) and 1 FastEthernet and would like to block the same ports above and LDAP (389) and TS (3389), but only to users outside of the router. Internally I use NB, LDAP and TS. I use TS internally and for external I have TSWeb on a SSL Server. However here is my problem. When I implement the above config, it stops everything. I understand about the implied deny all. I tried to permit on 101 everything I wanted, thought that worked, but internally I had a nightmare getting to the systems. I am not running NAT, I know I probably should, however this is production environment and I can afford to take it down to set NAT in place, at least not right now. I am familiar with Router programming, however I am not familiar with access-lists. Any help would be greatly appreciated.
This is what I tried:
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq 389
access-list 101 deny tcp any any eq 389
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 443
access-list 101 permit ip any any
access-list 102 deny udp any any eq 137
access-list 102 deny udp any any eq 138
access-list 102 deny udp any any eq 139
access-list 102 permit ip any any
interface Serial 0/0
access-group 101 in
access-group 102 out
interface Serial 0/1
access-group 101 in
access-group 101 out
I worked through the night (3:00am is the best time for stuff like this), to no avail. I am sure I am missing something. Go easy on me ;-)
Thanks,
Jim
This is what I tried:
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq 389
access-list 101 deny tcp any any eq 389
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 443
access-list 101 permit ip any any
access-list 102 deny udp any any eq 137
access-list 102 deny udp any any eq 138
access-list 102 deny udp any any eq 139
access-list 102 permit ip any any
interface Serial 0/0
access-group 101 in
access-group 102 out
interface Serial 0/1
access-group 101 in
access-group 101 out
I worked through the night (3:00am is the best time for stuff like this), to no avail. I am sure I am missing something. Go easy on me ;-)
Thanks,
Jim
Frenchie2069
MIS
int s0/1 has the same acl in and out.
Also, you should consider adding a log entry at the end of each acl:
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq 389
access-list 101 deny tcp any any eq 389
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 443
access-list 101 permit ip any any
access-list 101 deny ip any any log
access-list 102 deny udp any any eq 137
access-list 102 deny udp any any eq 138
access-list 102 deny udp any any eq 139
access-list 102 permit ip any any
access-list 102 deny ip any any log
This way you will be able to see any traffic that is being blocked. It is also handy to do a show access-list x every now and again - the router will show you stats on how many times each acl entry has been matched - this will give you an idea of which entries are redundant.
Consider using CBAC (Context Based Access Control) if you router supports it. Try ip inspect ? in the global configuration mode - if it recognises it the CBAC is supported (requires firewall feature set). CBAC will modify your acls as traffic passes through the router.
If your router does not support CBAC, the you could add:
access-list 102 permit tcp any any established
to allow packets with the established flag on. This is dangerous as it can potentially allow hackers through by spoofing an established packet.
In general, my philosophy is to deny everything except traffic that is absolutely necessary. Typically, an inbound acl for a server might look like:
access-list 101 permit tcp any x.x.x.x eq 80
access-list 101 permit tcp any x.x.x.x eq 443
access-list 101 permit tcp any x.x.x.x eq 25
access-list 101 permit tcp any x.x.x.x range 20 21
access-list 101 permit udp any x.x.x.x eq 53
access-list 101 permit ip any any log
This allows http, https, smtp, ftp and dns to your server (respectively), everything else is denied and logged.
I personally never use any as the destination in an acl - it is risky and you should know what the IP addresses are anyway...
You could start with:
access-list 102 deny ip any any log
for your outbound and watch what gets blocked and modify your acl accordingly.
Also consider using a syslog server inside your network (like and add the following commands:
logging x.x.x.x
logging trap info
where x.x.x.x is the IP address of your syslog server. This way you can see all of the attacks on your router long term.
HTH,
Michael.
Also, you should consider adding a log entry at the end of each acl:
access-list 101 deny udp any any eq 137
access-list 101 deny udp any any eq 138
access-list 101 deny udp any any eq 139
access-list 101 deny udp any any eq 389
access-list 101 deny tcp any any eq 389
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 443
access-list 101 permit ip any any
access-list 101 deny ip any any log
access-list 102 deny udp any any eq 137
access-list 102 deny udp any any eq 138
access-list 102 deny udp any any eq 139
access-list 102 permit ip any any
access-list 102 deny ip any any log
This way you will be able to see any traffic that is being blocked. It is also handy to do a show access-list x every now and again - the router will show you stats on how many times each acl entry has been matched - this will give you an idea of which entries are redundant.
Consider using CBAC (Context Based Access Control) if you router supports it. Try ip inspect ? in the global configuration mode - if it recognises it the CBAC is supported (requires firewall feature set). CBAC will modify your acls as traffic passes through the router.
If your router does not support CBAC, the you could add:
access-list 102 permit tcp any any established
to allow packets with the established flag on. This is dangerous as it can potentially allow hackers through by spoofing an established packet.
In general, my philosophy is to deny everything except traffic that is absolutely necessary. Typically, an inbound acl for a server might look like:
access-list 101 permit tcp any x.x.x.x eq 80
access-list 101 permit tcp any x.x.x.x eq 443
access-list 101 permit tcp any x.x.x.x eq 25
access-list 101 permit tcp any x.x.x.x range 20 21
access-list 101 permit udp any x.x.x.x eq 53
access-list 101 permit ip any any log
This allows http, https, smtp, ftp and dns to your server (respectively), everything else is denied and logged.
I personally never use any as the destination in an acl - it is risky and you should know what the IP addresses are anyway...
You could start with:
access-list 102 deny ip any any log
for your outbound and watch what gets blocked and modify your acl accordingly.
Also consider using a syslog server inside your network (like and add the following commands:
logging x.x.x.x
logging trap info
where x.x.x.x is the IP address of your syslog server. This way you can see all of the attacks on your router long term.
HTH,
Michael.
- Status
