Internet Filters

Post by Jay Barn » Tue, 25 Jul 1995 04:00:00



Can anyone help me with _generic_ filters/commands/configurations that
should be applied to a Cisco 2500 running 10.3 software operating as an
Internet router (between our ISP and our firewall)?  I'm not worried about
site-specific ACLs, protection policies, etc.  Those I will sort out myself
in conjunction with a separate firewall.  What I'm looking for is, for
example, in the same vein as "no source routing", "no telnet", etc.

Perhaps there's a FAQ I should be reading ...

Jay
            Web surfing is for people  <|  who don't know how to SAIL
                                       /|\    
                                 _____/ | \________  
                                /    /  |  \       \
                               /    /   |   \       \    /\
                          /\  /    /____|    \       \  /  \
                         /  \/   _______|_____\__     \/    \
                        /        \  Jay Barnes  /            \
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Need starting Internet filter rules for IOS/700 (Cisco 776M)

I saw a note about this from somebody else in comp.dcom.isdn, and I am
pretty much in the same situation.  Since I haven't seen an answer yet...

I have a Cisco 776M for connecting to the Internet.  On the local side of
the router it's a SOHO LAN, TCP/IP over Ethernet, with four to five
Win95-based machines and, later, one NT box and possibly a Linux box.  
There are a couple of printers on micro-servers, so I'm not doing any
printer sharing, however one selected directory on each machine *is* set
up for read-only file sharing.

Does anyone have a group of filter rules for the 700 series that is
reasonably safe for connecting a LAN supporting file-sharing Win95 to the
'Net?  

I have some rules from Cisco that will prevent loopback attacks and so
on, and I know how to block NetBIOS queries and local LAN traffic from
making it out to the Internet.  What I *don't* have is a clear enough
understanding of things to be sure I'm correctly setting up filters to
prevent people from getting into the LAN.  

I will be offering no services, and there will be no ISDN dial-in
capabilities.  Basically, anything that comes to me unrequested (with the
SYN flag set, I assume?) from the WAN side, I want to reject with extreme
prejudice... but I still want to be able to FTP, etc.  I have a dynamic
IP address, and I am running NAT inside the box so *supposedly*, I am
told, it wouldn't be possible to get anything useful back onto the LAN
even via IP spoofing.  But before I get complacent, I wanted to ask the
gurus.

So, how about it?  Has anyone who would be willing to share, set up a
batch of IOS-700 filters that makes a reasonable firewall (well, as best
as is possible with packet-level filtering within a router)?

(BTW, I have an old 486 or a slow Pentium I could press into service with
a couple of NICs to insert a "real" firewall (proxy server, etc.)  If
anyone has thoughts or recommendations I would love to hear them... but
I'd still like to do the best possible job with the router filtering,
too.)

Thanks,
James
