The following access list examples are designed based upon many of the well-known port numbers found within the TCP/IP protocol stack. For a list of some of the more common well-known port numbers, refer to Table 10-2, which appears later in the case study.
The following two access-list commands allow Domain Name System (DNS, port 53) and Network Time Protocol (NTP, port 123) requests and replies based upon their TCP/IP port numbers:

    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 123

The following command denies the Network File Server (NFS) User Datagram Protocol (UDP, port 2049) port:

    access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2049

The following commands deny OpenWindows on ports 2001 and 2002 and deny X11 on ports 6001 and 6002. This protects the first two screens on any host. If you have any machine that uses more than the first two screens, be sure to block the appropriate ports.

    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6001
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 6002
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2001
    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 2002

The following command permits Telnet access from anyone to the communication server (125.50.13.2):

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.2 0.0.0.0 eq 23

The following commands permit FTP access from anyone to the host 125.50.13.100 on subnet 125.50.13.0:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 21
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 20

For the following examples, network 125.50.1.0 is on the internal network as shown in Figure 10-3. The following access-list commands permit TCP and UDP connections for port numbers greater than 1023 to a very limited set of hosts. Make sure no communication servers or protocol translators are in this list.

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 gt 1023
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.101 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 gt 1023
    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.1.101 0.0.0.0 gt 1023

Standard FTP uses ports above 1023 for its data connections; therefore, for standard FTP operation, ports above 1023 must all be open. For more details, see the File Transfer (FTP) Port Questions later in the Additional Firewall Security Considerations section of this case study.

The following access-list commands permit DNS access to the DNS server(s) listed by the Network Information Center (NIC):

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 53
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 eq 53

The following commands permit incoming Simple Mail Transfer Protocol (SMTP) e-mail to only a few machines:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100 0.0.0.0 eq 25
    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100 0.0.0.0 eq 25

The following commands allow internal Network News Transfer Protocol (NNTP) servers to receive NNTP connections from a list of authorized peers:

    access-list 101 permit tcp 56.1.0.18 0.0.0.1 125.50.1.100 0.0.0.0 eq 119
    access-list 101 permit tcp 182.12.18.32 0.0.0.0 125.50.1.100 0.0.0.0 eq 119

The following command permits Internet Control Message Protocol (ICMP) for error message feedback:

    access-list 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255