Re: land protection for cisco

Richard Huddleston (huddler@EARTHLINK.NET)
Fri, 21 Nov 1997 15:04:53 -0500

Minor corrections:

1) Each interface typically belongs to a distinct network, and therefore
typically has a unique IP address. Setting up a SINGLE access-group,
with the SINGLE address of one of your interfaces as its filtering rule,
and then applying that SINGLE access-group to each of your interfaces
(i.e., different IP addresses) won't work. (A router already implements
such a "rule" by the very nature of what it does: by forwarding packets
for a given address through the proper route, it does not forward packets
through inappropriate routes. The access-group rule given would be
vacuous for every interface except the one matching its IP address rule.)

I'd suggest that you create an access-group for EACH interface, and then
apply the appropriate one to the given interface.

2) If you're trying to protect internal devices, as well, you may as well
go ahead and filter for the entire subnet with the access-group definition.
That way, you'll nail both attempts to hit the router interface per se, and
block attempts to get through to internal machines.

./R*

At 05:01 PM 11/21/97 +0200, Stefan Stefanov wrote:
>hi.
>
>Here is a simple protection against the land stuff for the cisco's. It's a
>extended ip access list that should be put on all the intefaces on the
>box.
>
>Extended IP Access list 105
>deny tcp host 111.111.111.111 host 111.111.111.111
>permit ip any any
>
>where 111.111.111.111 is the interface's ip address. This should be put
>as
>an input access-group.
>
>Or if you don't get it here's what to type on your cisco's console.
>
>rtr#config terminal
>rtr(config)#access-list 105 deny tcp 111.111.111.111 0.0.0.0
111.111.111.111 0.0.0.0
>rtr(config)#access-list 105 permit ip any any
>rtr(config)#interface ethernet 0
>rtr(config)#ip access-group 105 in
>rtr(config)#exit
>rtr(config)#interface serial 0
>rtr(config)#ip access-group 105 in
>
>and so on for the rest of the interfaces... Replace 105 with a free
>extended access-list number.
>
>I have tested it on our cisco 2511 and it works just ok.
>
>Best regards, Stefan Stefanov.
>
>WWW: http://www.bis.bg/~stefan
>E-mail: stefan@bis.bg
>
>

--
Somewhere lurking in the Ort Cloud there's a fifty-mile-wide asteroid
with our name on it.  We deserve it.    -- Alan C. Hines <ach@io.com>

huddler at earth link dot net