ACLs/Firewall Effect on Services
by admin on Jul.31, 2006, under Firewalls, Networking
Just wanted to post about controlling services like DNS, FTP, SMTP etc. If you don’t have a firewall but do have a Cisco router, you can control ports with ACLs. You will need an extended ACL, so the command starts with “ip access-list extended”. Since these get confusing when you have a lot of them, give each one a name that describes either the traffic it affects or what you are trying to do with it. The command then looks like “ip access-list extended test”, test being the name of the ACL.

Under that command you get a submenu. Each entry there is deny or permit, then a protocol such as ip, tcp or udp, then the source traffic affected as X.X.X.X X.X.X.X, then the destination as X.X.X.X X.X.X.X. The first set of Xs is the IP network and the second is the wildcard mask, so for example 192.168.0.0 0.0.255.255 would be anything in the 192.168.0.0 networks. You can also match a single IP address by specifying host X.X.X.X with no wildcard mask, in place of the IP network and wildcard mask. Another good thing to remember is that the any keyword means everything, so you might want traffic from 192.168.0.0 0.0.255.255 to any destination. With an extended ACL you can also specify ports: use the tcp or udp keyword after the permit or deny, then after the source and destination part put eq and the port number.
Here is an example extended ACL:
ip access-list extended test
permit tcp 192.168.0.0 0.0.255.255 any eq 80
deny ip any any log
That ACL named test permits HTTP traffic from the 192.168.0.0 networks to anywhere on port 80, and the next line denies everything else. You will notice that I used the keyword log, which takes any matches to that access list entry and sends them to a syslog server if you have one set up.
There are a lot of things you can play around with here, but this will get you started. Now, as I said at the start, you have to be careful with things like FTP when you put ACLs in place, because certain services like FTP will jump ports mid-session and ACLs can block them. That is why, if you are having problems or are serving out content from servers through an ACL, a lot of times you need permit tcp any any established, which will let most of this traffic through. This is not a perfect solution: you may still get some stuff blocked, and it might let some unwanted traffic through. The better solution is to get a PIX firewall from Cisco. I will not go into the commands on this box in this post, but the PIX is able to watch the sessions that go in and out of its interfaces and open only the ports needed, as needed, between the two talking hosts. It does this with what Cisco calls “fixup protocol”. I will go into more detail about this in later posts unless someone comments with a specific question. In summary, if you really want to control access in and out of your network a PIX is the right way to do it; a router with ACLs is a temporary solution.
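To make the ACL syntax above and the established caveat concrete, here is a small added example (my own code, not Cisco’s and not from the original post) that parses extended ACL entries written the way the post writes them and evaluates constructed packets against them with first-match semantics. It models the wildcard mask (a 0 bit must match, a 1 bit is “don’t care”), the host and any shorthands, eq on the destination port, log, and established, which IOS matches on TCP segments carrying ACK or RST. The Packet fields, the addresses from the RFC 5737 documentation ranges and the packet mix are all constructed for illustration. It shows that the test ACL from the post blocks return traffic whose source is outside 192.168.0.0, that adding permit tcp any any established lets that return traffic through, and that an FTP active-mode data connection (a fresh SYN from the server’s port 20) is still denied, which is the “you may still get some stuff blocked” case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet model; field names are this example's own."""
    proto: str              # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag set
    rst: bool = False       # TCP RST flag set


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int]    # destination port from "eq N", if any
    established: bool       # only matches TCP with ACK or RST set
    log: bool               # IOS would send matches to syslog
    text: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: bits set to 1 in the mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _parse_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host X' or 'X WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def parse_acl(config: str) -> List[Rule]:
    """Parse the entries under an 'ip access-list extended NAME' header."""
    rules = []
    for line in config.strip().splitlines():
        t = line.split()
        if not t or t[0] == "ip":           # skip the header line itself
            continue
        action, proto = t[0], t[1]
        src, src_wild, i = _parse_addr(t, 2)
        dst, dst_wild, i = _parse_addr(t, i)
        dport, established, log = None, False, False
        while i < len(t):                   # trailing keywords, as in the post
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                established, i = True, i + 1
            elif t[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        rules.append(Rule(action, proto, src, src_wild, dst, dst_wild,
                          dport, established, log, line.strip()))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, r.src, r.src_wild):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wild):
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not (pkt.ack or pkt.rst):
            continue
        return r.action, r.text
    return "deny", "implicit deny ip any any"


# The ACL from the post, and the same ACL with the established entry added.
PAGE_ACL = """
ip access-list extended test
permit tcp 192.168.0.0 0.0.255.255 any eq 80
deny ip any any log
"""
WITH_ESTABLISHED = """
ip access-list extended test
permit tcp 192.168.0.0 0.0.255.255 any eq 80
permit tcp any any established
deny ip any any log
"""

# Constructed traffic: an inside client browsing, the reply to it, an FTP
# active-mode data connection opened by the server, and a new inbound FTP login.
PACKETS = {
    "client_http":     Packet("tcp", "192.168.5.7", "203.0.113.10", 51000, 80),
    "return_http":     Packet("tcp", "203.0.113.10", "192.168.5.7", 80, 51000, ack=True),
    "ftp_active_data": Packet("tcp", "203.0.113.10", "192.168.5.7", 20, 51001),
    "new_inbound_ftp": Packet("tcp", "198.51.100.4", "192.168.5.7", 40000, 21),
}


def demo() -> dict:
    """Which action each constructed packet gets under each ACL variant."""
    results = {}
    for name, cfg in (("test", PAGE_ACL), ("test+established", WITH_ESTABLISHED)):
        rules = parse_acl(cfg)
        results[name] = {k: evaluate(rules, p)[0] for k, p in PACKETS.items()}
    return results


if __name__ == "__main__":
    for acl, verdicts in demo().items():
        print(acl, verdicts)
```

The evaluator only checks which entry a packet would match; on a real router the ACL also has to be applied on the right interface and direction to see that traffic at all, which is a separate and common source of “why is this blocked” questions.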
For those of you who say “I can’t put a firewall in between my segments”, there is an IOS firewall solution where the Cisco router runs something called CBAC, which can do the same basic inspection as a PIX. More info later.