Router Security Configuration Guide, Version 1.0g   UNCLASSIFIED   Page 188

Step 3. Set up an Outbound Access List

Before CBAC can do its work, there must be an access list applied to traffic from the trusted network to the untrusted network. This access list must permit the protocols on the desired services list, and it must be an extended IP access list, because CBAC needs the protocol and port information that a standard (address-only) list does not carry. The source address for each rule in the access list should be a network address or address range valid for the trusted network, so that only correctly addressed traffic from the inside leaves through the router; the destination address can be the catch-all any. For more information about access lists, see Section 4.3.

The example below shows an access list for our desired services list: ICMP, NTP, DNS, HTTP, FTP and Telnet to any destination, plus SMTP and POP3 to host 14.2.9.3 only. In this example, the access list is applied to the outside interface, in the outbound direction; in general, this is a safe choice.

South(config)# ! Create the access list
South(config)# no access-list 110
South(config)# ip access-list extended 110
South(config-ext-nacl)# permit icmp 14.2.10.0 0.0.0.255 any
South(config-ext-nacl)# permit udp 14.2.10.0 0.0.0.255 any eq ntp
South(config-ext-nacl)# permit udp 14.2.10.0 0.0.0.255 any eq domain
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 any eq www
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 any eq ftp
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 any eq telnet
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq smtp
South(config-ext-nacl)# permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq pop3
South(config-ext-nacl)# deny ip any any
South(config-ext-nacl)# exit
South(config)# ! Apply the access list to the outside interface
South(config)# interface eth 0/0
South(config-if)# ip access-group 110 out
South(config-if)# exit
South(config)#

Step 4. Set up an Inbound Access List

CBAC works by modifying inbound access lists: when it inspects a permitted outbound session, it adds temporary entries that admit only that session's return traffic, and removes them when the session ends or times out. It can work with an access list applied to the interface on the trusted network, on the untrusted network, or even both.

An inbound access list intended for use with a simple CBAC firewall scheme should block all TCP and UDP services, even those on the desired services list; the openings for permitted sessions are created by CBAC, not by static rules. The example access list below blocks all TCP and UDP traffic, permits a modest set of useful ICMP messages, and permits the RIP routing protocol (see Section 4.3).

South(config)# ! create inbound access list for CBAC to work on
South(config)# no access-list 111
South(config)# ip access-list extended 111
South(config-ext-nacl)# permit icmp any any echo-reply
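To make the interaction between Steps 3 and 4 concrete, here is a small Python model of how the router evaluates the two lists and what "CBAC modifies the inbound list" means in practice. It is an added example written for this page, not code from the Router Security Configuration Guide or from Cisco, and it is a simulation rather than IOS configuration. It parses list 110 exactly as shown above; list 111 is only partly visible on the page, so the inbound list used here (the echo-reply line plus deny ip any any) and the assumption that CBAC inspects generic TCP and UDP are both constructed for the example, as are the test addresses and ports.

```python
"""Toy model of Cisco IOS extended-ACL matching plus the temporary return-path
entries CBAC adds ahead of an inbound list. Added example for this page, not code
from the Router Security Configuration Guide or from Cisco. Handles only the ACL
syntax used on this page (contiguous wildcard masks, 'eq' on the destination port,
ICMP type keywords); list 111 and the inspection rule set are assumptions."""
import ipaddress
from collections import namedtuple

PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110,
         "domain": 53, "ntp": 123}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# dport is the TCP/UDP destination port, or the ICMP type when proto == "icmp".
Packet = namedtuple("Packet", "proto src dst dport sport", defaults=(0, 0))
# dport/sport of None match any port; sport is only set on CBAC's dynamic entries.
Entry = namedtuple("Entry", "action proto src dst dport sport", defaults=(None,))

def _parse_addr(tokens):
    """Consume one IOS address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is an inverted netmask: 0 bits must match exactly.
    wild = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse permit/deny lines of an extended ACL, preserving their order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if proto == "icmp" and rest:
            dport = ICMP_TYPES[rest[0]]
        elif rest and rest[0] == "eq":
            dport = PORTS.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return e.sport is None or e.sport == p.sport

def evaluate(acl, packet):
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for e in acl:
        if _matches(e, packet):
            return e.action
    return "deny"

class CbacRouter:
    """Outside interface: list 110 outbound, list 111 inbound, CBAC on the way out."""
    def __init__(self, outbound, inbound, inspected):
        self.outbound, self.inbound = outbound, inbound
        self.inspected = set(inspected)
        self.dynamic = []   # temporary entries CBAC opened for return traffic

    def send_out(self, p):
        """Trusted -> untrusted; an inspected, permitted packet opens its reverse 5-tuple."""
        if evaluate(self.outbound, p) != "permit":
            return "deny"
        if p.proto in self.inspected:
            self.dynamic.append(Entry("permit", p.proto,
                                      ipaddress.ip_network(p.dst + "/32"),
                                      ipaddress.ip_network(p.src + "/32"),
                                      dport=p.sport, sport=p.dport))
        return "permit"

    def receive_in(self, p):
        """Untrusted -> trusted: dynamic entries are consulted before list 111."""
        return evaluate(self.dynamic + self.inbound, p)

OUTBOUND_110 = """permit icmp 14.2.10.0 0.0.0.255 any
permit udp 14.2.10.0 0.0.0.255 any eq ntp
permit udp 14.2.10.0 0.0.0.255 any eq domain
permit tcp 14.2.10.0 0.0.0.255 any eq www
permit tcp 14.2.10.0 0.0.0.255 any eq ftp
permit tcp 14.2.10.0 0.0.0.255 any eq telnet
permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq smtp
permit tcp 14.2.10.0 0.0.0.255 host 14.2.9.3 eq pop3
deny ip any any"""
# Assumed list 111: the one echo-reply line the page shows, then deny everything.
INBOUND_111 = """permit icmp any any echo-reply
deny ip any any"""

def south_router():
    """Router South as configured above; assumes CBAC inspects plain tcp and udp."""
    return CbacRouter(parse_acl(OUTBOUND_110), parse_acl(INBOUND_111), ["tcp", "udp"])
```

Driving the model with a web session from 14.2.10.7 shows the point of Step 4: a reply from the server is dropped by the static inbound list until the inside host has sent its request, after which only the exact reverse 5-tuple is open, so the same server cannot reach a different port on that host, and an outsider still cannot reach Telnet on the inside even though Telnet is on the desired services list. The model leaves out what real CBAC also does (TCP state tracking, idle and half-open timeouts, application-aware inspection such as FTP data channels), so it illustrates the access-list mechanics, not the whole firewall.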