Stopping external ICMP requests.
beenframed
Senior Member

Registered: Sep 2000 Location: NYC Country: USA State: Certifications: A+ Working on:
Total Posts: 396
I know how to disable inbound ICMP requests on a firewall, but how is that done if there is no firewall in place and I am only using a router?
thanks,
bf-
__________________
BeenFramed
07-23-01 05:35 PM
dmaftei
Senior Member M
Registered: Nov 2000 Location: Country: USA State: Certifications: none Working on: none
Total Posts: 2156
Router(config)#access-list 111 deny icmp any any
Router(config)#access-list 111 permit ip any any
Apply inbound on the interface you want to protect. You can fine-tune the "deny icmp" with ICMP message types. Try a "?" at the end of the first command. Test it before you put it on your production routers (and keep a console ready).
07-23-01 05:48 PM
depamo
Burning at both ends M

Registered: Jul 2001 Location: Houston, Texas Country: United States State: Certifications: CCDA, CCNA, CCNP, CISSP, SAP Basis, SCSA Working on: If I need anymore, I quit.....
Total Posts: 482
Inbound Access List
If you have outside management that needs to use ICMP to track your network, for those reasons you would want to ensure that you get their IP addresses or the group of addresses that they would come from. Otherwise you would use an access list applied to the interface that connects to the outside world.
Here is the syntax:
access-list access-list-number {deny | permit} protocol source
source-wildcard destination destination-wildcard [precedence
precedence] [tos tos] [established] [log]
(From global config: the first line allows your network management people through, the second keeps the rest from passing ICMP through, and the last passes the rest of the traffic through.)
access-list 102 permit icmp <NM IP Network Here> <Matching wild card> 0.0.0.0 255.255.255.255
access-list 102 deny icmp any any
access-list 102 permit ip any any
Go to your external-facing interface from global configuration and apply it as an inbound filter:
ip access-group 102 in
Pretty simple stuff. Remember that if you are doing this on your home system, some programs will use ping to verify your responsiveness, some games and Napster. Also your router will have to process-switch traffic to check it against the access lists.
__________________
A Black Hole is God dividing by zero.
Last edited by depamo on 07-23-01 at 06:48 PM
07-23-01 06:02 PM
doctorcisco
Senior Member
Registered: Dec 2000 Location: Chicago Burbs Country: USA State: IL Certifications: Working on: Everything there is
Total Posts: 370
Re: Inbound Access List
quote: Originally posted by depamo
Remember that if you are doing this on your home system, some programs will use ping to verify your responsiveness, some games and Napster. Also your router will have to process-switch traffic to check it against the access lists.
Also remember:
1) No internal users (including you, of course) will be able to use ping or traceroute through that interface; the replies will never make it back.
2) Users will never get destination unreachable, source quench, or any other ICMP messages from beyond that interface; this could break some applications and cause other interesting TCP and/or IP issues. (What exactly would happen if you have more bandwidth than an FTP server you're uploading to and source quench messages never got to you from the server? I don't know the answer ....)
3) You are still susceptible to a DOS or DDOS attack; the attacker can flood your link with inbound ICMP traffic even if the router isn't letting it through. I once had an unfirewalled site under DDOS attack, and the attacker filled a T1 with inbound pings even after I put a similar filter in place and the site wasn't answering. I had to have the ISP put a filter on the router interface at the other end to recover use of the link.
Just by the way, the 3 IP addresses this attack came from were all home users with DSL or cable modems; all 3 were hacked and used as platforms by the (unknown) actual attacker. If you have DSL or cable, PLEASE protect your equipment!
FWIW,
doctorcisco
__________________
Silicon ... just fancy sand.
07-25-01 04:47 PM
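An added example (not code from this thread) that models the first-match evaluation of the numbered access-list 102 posted above and shows doctorcisco's point 1: an inbound "deny icmp any any" drops echo replies to inside users as well as outside pings. The management network 192.0.2.0 0.0.0.255 and all packet addresses are constructed placeholders, and ICMP message types are not modelled.

```python
# Added example, not from the thread: first-match evaluation of depamo's ACL 102.
# Management network 192.0.2.0 0.0.0.255 and packet addresses are constructed.
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


# (action, protocol, src, src_wildcard, dst, dst_wildcard); "any" is 0.0.0.0 255.255.255.255
ACL_102 = [
    ("permit", "icmp", "192.0.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("deny", "icmp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def evaluate(acl, proto: str, src: str, dst: str) -> tuple:
    """Return (action, index of matching entry); index -1 means the implicit deny."""
    for i, (action, p, s, sw, d, dw) in enumerate(acl):
        if p != "ip" and p != proto:  # "ip" matches every protocol
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, i
    return "deny", -1  # every Cisco ACL ends with an implicit deny


# Constructed inbound packets as seen on the outside interface.
PACKETS = {
    "nms_ping": ("icmp", "192.0.2.10", "10.0.0.1"),  # monitoring host, permitted
    "outside_ping": ("icmp", "203.0.113.5", "10.0.0.1"),  # unknown source, denied
    "web_request": ("tcp", "203.0.113.5", "10.0.0.1"),  # non-ICMP passes
    "reply_to_user": ("icmp", "198.51.100.1", "10.0.0.7"),  # echo reply for an inside ping, also denied
}


def decisions(acl=ACL_102) -> dict:
    """Action taken for each constructed packet under the given ACL."""
    return {name: evaluate(acl, *pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:14s} -> {action}")
```

Dropping the final "permit ip any any" line leaves only the implicit deny for non-ICMP traffic, which is why the third entry is required.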
Retired-Mod
Senior Member
Registered: Jun 2001 Location: Washington DC Country: United States State: Certifications: Working on: Head MuckyMuck
Total Posts: 178
And the reason the Doc's T1 was vulnerable was that the attack was not addressed until it reached his router. This is bad for two reasons. First, his T1 is flooded with this traffic, and secondly, his router (depending on model) has a good chance of being overwhelmed (CPU usage) because it has to process every packet before denying and dropping it with the access-list. This is why it is common practice to alert the ISP and let them handle it upstream from you on their more powerful equipment.
Nice answer Doc and sorry ya got attacked!
Yankee
07-25-01 10:18 PM
depamo
Burning at both ends M

Registered: Jul 2001 Location: Houston, Texas Country: United States State: Certifications: CCDA, CCNA, CCNP, CISSP, SAP Basis, SCSA Working on: If I need anymore, I quit.....
Total Posts: 482
DSL or cable modem
Protect your home site; putting software on your computer is usually not enough. Remember, if you just use software, they have already reached your computer and have gone up the protocol stack to where the software has identified an issue. Anything at Layer 4 or higher in the OSI model is bad news!! Cable and DSL routers are so cheap right now (one month's cable bill, $100.00) you would be kidding yourself if you didn't get one. Most you can just put into place and not even have to program at all. You have services also; they usually have DMZ settings and port forwarding capabilities. You also get the great fun of a full NAT (actually more like a PAT) so you can hook up all your computers on one line. VPN pass-through is also a big thing to look for. Don't worry about the 100Mb/s switches on them; remember that cable modems only run at 10Mb/s!!
Not for everyone, but after getting hacked for the umpteenth time at home with firewall software on my computer, I had to do something. I haven't been hit lately (over 4 months) since I got the cable router. I do have a web site up and running that I pass SMTP, HTTP, HTTPS, and DNS through to the web server and haven't had a problem yet. I pass ports through to my other computer for using web phone and stuff also.
Good luck and
__________________
A Black Hole is God dividing by zero.
07-26-01 01:16 PM
dmaftei
Senior Member M
Registered: Nov 2000 Location: Country: USA State: Certifications: none Working on: none
Total Posts: 2156
Re: DSL or cable modem
quote: Originally posted by depamo
I do have a web site up and running...
Won't share the URL with us?!
07-26-01 02:07 PM
depamo
Burning at both ends M

Registered: Jul 2001 Location: Houston, Texas Country: United States State: Certifications: CCDA, CCNA, CCNP, CISSP, SAP Basis, SCSA Working on: If I need anymore, I quit.....
Total Posts: 482
Not just quick, very quick
I do have my reasons, mostly I just hate having to reload all the software, and I have been having such good luck lately.
Until I get the firewall configured correctly, would really hate to have a professional level DOS or DDOS from someone for kicks.
There are also some items on it that I would like to remain unseen.
__________________
A Black Hole is God dividing by zero.
07-27-01 02:42 PM