if (env=ARM) 0xE1A00000

Networking | 2010-10-14 03:00:32

While going through my CCNA Security books I noticed that they recommend blocking, at the router, a long list of ports for services that are insecure on end devices. Compiling them all together gives the following working ACL, which can be implemented as-is.

Keep in mind that the RFC1918 address blocking (included to conform with RFC2827) must be adjusted to your topology, and that this list may block services you want running.

remark DENY TCPMUX
deny tcp any any eq 1
deny udp any any eq 1
remark DENY ECHO
deny tcp any any eq 7
deny udp any any eq 7
remark DENY DISCARD
deny tcp any any eq 9
deny udp any any eq 9
remark DENY SYSTAT
deny tcp any any eq 11
remark DENY DAYTIME
deny tcp any any eq 13
deny udp any any eq 13
remark DENY NETSTAT
deny tcp any any eq 15
remark DENY CHARGEN
deny tcp any any eq 19
deny udp any any eq 19
remark DENY TIME
deny tcp any any eq 37
deny udp any any eq 37
remark DENY WHOIS
deny tcp any any eq 43
remark DENY BOOTP
deny udp any any eq 67
remark DENY TFTP-DC OK
deny udp any any eq 69
remark DENY FINGER
deny tcp any any eq 79
remark DENY SUPDUP
deny tcp any any eq 93
remark DENY SUNRPC
deny tcp any any eq 111
deny udp any any eq 111
remark DENY LOC-SRV
deny tcp any any eq 135
deny udp any any eq 135
remark DENY NB-NS
deny tcp any any eq 137
deny udp any any eq 137
remark DENY NB-DGN
deny tcp any any eq 138
deny udp any any eq 138
remark DENY NB-SSN
deny tcp any any eq 139
deny udp any any eq 139
remark DENY SNMP
deny tcp any any eq 161
deny udp any any eq 161
remark DENY SNMP TRAP
deny tcp any any eq 162
deny udp any any eq 162
remark DENY XDMCP
deny udp any any eq 177
remark DENY NETBIOS
deny tcp any any eq 445
remark DENY REXEC
deny tcp any any eq 512
remark DENY RLOGIN WHO
deny tcp any any eq 513
deny udp any any eq 513
remark DENY RSH RCP
deny tcp any any eq 514
remark DENY SYSLOG
deny udp any any eq 514
remark DENY LPR
deny tcp any any eq 515
remark DENY TALK
deny udp any any eq 517
remark DENY NTALK
deny udp any any eq 518
remark DENY UUCP
deny tcp any any eq 540
remark DENY NEW-WHO
deny tcp any any eq 550
deny udp any any eq 550
remark DENY IRC
deny tcp any any eq 667
remark DENY MS UPNP SSDP
deny tcp any any eq 1900
deny udp any any eq 1900
deny tcp any any eq 5000
deny udp any any eq 5000
remark DENY NFS
deny udp any any eq 2049
remark DENY XWINDOW
deny tcp any any range 6000 6063
remark DENY NETBUS
deny tcp any any range 12345 12346
remark DENY BACKORIFICE
deny tcp any any eq 31337
deny udp any any eq 31337
remark PERMIT NEEDED ICMP
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any source-quench
remark DENY UNNEEDED ICMP
deny icmp any any
remark DENY UNROUTABLE ADDRESSES
deny ip any 0.0.0.0 0.255.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 224.0.0.0 15.255.255.255
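To see how the router walks this list, here is an added example (not from the original post) that parses a subset of the ACL above in Cisco extended-ACL syntax and evaluates sample packets against it, first match wins. It assumes contiguous wildcard masks and no source-port, established or log keywords, and it makes two points visible: the "permit icmp" lines must precede "deny icmp any any", and an ACL with no trailing permit ends in the implicit deny.

```python
import ipaddress

# Constructed sample: a subset of the page's ACL in Cisco extended-ACL syntax.
ACL_TEXT = """\
deny tcp any any eq 7
deny tcp any any range 6000 6063
permit icmp any any parameter-problem
deny icmp any any
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
"""

def wildcard_to_network(addr, wildcard):
    # Cisco wildcards are inverted netmasks (assumed contiguous): 0.15.255.255 = 20 host bits = /12
    host_bits = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def _take_addr(tokens):
    # Consume either 'any' or 'address wildcard' and return the remaining tokens.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse deny/permit lines into tuples; 'remark' lines are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, rest = _take_addr(t[2:])
        dst, rest = _take_addr(rest)
        ports = icmp_type = None
        if t[1] == "icmp" and rest:
            icmp_type = rest[0]                      # e.g. parameter-problem
        elif rest and rest[0] in ("eq", "range"):
            ports = (int(rest[1]), int(rest[-1]))    # destination port window
        aces.append((line, t[0], t[1], src, dst, ports, icmp_type))
    return aces

def evaluate(aces, proto, src, dst, dport=None, icmp_type=None):
    """First matching entry wins; with no match the ACL's implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, aproto, asrc, adst, ports, atype in aces:
        if (aproto not in ("ip", proto) or s not in asrc or d not in adst
                or (ports and not (dport is not None and ports[0] <= dport <= ports[1]))
                or (atype and atype != icmp_type)):
            continue
        return action, line
    return "deny", "implicit deny"
```

Appending "permit ip any any" to the sample text turns the implicit deny on ordinary traffic into a permit while every explicit deny above it still applies.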