! Illuzion's Access List - If you must deny by exception...
!
!
! To use this entire access list without serious performance degradation, you need
! Turbo ACL support, which is available on 7000/12000 series routers with IOS 12.1
! or later. To enable turbo access lists on a router, use the configuration mode command:
! "access-list compiled". Once this facility is enabled, IOS will automatically compile
! all suitable access lists into fast lookup tables, while preserving their matching
! semantics. Once you have enabled turbo access lists, you can view statistics about
! them using the command: "show access-list compiled".
!
!
! Beginning of access-list 101
!
! For external interface of external router
! Apply to incoming traffic
!
! Based on NSA Router Security Configuration Guide
!
!
! access-list 101 deny icmp any any ! icmp (ping)
access-list 101 deny tcp any any eq 1 ! tcpmux
access-list 101 deny udp any any eq 1 ! tcpmux
access-list 101 deny tcp any any eq 7 ! echo
access-list 101 deny udp any any eq 7 ! echo
access-list 101 deny tcp any any eq 9 ! discard
access-list 101 deny udp any any eq 9 ! discard
access-list 101 deny tcp any any eq 11 ! systat
access-list 101 deny tcp any any eq 13 ! daytime
access-list 101 deny udp any any eq 13 ! daytime
access-list 101 deny tcp any any eq 15 ! netstat
access-list 101 deny tcp any any eq 19 ! chargen
access-list 101 deny udp any any eq 19 ! chargen
access-list 101 deny tcp any any range 20 21 ! ftp-data, ftp
access-list 101 deny tcp any any eq 23 ! telnet
access-list 101 deny tcp any any eq 37 ! time
access-list 101 deny udp any any eq 37 ! time
access-list 101 deny tcp any any eq 43 ! whois
access-list 101 deny tcp any any eq 53 ! Domain Name System
access-list 101 deny udp any any eq 67 ! bootps
access-list 101 deny udp any any eq 69 ! tftp
access-list 101 deny tcp any any eq 70 ! gopher
access-list 101 deny tcp any any eq 79 ! finger
access-list 101 deny udp any any eq 79 ! finger
access-list 101 deny tcp any any eq 93 ! supdup
access-list 101 deny tcp any any range 102 104 ! ISO, X.400, ITOT (May affect DMS)
access-list 101 deny tcp any any range 109 110 ! Post Office Protocol 2/3 (May affect DMS)
access-list 101 deny tcp any any eq 111 ! sunrpc
access-list 101 deny udp any any eq 111 ! sunrpc
access-list 101 deny tcp any any eq 119 ! Network News Protocol
access-list 101 deny udp any any eq 123 ! Network Time Protocol (May affect DMS)
access-list 101 deny tcp any any eq 135 ! loc-srv
access-list 101 deny udp any any eq 135 ! loc-srv
access-list 101 deny tcp any any range 137 139 ! NetBIOS Functions
access-list 101 deny udp any any range 137 139 ! NetBIOS Functions
access-list 101 deny udp any any eq 177 ! xdmcp
access-list 101 deny tcp any any eq 445 ! netbios
access-list 101 deny tcp any any range 512 514 ! Remote login
access-list 101 deny tcp any any eq 515 ! lpr (Spooler)
access-list 101 deny udp any any eq 517 ! talk
access-list 101 deny udp any any eq 518 ! ntalk
access-list 101 deny tcp any any eq 540 ! uucp
access-list 101 deny tcp any any eq 550 ! new who
access-list 101 deny udp any any eq 550 ! new who
access-list 101 deny tcp any any eq 1352 ! Lotus Notes
access-list 101 deny tcp any any eq 1525 ! Oracle
access-list 101 deny udp any any eq 1525 ! Oracle
access-list 101 deny tcp any any eq 1900 ! Microsoft UPnP SSDP
access-list 101 deny udp any any eq 1900 ! Microsoft UPnP SSDP
access-list 101 deny udp any any eq 2049 ! nfs
access-list 101 deny tcp any any eq 5000 ! Microsoft UPnP SSDP
access-list 101 deny udp any any eq 5000 ! Microsoft UPnP SSDP
access-list 101 deny tcp any any eq 2222 ! Subseven DDoS system and variants
access-list 101 deny tcp any any eq 6669 ! Subseven DDoS system and variants
access-list 101 deny tcp any any range 6711 6712 ! Subseven DDoS system and variants
access-list 101 deny tcp any any eq 6776 ! Subseven DDoS system and variants
access-list 101 deny tcp any any eq 7000 ! Subseven DDoS system and variants
access-list 101 deny tcp any any range 6000 6063 ! X Window System
access-list 101 deny tcp any any eq 6667 ! IRC
access-list 101 deny tcp any any eq 12345 ! NetBus
access-list 101 deny tcp any any eq 12346 ! NetBus
access-list 101 deny udp any any eq 27444 ! TRIN00 DDoS systems
access-list 101 deny tcp any any eq 27665 ! TRIN00 DDoS systems
access-list 101 deny udp any any eq 31335 ! TRIN00 DDoS systems
access-list 101 deny tcp any any eq 31337 ! Back Orifice
access-list 101 deny udp any any eq 31337 ! Back Orifice
access-list 101 deny tcp any any eq 33270 ! TrinityV3 system
access-list 101 deny tcp any any eq 39168 ! TrinityV3 system
access-list 101 deny tcp any any eq 16660 ! Stacheldraht DDoS system
access-list 101 deny tcp any any eq 65000 ! Stacheldraht DDoS system
!
!
! RFC 1918, localhost, broadcast, multicast, IP-less:
!
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
!
!
!
! Virus/worm/trojan/attack blocks
!
! access-list 101 deny tcp any any eq 31 ! Agent 31, Hacker's Paradise
! access-list 101 deny tcp any any eq 41 ! Deep Throat
! access-list 101 deny tcp any any eq 90 ! Hidden Port 2.0
! access-list 101 deny tcp any any eq 113 ! Kazimas [ident]
! access-list 101 deny tcp any any eq 121 ! Jammer Killah
! access-list 101 deny tcp any any eq 129 ! Password Generator Protocol
! access-list 101 deny tcp any any eq 146 ! Infector 1.3
! access-list 101 deny tcp any any eq 421 ! Tcp Wrappers
! access-list 101 deny udp any any eq 445 ! DCOM RPC (MSBlast Virus)
! access-list 101 deny tcp any any eq 456 ! Hacker's Paradise
! access-list 101 deny tcp any any eq 531 ! Rasmin [conference, rvd-control]
! access-list 101 deny tcp any any eq 555 ! Stealth Spy, Phaze, 7-11 Trojan
! access-list 101 deny tcp any any eq 559 ! Backdoor.Domwis
! access-list 101 deny tcp any any eq 593 ! WebDav (W32/Welchia Virus)
! access-list 101 deny tcp any any eq 666 ! Attack FTP
! access-list 101 deny udp any any eq 666 ! N0kN0k Trojan
! access-list 101 deny tcp any any eq 707 ! WebDav (W32/Welchia Virus)
! access-list 101 deny udp any any eq 707 ! WebDav (W32/Welchia Virus) [acctdisk]
! access-list 101 deny tcp any any eq 777 ! AIM Spy Application
! access-list 101 deny tcp any any eq 901 ! Backdoor.Devil
! access-list 101 deny tcp any any eq 902 ! Backdoor.Devil
! access-list 101 deny tcp any any eq 911 ! Dark Shadow
! access-list 101 deny udp any any range 990 998 ! W32/Sobig.F Virus
! access-list 101 deny tcp any any eq 999 ! Deep Throat
! access-list 101 deny tcp any any eq 1000 ! Der Spaeher
! access-list 101 deny tcp any any eq 1001 ! Silencer, WebEx
! access-list 101 deny tcp any any eq 1011 ! Doly Trojan
! access-list 101 deny tcp any any eq 1012 ! Doly Trojan
! access-list 101 deny tcp any any eq 1015 ! Doly Trojan
! access-list 101 deny tcp any any eq 1024 ! NetSpy
! access-list 101 deny udp any any eq 1025 ! Maverick's Matrix
! access-list 101 deny tcp any any eq 1033 ! NetSpy
! access-list 101 deny tcp any any eq 1034 ! Backdoor.Systec
! access-list 101 deny tcp any any eq 1042 ! Bla
! access-list 101 deny tcp any any eq 1045 ! Rasmin
! access-list 101 deny tcp any any eq 1111 ! Backdoor.Aimvision
! access-list 101 deny tcp any any eq 1218 ! Backdoor.Sazo
! access-list 101 deny tcp any any eq 1234 ! Ultors Trojan
! access-list 101 deny tcp any any eq 1243 ! Sub Seven
! access-list 101 deny tcp any any eq 1245 ! VooDoo Doll
! access-list 101 deny tcp any any eq 1269 ! Maverick's Matrix
! access-list 101 deny udp any any eq 1349 ! BackOrifice DLL Comm
! access-list 101 deny tcp any any eq 1394 ! GoFriller, Backdoor G-1
! access-list 101 deny tcp any any eq 1492 ! FTP99CMP
! access-list 101 deny tcp any any eq 1505 ! FunkProxy
! access-list 101 deny tcp any any eq 1509 ! Psyber Streaming server
! access-list 101 deny tcp any any eq 1533 ! Backdoor.Miffice
! access-list 101 deny tcp any any eq 1600 ! Shivka-Burka
! access-list 101 deny tcp any any eq 1604 ! ICA Browser
! access-list 101 deny tcp any any eq 1772 ! Backdoor.NetControle
! access-list 101 deny tcp any any eq 1807 ! SpySender
! access-list 101 deny tcp any any eq 1981 ! Shockrave
! access-list 101 deny tcp any any eq 1999 ! Backdoor
! access-list 101 deny tcp any any eq 2000 ! Backdoor.Fearic
! access-list 101 deny tcp any any eq 2001 ! Trojan Cow
! access-list 101 deny tcp any any range 2002 2005 ! Transcout
! access-list 101 deny tcp any any eq 2023 ! Ripper
! access-list 101 deny tcp any any eq 2090 ! Backdoor.Expjan
! access-list 101 deny tcp any any eq 2115 ! Bugs
! access-list 101 deny tcp any any eq 2140 ! Deep Throat
! access-list 101 deny udp any any eq 2140 ! Deep Throat
! access-list 101 deny tcp any any eq 2155 ! Illusion Mailer
! access-list 101 deny tcp any any eq 2283 ! Dumaru.Y
! access-list 101 deny tcp any any eq 2414 ! vbs.shania
! access-list 101 deny tcp any any eq 2565 ! Striker
! access-list 101 deny tcp any any eq 2583 ! WinCrash
! access-list 101 deny tcp any any eq 2716 ! The Prayer
! access-list 101 deny tcp any any eq 2721 ! Phase Zero
! access-list 101 deny tcp any any eq 2766 ! W32.hllw.deadhat
! access-list 101 deny tcp any any eq 2801 ! Phineas Phucker
! access-list 101 deny udp any any eq 2989 ! Rat
! access-list 101 deny tcp any any eq 3024 ! WinCrash
! access-list 101 deny tcp any any eq 3028 ! Ring Zero
! access-list 101 deny tcp any any range 3127 3198 ! MyDoom.B@mm
! access-list 101 deny udp any any eq 3150 ! Deep Throat
! access-list 101 deny tcp any any eq 3256 ! W32.HLLW.Dax
! access-list 101 deny tcp any any eq 3332 ! Q0 Backdoor
! access-list 101 deny tcp any any eq 3737 ! Backdoor.helios
! access-list 101 deny tcp any any eq 3410 ! OptixPro.13B
! access-list 101 deny tcp any any eq 3456 ! Backdoor.Fearic
! access-list 101 deny udp any any eq 3456 ! Backdoor.Fearic
! access-list 101 deny tcp any any eq 3459 ! Eclipse 2000
! access-list 101 deny tcp any any eq 3547 ! Backdoor.Amitis.B
! access-list 101 deny tcp any any eq 3700 ! Portal of Doom
! access-list 101 deny tcp any any eq 3791 ! Eclypse
! access-list 101 deny udp any any eq 3801 ! Eclypse
! access-list 101 deny tcp any any eq 4001 ! Backdoor.OptixPro.13.C
! access-list 101 deny tcp any any eq 4092 ! WinCrash
! access-list 101 deny tcp any any eq 4128 ! Backdoor.rcserv
! access-list 101 deny tcp any any eq 4300 ! Backdoor.smokodoor
! access-list 101 deny tcp any any eq 4444 ! DCOM RPC (MSBlast Virus)
! access-list 101 deny tcp any any eq 4567 ! File Nail
! access-list 101 deny tcp any any eq 4590 ! ICQ Trojan
! access-list 101 deny tcp any any eq 4820 ! Backdoor.tuxder
! access-list 101 deny tcp any any eq 5001 ! Sockets de Troie
! access-list 101 deny tcp any any eq 5011 ! Ootlt
! access-list 101 deny tcp any any range 5031 5032 ! Net Metropolitan
! access-list 101 deny tcp any any eq 5190 ! W32.hllw.anig (ICQ/AIM)
! access-list 101 deny tcp any any eq 5321 ! Firehotcker
! access-list 101 deny tcp any any range 5400 5402 ! Blade Runner
! access-list 101 deny tcp any any range 5418 5419 ! Backdoor.DarkSky.B
! access-list 101 deny udp any any eq 5503 ! Remote Shell Trojan
! access-list 101 deny tcp any any eq 5152 ! Backdoor.laphex.client
! access-list 101 deny tcp any any eq 5521 ! Illusion Mailer
! access-list 101 deny tcp any any eq 5550 ! Xtcp
! access-list 101 deny tcp any any eq 5512 ! Xtcp
! access-list 101 deny tcp any any eq 5553 ! Backdoor.Xlog
! access-list 101 deny tcp any any eq 5555 ! Backdoor.Sysbug, Backdoor.OptixPro [mtb]
! access-list 101 deny tcp any any range 5556 5557 ! BO Facil
! access-list 101 deny tcp any any eq 5558 ! Backdoor.Easyserv
! access-list 101 deny tcp any any eq 5588 ! Backdoor.EasyServ
! access-list 101 deny tcp any any eq 5569 ! Robo-Hack
! access-list 101 deny tcp any any range 5637 5638 ! PC Crasher
! access-list 101 deny tcp any any eq 5714 ! WinCrash
! access-list 101 deny tcp any any range 5741 5742 ! WinCrash
! access-list 101 deny tcp any any eq 6129 ! DameWare Buffer overflow exploit
! access-list 101 deny udp any any eq 6129 ! DameWare Buffer overflow exploit
! access-list 101 deny tcp any any eq 6400 ! The Thing
! access-list 101 deny tcp any any eq 6669 ! Sub-7
! access-list 101 deny tcp any any range 6670 6671 ! Deep Throat
! access-list 101 deny tcp any any range 6711 6713 ! Sub Seven
! access-list 101 deny tcp any any eq 6723 ! Mstream attack-handler
! access-list 101 deny tcp any any eq 6771 ! Deep Throat
! access-list 101 deny tcp any any eq 6777 ! W32/Bagle@MM
! access-list 101 deny udp any any eq 6838 ! Mstream Agent-handler
! access-list 101 deny tcp any any eq 6912 ! Sh*t Heap
! access-list 101 deny tcp any any eq 6939 ! Indoctrination
! access-list 101 deny tcp any any eq 6969 ! Backdoor.Sparta.B
! access-list 101 deny tcp any any eq 6970 ! Gate Crasher
! access-list 101 deny tcp any any eq 7028 ! Unknown Trojan
! access-list 101 deny udp any any eq 7028 ! Unknown Trojan
! access-list 101 deny tcp any any range 7300 7301 ! Net Monitor
! access-list 101 deny tcp any any range 7306 7308 ! Net Monitor
! access-list 101 deny tcp any any eq 7410 ! Backdoor.phoenix
! access-list 101 deny tcp any any eq 7597 ! QaZ
! access-list 101 deny tcp any any eq 7614 ! Backdoor.GRM
! access-list 101 deny tcp any any eq 7789 ! ICKiller
! access-list 101 deny tcp any any eq 7823 ! Backdoor.Amitis.B
! access-list 101 deny udp any any eq 7983 ! Mstream handler-agent
! access-list 101 deny tcp any any eq 8012 ! Backdoor.Ptakks.b
! access-list 101 deny tcp any any eq 8090 ! Backdoor.Asniffer
! access-list 101 deny tcp any any eq 8787 ! Back Orifice 2000
! access-list 101 deny tcp any any eq 8811 ! Backdoor.Monator
! access-list 101 deny tcp any any eq 8879 ! Back Orifice 2000
! access-list 101 deny tcp any any range 8888 8889 ! W32.Axatak
! access-list 101 deny udp any any eq 8998 ! W32/Sobig.F Virus
! access-list 101 deny udp any any eq 9325 ! MStream Agent-handler
! access-list 101 deny tcp any any eq 9400 ! InCommand
! access-list 101 deny tcp any any eq 9696 ! Backdoor.gholame
! access-list 101 deny tcp any any eq 9697 ! Backdoor.gholame
! access-list 101 deny tcp any any range 9872 9875 ! Portal of Doom
! access-list 101 deny tcp any any eq 9876 ! Cyber Attacker
! access-list 101 deny tcp any any eq 9878 ! Transcout
! access-list 101 deny tcp any any eq 9989 ! iNi-Killer
! access-list 101 deny tcp any any eq 9999 ! The prayer
! access-list 101 deny tcp any any eq 10000 ! W32.dumaru.ad [bnews]
! access-list 101 deny tcp any any range 10001 10002 ! Backdoor.Zdemon.126 [queue, poker]
! access-list 101 deny tcp any any eq 10008 ! Cheese worm
! access-list 101 deny tcp any any eq 10067 ! Portal of Doom
! access-list 101 deny udp any any eq 10067 ! Portal of Doom
! access-list 101 deny tcp any any eq 10080 ! Mydoom.B
! access-list 101 deny tcp any any eq 10167 ! Portal of Doom
! access-list 101 deny udp any any eq 10167 ! Portal of Doom
! access-list 101 deny udp any any eq 10498 ! Mstream handler-agent
! access-list 101 deny tcp any any eq 10520 ! Acid Shivers
! access-list 101 deny tcp any any eq 10607 ! Coma
! access-list 101 deny tcp any any eq 10666 ! Ambush
! access-list 101 deny tcp any any eq 11000 ! Senna Spy
! access-list 101 deny tcp any any eq 11050 ! Host Control
! access-list 101 deny tcp any any eq 11223 ! Progenic Trojan
! access-list 101 deny tcp any any eq 11831 ! Latinus Server
! access-list 101 deny tcp any any eq 12000 ! Backdoor.Satancrew
! access-list 101 deny tcp any any eq 12076 ! GJamer
! access-list 101 deny tcp any any eq 12223 ! Hack'99, Keylogger
! access-list 101 deny tcp any any eq 12456 ! Netbus
! access-list 101 deny tcp any any range 12361 12362 ! Whack-a-Mole
! access-list 101 deny tcp any any eq 12631 ! Whack Job
! access-list 101 deny tcp any any eq 12701 ! Eclypse 2000
! access-list 101 deny tcp any any eq 12754 ! Mstream attack-handler
! access-list 101 deny tcp any any eq 13000 ! Senna Spy
! access-list 101 deny tcp any any eq 13173 ! Backdoor.Amitis.B
! access-list 101 deny tcp any any eq 13700 ! Kuang2
! access-list 101 deny tcp any any eq 15104 ! Mstream attack-handler
! access-list 101 deny tcp any any eq 15432 ! Backdoor.Cyn
! access-list 101 deny tcp any any eq 16322 ! Backdoor.Lastdoor
! access-list 101 deny tcp any any eq 16484 ! Mosucker
! access-list 101 deny tcp any any eq 16959 ! Sub Seven
! access-list 101 deny tcp any any eq 16969 ! Priority
! access-list 101 deny tcp any any eq 17300 ! Kuang2
! access-list 101 deny udp any any eq 18753 ! Shaft handler to agent
! access-list 101 deny tcp any any eq 19937 ! Backdoor.Gaster
! access-list 101 deny tcp any any range 20000 20001 ! Millenium
! access-list 101 deny tcp any any eq 20034 ! Netbus 2 Pro
! access-list 101 deny tcp any any eq 20203 ! Logged!
! access-list 101 deny tcp any any eq 20331 ! Bla
! access-list 101 deny tcp any any range 20432 20433 ! Shaft Agent to handlers
! access-list 101 deny tcp any any eq 20480 ! Trojan.Adnap
! access-list 101 deny tcp any any eq 21554 ! Girlfriend
! access-list 101 deny udp any any eq 21554 ! Girlfriend
! access-list 101 deny tcp any any eq 22222 ! Prosiak
! access-list 101 deny tcp any any eq 22784 ! Backdoor-ADM
! access-list 101 deny tcp any any range 23005 23006 ! W32.hllw.nettrash
! access-list 101 deny tcp any any eq 23435 ! Trojan.Framar
! access-list 101 deny tcp any any range 23476 23477 ! Donald Dick
! access-list 101 deny tcp any any eq 26274 ! Delta Source
! access-list 101 deny udp any any eq 26274 ! Delta Source
! access-list 101 deny udp any any eq 27374 ! Sub-7
! access-list 101 deny tcp any any eq 27379 ! Backdoor.optix.04
! access-list 101 deny tcp any any eq 27573 ! Sub-7
! access-list 101 deny udp any any eq 27573 ! Sub-7
! access-list 101 deny tcp any any eq 29292 ! Backdoor.NTHack
! access-list 101 deny tcp any any eq 29559 ! Latinus Server
! access-list 101 deny tcp any any eq 29891 ! The Unexplained
! access-list 101 deny tcp any any eq 29999 ! Backdoor.Antilam.20
! access-list 101 deny tcp any any eq 30029 ! AOL Trojan
! access-list 101 deny tcp any any range 30100 30102 ! NetSphere
! access-list 101 deny tcp any any eq 30133 ! NetSphere Final
! access-list 101 deny tcp any any eq 30303 ! Sockets de Troie
! access-list 101 deny tcp any any eq 30999 ! Kuang2
! access-list 101 deny tcp any any eq 31336 ! BO-Whack
! access-list 101 deny udp any any eq 31338 ! NetSpy DK
! access-list 101 deny tcp any any eq 31339 ! Deep BO
! access-list 101 deny tcp any any eq 31666 ! NetSpy DK
! access-list 101 deny tcp any any eq 31785 ! BOWhack
! access-list 101 deny udp any any eq 31787 ! Hack'a'Tack
! access-list 101 deny udp any any range 31789 31791 ! Hack'a'Tack
! access-list 101 deny tcp any any eq 32418 ! Acid Battery
! access-list 101 deny tcp any any eq 33333 ! Prosiak
! access-list 101 deny udp any any eq 33390 ! Unknown trojan
! access-list 101 deny tcp any any eq 33911 ! Spirit 2001 a
! access-list 101 deny tcp any any eq 34324 ! BigGluck
! access-list 101 deny tcp any any eq 37651 ! Yet Another Trojan
! access-list 101 deny tcp any any eq 39999 ! TrojanProxy.Win32.Mitglieder
! access-list 101 deny tcp any any eq 40412 ! The Spy
! access-list 101 deny tcp any any range 40421 40423 ! Master's Paradise
! access-list 101 deny tcp any any range 40425 40426 ! Master's Paradise
! access-list 101 deny tcp any any eq 43210 ! Master's Paradise
! access-list 101 deny tcp any any eq 44280 ! Backdoor.Amitis.B
! access-list 101 deny tcp any any eq 44390 ! Backdoor.Amitis.B
! access-list 101 deny tcp any any eq 47252 ! Delta Source
! access-list 101 deny udp any any eq 47262 ! Delta Source
! access-list 101 deny tcp any any eq 47387 ! Backdoor.Amitis.B
! access-list 101 deny tcp any any eq 47891 ! Backdoor.antilam.20
! access-list 101 deny udp any any eq 49301 ! OnLine keyLogger
! access-list 101 deny tcp any any eq 50505 ! Sockets de Troie
! access-list 101 deny tcp any any eq 50776 ! Fore
! access-list 101 deny tcp any any eq 51234 ! Backdoor.Cyn
! access-list 101 deny tcp any any eq 53001 ! Remote Windows Shutdown
! access-list 101 deny tcp any any eq 54320 ! Back Orifice 2000
! access-list 101 deny udp any any eq 54320 ! Back Orifice
! access-list 101 deny tcp any any eq 54321 ! School Bus, Back Orifice
! access-list 101 deny udp any any eq 54321 ! Back Orifice 2000
! access-list 101 deny tcp any any eq 56565 ! Backdoor.Osirdoor
! access-list 101 deny tcp any any eq 57341 ! NetRaider.Trojan
! access-list 101 deny udp any any eq 57341 ! NetRaider.Trojan
! access-list 101 deny tcp any any range 58008 58009 ! Backdoor.Tron
! access-list 101 deny tcp any any eq 58666 ! Backdoor.Redkod
! access-list 101 deny tcp any any eq 59211 ! Backdoor.Ducktoy
! access-list 101 deny tcp any any eq 60000 ! Deep Throat
! access-list 101 deny tcp any any eq 61000 ! Backdoor.mite
! access-list 101 deny tcp any any eq 61466 ! Telecommando
! access-list 101 deny tcp any any eq 61348 ! Bunker-Hill Trojan
! access-list 101 deny tcp any any eq 61603 ! Bunker-Hill Trojan
! access-list 101 deny tcp any any eq 63485 ! Bunker-Hill Trojan
! access-list 101 deny tcp any any eq 63809 ! W32.hllw.gaobot.dk
! access-list 101 deny tcp any any eq 64429 ! Backdoor.Amitis.B
! access-list 101 deny tcp any any eq 65535 ! Adore Worm
!
!
! Network Specific
!
! Prevent spoofing. Deny incoming packets that have our internal network address:
!
! access-list 101 deny ip ###.###.###.0 0.0.0.255 any log
!
! More spoofing prevention. Insert the IP address of the external router interface:
!
! access-list 101 deny ip host ###.###.###.### any log
!
! Anti-Smurf Attack
!
! The Smurf Attack involves sending a large amount of ICMP Echo packets to a
! subnet's broadcast address with a spoofed source IP address from that subnet.
!
! access-list 101 deny ip any host ###.###.###.255
! access-list 101 deny ip any host ###.###.###.0
!
! Allow only ACKed tcp packets to our network:
!
! access-list 101 permit tcp any ###.###.###.0 0.0.0.255 gt 1023 established
!
! Allow smtp traffic to mail servers only:
!
! access-list 101 permit tcp any host ###.###.###.### eq smtp
! access-list 101 permit tcp any host ###.###.###.### eq smtp
!
! Allow incoming dns traffic to name servers only:
! Note: Probably best to limit tcp domain traffic to specific servers.
!
! access-list 101 permit tcp any host ###.###.###.### eq domain log
! access-list 101 permit tcp any host ###.###.###.### eq domain log
! access-list 101 permit udp any host ###.###.###.### eq domain
! access-list 101 permit udp any host ###.###.###.### eq domain
!
! Allow ntp to time server:
! See: http://www.eecis.udel.edu/~ntp/
!
! access-list 101 permit udp any eq 123 host ###.###.###.### eq 123
!
! Allow incoming news traffic to nntp server only:
!
! access-list 101 permit tcp any host ###.###.###.### eq nntp
!
! For ftp clients:
! Not very secure. The alternative is to remove this and
! force clients into passive mode.
!
! access-list 101 permit tcp any eq 20 ###.###.###.0 0.0.0.255 gt 1023
!
!
! ***Allow all other traffic***
!
access-list 101 permit ip any any
!
! End of access-list 101
!
!
!
!
! Add to router:
!
!
! Unsafe defaults
!
! no service tcp-small-services
! no service udp-small-services
! no service finger
! no service pad
! no service config
! no ip identd
! no ip bootp server
! no ip http server
!
! Broadcast forwards
!
! no ip forward-protocol udp 69
! no ip forward-protocol udp 53
! no ip forward-protocol udp 37
! no ip forward-protocol udp 137
! no ip forward-protocol udp 138
! no ip forward-protocol udp 67
! no ip forward-protocol udp 68
! no ip forward-protocol udp 49
! no ip forward-protocol udp 42
!
! DoS Hardening (Optimized for heavy loading)
!
! service nagle
! ip tcp synwait-time 10
! scheduler interval 500
!
!
! Add to external interface of screening router:
!
!
! DoS Hardening
!
! no ip directed-broadcast
! no ip mask-reply
! no ip proxy-arp
! no ip redirects
! no ip unreachables
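A deny-by-exception list this long is easy to drift: ports get listed twice, a `range` silently swallows an earlier single-port entry, and placeholder lines with `###` addresses must stay commented out until they are filled in. The following linter is an added example, not part of Illuzion's list or the NSA guide; it parses lines in exactly this file's style (leading `!` disables a rule, a trailing ` ! text` is a comment) and reports overlapping `any any` port rules, disabled rules, and active rules that still carry placeholders. The sample ACL inside it is constructed for the demonstration, and the named-port table is an assumption covering only the port keywords this file uses.

```python
# Constructed sample in the style of the list above (not the page's full
# list): a duplicated port, a range overlapping an earlier single-port rule,
# a disabled rule, and an active rule still carrying a ### placeholder.
SAMPLE_ACL = """\
! Beginning of access-list 101
access-list 101 deny tcp any any eq 9 ! discard
access-list 101 deny tcp any any eq 9 ! systat
access-list 101 deny udp any any eq 517 ! talk
access-list 101 deny udp any any range talk 518 ! ntalk
access-list 101 deny tcp any any eq 8787 ! Back Orifice 2000
! access-list 101 deny tcp any any eq 31 ! Agent 31 (disabled)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip ###.###.###.0 0.0.0.255 any log
access-list 101 permit ip any any
"""

# IOS port keywords used on this page; add others as needed (assumption).
NAMED_PORTS = {"smtp": 25, "domain": 53, "nntp": 119, "talk": 517}


def port_span(tokens):
    """Destination port span (lo, hi) of one ACE, or None if it has none.
    IOS writes the source port spec before the destination address, so the
    last operator on the line is the destination one: scan from the end."""
    for i in range(len(tokens) - 1, 3, -1):
        op = tokens[i]
        if op not in ("eq", "range", "gt", "lt") or i + 1 >= len(tokens):
            continue
        a = int(NAMED_PORTS.get(tokens[i + 1], tokens[i + 1]))
        if op == "eq":
            return (a, a)
        if op == "gt":
            return (a + 1, 65535)
        if op == "lt":
            return (0, a - 1)
        return (a, int(NAMED_PORTS.get(tokens[i + 2], tokens[i + 2])))
    return None


def lint(acl_text):
    """Overlapping any-any port rules, disabled rules, active placeholders."""
    findings = {"overlap": [], "active_placeholder": [],
                "active": 0, "disabled": 0}
    seen = []  # (action, proto, span, lineno) of earlier active any-any ACEs
    for lineno, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.strip()
        disabled = line.startswith("!")
        # drop a disabling '!' prefix and any trailing ' ! comment'
        body = line.lstrip("! ").split(" !", 1)[0].strip()
        if not body.startswith("access-list"):
            continue  # separator or free-text comment line
        if disabled:
            findings["disabled"] += 1
            continue
        findings["active"] += 1
        if "###" in body:
            findings["active_placeholder"].append(lineno)
        tokens = body.split()
        action, proto = tokens[2], tokens[3]
        span = port_span(tokens)
        if span is None or tokens[4:6] != ["any", "any"]:
            continue  # address-specific rules are not compared here
        for e_action, e_proto, e_span, e_line in seen:
            if (e_action, e_proto) == (action, proto) and \
                    max(e_span[0], span[0]) <= min(e_span[1], span[1]):
                findings["overlap"].append((lineno, e_line))
                break
        seen.append((action, proto, span, lineno))
    return findings


if __name__ == "__main__":
    for key, value in lint(SAMPLE_ACL).items():
        print(f"{key}: {value}")
```

Run it against the full list before loading it on the router: every overlap is either a duplicate to delete or an earlier rule that a later `range` already covers, and any active placeholder line is one that would fail to parse or, worse, match nothing.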