North American Network Operators Group


Re: Land Protection for Cisco

  • From: Paul D. Robertson
  • Date: Fri Nov 21 17:31:36 1997

On Fri, 21 Nov 1997, Ken Harris wrote:

> snippet from bugtraq:
> ----
> hi.
> Here is a simple protection against the land stuff for the cisco's. It's an 
> extended ip access list that should be put on all the interfaces on the 
> box.
> 
> Extended IP Access list 105 
> deny tcp host 111.111.111.111 host 111.111.111.111 
> permit ip any any
> where 111.111.111.111 is the interface's ip address. This should be put 
> as an input access-group.
> Or if you don't get it here's what to type on your cisco's console.
> rtr#config terminal 
> rtr(config)#access-list 105 deny tcp 111.111.111.111 0.0.0.0 111.111.111.111 0.0.0.0 
> rtr(config)#access-list 105 permit ip any any 
> rtr(config)#interface ethernet 0 
> rtr(config)#ip access-group 105 in 
> rtr(config)#exit 
> rtr(config)#interface serial 0 
> rtr(config)#ip access-group 105 in
> and so on for the rest of the interfaces... Replace 105 with a free 
> extended access-list number.
> I have tested it on our cisco 2511 and it works just ok.

Has anyone tried it sourced and destined for different interfaces on the 
same box?  My test gear is all tied up right now, and I'd rather not test 
on a production box.

Thanks,

Paul


-------------------------------------------------------------------------
Paul D. Robertson
[email protected]
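
Added example, not part of the original thread: a small Python model of how the posted list is evaluated (first match wins, a 1 bit in the wildcard mask means "ignore this bit"). It shows that the deny entry matches only TCP packets whose source and destination are the same interface address, so the case asked about in the reply, source on one interface address and destination on another, reaches `permit ip any any`. The function names are hypothetical, the addresses are constructed documentation-range values, and putting one deny entry per interface address into a single list is an assumption.

```python
import ipaddress
from typing import NamedTuple

ANY = ("0.0.0.0", "255.255.255.255")  # address + wildcard that IOS prints as "any"

class Entry(NamedTuple):
    action: str   # "deny" or "permit"
    proto: str    # "tcp", or "ip" which matches every IP protocol
    src: tuple    # (address, wildcard mask)
    dst: tuple

def wild_match(addr, spec):
    # A 1 bit in a Cisco wildcard mask means "ignore this bit".
    a, base, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | wild) == (base | wild)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for e in acl:
        if e.proto in ("ip", proto) and wild_match(src, e.src) and wild_match(dst, e.dst):
            return e.action
    return "deny"

def land_acl(interface_addrs):
    """One 'deny tcp host X host X' per interface address, then permit ip any any."""
    acl = [Entry("deny", "tcp", (a, "0.0.0.0"), (a, "0.0.0.0")) for a in interface_addrs]
    return acl + [Entry("permit", "ip", ANY, ANY)]

def to_ios(acl, number=105):
    """Render entries in the 'access-list N ...' form used in the post."""
    fmt = lambda s: "any" if s == ANY else f"{s[0]} {s[1]}"
    return [f"access-list {number} {e.action} {e.proto} {fmt(e.src)} {fmt(e.dst)}" for e in acl]

if __name__ == "__main__":
    # Constructed interface addresses (documentation ranges), not from the post.
    acl = land_acl(["192.0.2.1", "198.51.100.1"])
    print("\n".join(to_ios(acl)))
    for proto, src, dst in [("tcp", "192.0.2.1", "192.0.2.1"),
                            ("tcp", "192.0.2.1", "198.51.100.1"),
                            ("udp", "192.0.2.1", "192.0.2.1")]:
        print(proto, src, "->", dst, evaluate(acl, proto, src, dst))
```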