Ingress filtering: how to set it up?

Posted on 2001-07-03
Last Modified: 2010-10-05
What is the command to configure ingress filtering for Cisco router?

Let's say your internal network IP is
131.144.4.0

WAN--se0/0----router----eth0/0--- LAN 131.144.4.0


Question by:bluepet
7 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6253776
It depends on what you are trying to filter.  The "access-list" command will allow you to set both standard and extended access lists on the router.
 
LVL 3

Author Comment

by:bluepet
ID: 6254067
Ah I just found out how

ingress filtering is done in all new cisco routers

sh run
...
no ip directed-broadcast
...

for 3Com it's
setd -ip cont=nofwdSubnetBcast
..


egress filtering on the other hand is as follows

# config t
config# access-list extended permit ip 131.144.4.0 0.0.0.255 any

config# access-list extended deny ip any any
then configure for access group at interface eth0

config# int eth0
config if# ip access-group 100 in

:)

I however still have no idea about how to do egress filtering for 3com...

can someone help here..
 
LVL 79

Accepted Solution

by:
lrmoore earned 34 total points
ID: 6255374
I don't think that "no ip directed-broadcast" on your interface qualifies as an ingress filter. It is outgoing only. Ingress filters can only be applied through access-lists. Your example of an access list applied is incorrect.
Here are some good examples for Cisco of ingress filters (keeping the bad stuff out):

http://www.pasadena.net/cisco/secure.html

http://www.sans.org/infosecFAQ/firewall/blocking_cisco.htm
 
LVL 4

Assisted Solution

by:svindler
svindler earned 33 total points
ID: 6316566
lrmoore's links look good. You really should read them through.
Here are some more:
http://www.cisco.com/warp/public/707/21.html
http://www.insecure.org/news/P55-10.txt

To sum it up, you make an access-list that denies all private addresses and your own addresses from originating on the internet. Then you apply this access-list as inbound on the interface closest to the internet.

A basic ingress filter, that only guards against spoofed packets, can be made using a standard access-list:

router(config)#access-list 11 deny 111.111.111.0 0.0.0.255 (or whatever your public ip range is)
router(config)#access-list 11 deny 10.0.0.0 0.255.255.255
router(config)#access-list 11 deny 127.0.0.0 0.255.255.255
router(config)#access-list 11 deny 172.16.0.0 0.15.255.255
router(config)#access-list 11 deny 192.168.0.0 0.0.255.255
router(config)#access-list 11 deny 224.0.0.0 15.255.255.255
router(config)#access-list 11 deny host 0.0.0.0
router(config)#int s0/0 (or whatever your external interface is)
router(config-if)#ip access-group 11 in
 
LVL 4

Expert Comment

by:svindler
ID: 6316576
Oops, just noticed that you actually had provided the external interface and the public ip addresses. The example should then read:
router(config)#access-list 11 deny 131.144.4.0 0.0.0.255 (assuming a class C network)
router(config)#access-list 11 deny 10.0.0.0 0.255.255.255
router(config)#access-list 11 deny 127.0.0.0 0.255.255.255
router(config)#access-list 11 deny 172.16.0.0 0.15.255.255
router(config)#access-list 11 deny 192.168.0.0 0.0.255.255
router(config)#access-list 11 deny 224.0.0.0 15.255.255.255
router(config)#access-list 11 deny host 0.0.0.0
router(config)#int s0/0
router(config-if)#ip access-group 11 in
 
LVL 4

Assisted Solution

by:jwalsh88
jwalsh88 earned 33 total points
ID: 6372021
svindler,

you forgot one line
router(config)#access-list 11 permit any

bluepet, that should be the last access-list entry.
Otherwise svindler's access-list would block all inbound traffic from the internet, because of the implied deny any rule.
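Added example, not part of this thread and not anyone's posted configuration: a small Python model of how IOS walks a standard access-list, used here to check svindler's ACL 11 against a handful of constructed inbound source addresses, first as posted and then with the final `permit any` that jwalsh88 points out. The parser, the `wildcard_match`/`evaluate`/`decisions` helpers and the sample addresses are all my own constructions; the ACL text is svindler's second version written as it would appear in `show running-config`, without the prompt.

```python
import ipaddress
from typing import Dict, List, Tuple

# One standard-ACL entry: (action, base address, wildcard mask).
AclEntry = Tuple[str, str, str]


def parse_standard_acls(config_text: str) -> Dict[str, List[AclEntry]]:
    """Parse IOS-style 'access-list <n> permit|deny <src> [wildcard]' lines.

    Handles the three source forms a standard ACL uses: 'any',
    'host A.B.C.D', and 'A.B.C.D W.X.Y.Z'. A bare address with no
    wildcard is treated as a host match, as IOS does.
    """
    acls: Dict[str, List[AclEntry]] = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore blank lines, comments and unrelated config
        number, action, src = parts[1], parts[2], parts[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in line: {raw!r}")
        if src[0] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            base, wildcard = src[1], "0.0.0.0"
        else:
            base = src[0]
            wildcard = src[1] if len(src) > 1 else "0.0.0.0"
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: 1 bits are 'don't care', 0 bits must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[AclEntry], src_addr: str) -> str:
    """First-match evaluation, then the implicit 'deny any' IOS appends."""
    for action, base, wildcard in acl:
        if wildcard_match(src_addr, base, wildcard):
            return action
    return "deny"


# svindler's ACL 11 exactly as posted (no closing 'permit any').
ACL_AS_POSTED = """\
access-list 11 deny 131.144.4.0 0.0.0.255
access-list 11 deny 10.0.0.0 0.255.255.255
access-list 11 deny 127.0.0.0 0.255.255.255
access-list 11 deny 172.16.0.0 0.15.255.255
access-list 11 deny 192.168.0.0 0.0.255.255
access-list 11 deny 224.0.0.0 15.255.255.255
access-list 11 deny host 0.0.0.0
"""

# The same list with the last entry jwalsh88 says is missing.
ACL_WITH_PERMIT = ACL_AS_POSTED + "access-list 11 permit any\n"

# Constructed source addresses, as if seen inbound on s0/0 from the WAN.
SAMPLE_SOURCES = [
    "131.144.4.7",    # our own block arriving from outside: spoofed
    "10.1.2.3",       # RFC 1918 space
    "172.31.0.9",     # inside 172.16.0.0 0.15.255.255
    "172.32.0.9",     # just outside that wildcard range
    "239.1.1.1",      # multicast, covered by 224.0.0.0 15.255.255.255
    "0.0.0.0",        # matched by the 'host 0.0.0.0' entry
    "198.51.100.20",  # ordinary public source that should get through
]


def decisions(config_text: str, sources=SAMPLE_SOURCES) -> Dict[str, str]:
    """Map each sample source to the verdict ACL 11 gives it."""
    acl = parse_standard_acls(config_text)["11"]
    return {src: evaluate(acl, src) for src in sources}


if __name__ == "__main__":
    for label, cfg in (("as posted", ACL_AS_POSTED), ("with permit any", ACL_WITH_PERMIT)):
        print(f"ACL 11 {label}:")
        for src, verdict in decisions(cfg).items():
            print(f"  {src:16} -> {verdict}")
```

Running it shows the point of the thread: with the list as posted every source, including the legitimate public one, ends at the implicit deny; with `permit any` appended the spoofed, private, loopback, multicast and zero sources are still dropped while ordinary traffic passes. A standard ACL only looks at the source address, which is exactly what an anti-spoofing ingress filter needs.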
LVL 5

Expert Comment

by:zenlion420
ID: 9706103
Hey people,

No comment has been added in roughly 2 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts split between lrmoore, svindler and jwalsh88.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor