tshi5791 asked:

access-list to block ip spoof

I have a PIX firewall that is connected to the Internet (without a router). I am seeing a lot of "deny ip spoof from 127.0.0.1" on my syslog. I know that you can implement some access-lists on the router to fight IP spoofing, but I tried the same command on my PIX without success. What are the right commands on the PIX to fight IP spoofing?
td_miles:

A good reference is here:
http://www.thewaystation.com/techref/internet-in.shtml

The main thrust of it is that you should block inbound traffic on your outside interface from those addresses that will NEVER be valid on that interface (i.e. loopback address, private addresses, broadcast addresses, etc.)

To be safe you would also apply an access list inbound on your inside interface only allowing traffic from the subnet ranges that are actually on your inside network.

The above link is for Cisco routers, but is easily modified for the PIX. Just remember that the subnet masks are backwards!
tshi5791 (asker):

Hi td_miles

Though I am getting this message from my syslog:
"2003-12-01 08:28:22      User.Critical      194.10.1.110      Dec 01 2003 09:31:49: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 216.75.X.X on interface outside",

when I look at my firewall log, I don't see the number of counts.
Below is a part of my access-list.
access-list 104 deny ip 0.0.0.0 0.255.255.255 any log
access-list 104 deny ip 127.0.0.0 255.255.255.0 any log
access-list 104 deny ip 172.16.0.0 255.255.0.0 any log
access-list 104 deny ip 192.168.0.0 255.255.0.0 any log
access-list 104 deny ip 224.0.0.0 255.255.255.0 any log
access-list 104 deny ip 192.0.0.0 255.255.255.0 any log
access-list 104 deny ip host 127.0.0.1 any log

This acce
td_miles:

Is access-list 104 applied to the outside interface?

From the PIX, use the command "sho access-list 104" and see if it is matching your deny statements for 127.0.0.0/24 by the number of times it has matched this line of the ACL.
tshi5791 (asker):

Hi td_miles

yes the access-list is applied to the outside interface.

When I do "show access-list 104", I don't see any increase in hit counts.
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
td_miles:

From what you have posted above, you are only showing part of the access-list. Can you post the whole access-list please? It is possible that a previous line in the ACL is matching the traffic first and so it is not getting to the deny statements.
tshi5791 (asker):

Here it is.

access-list 104; 43 elements
access-list 104 line 1 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 2 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=0)
access-list 104 line 3 permit tcp any host 216.75.X.Y eq 7622 (hitcnt=0)
access-list 104 line 4 permit tcp any host 216.75.X.Y eq 7650 (hitcnt=0)
access-list 104 line 5 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 6 permit tcp any host 216.75.X.Y eq 7630 (hitcnt=0)
access-list 104 line 7 permit tcp any host 216.75.X.Y eq 1999 (hitcnt=0)
access-list 104 line 8 permit tcp any host 216.75.X.Y eq ftp (hitcnt=12)
access-list 104 line 9 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=97)
access-list 104 line 10 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 11 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=4)
access-list 104 line 12 permit tcp any host 216.75.X.Y eq 8720 (hitcnt=100)
access-list 104 line 13 permit tcp any host 216.75.X.Y eq 8750 (hitcnt=0)
access-list 104 line 14 permit tcp any host 216.75.X.Y eq 2000 (hitcnt=24)
access-list 104 line 15 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 16 permit tcp any host 216.75.X.Y eq 2070 (hitcnt=111)
access-list 104 line 17 permit tcp any host 216.75.X.Y eq 5001 (hitcnt=109)
access-list 104 line 18 deny tcp any any eq 445 log 6 interval 300 (hitcnt=92)
access-list 104 line 19 deny udp any any eq 445 log 6 interval 300 (hitcnt=0)
access-list 104 line 20 deny tcp any any eq 135 log 6 interval 300 (hitcnt=1139)
access-list 104 line 21 deny udp any any eq 135 log 6 interval 300 (hitcnt=0)
access-list 104 line 22 deny tcp any any eq 137 log 6 interval 300 (hitcnt=0)
access-list 104 line 23 deny udp any any eq netbios-ns log 6 interval 300 (hitcnt=1054)
access-list 104 line 24 deny udp any any eq tftp log 6 interval 300 (hitcnt=0)
access-list 104 line 25 deny udp any any eq netbios-dgm log 6 interval 300 (hitcnt=0)
access-list 104 line 26 deny udp any any eq 139 log 6 interval 300 (hitcnt=0)
access-list 104 line 27 deny tcp any any eq netbios-ssn log 6 interval 300 (hitcnt=81)
access-list 104 line 28 deny tcp any any eq 593 log 6 interval 300 (hitcnt=0)
access-list 104 line 29 deny tcp any any eq 4444 log 6 interval 300 (hitcnt=0)
access-list 104 line 30 deny icmp any any (hitcnt=46236)
access-list 104 line 31 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 32 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 33 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 34 permit tcp any host 216.75.X.Y eq 8700 (hitcnt=0)
access-list 104 line 35 permit tcp any host 216.75.X.Y eq 8740 (hitcnt=0)
access-list 104 line 36 permit tcp any host 216.75.X.Y eq 2004 (hitcnt=0)
access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)
access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 41 deny ip 224.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 42 deny ip 192.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)
access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)
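td_miles' ordering point (an earlier line can match the traffic first) and his note that PIX masks are "backwards" relative to IOS wildcard masks can both be checked mechanically. The following is an added example, not code from this thread, from Cisco or from the asker's PIX: a small Python checker that reads "show access-list" style lines the way a PIX evaluates them (top down, first match wins, implicit deny at the end), flags a mask that looks like an IOS wildcard rather than a PIX netmask, and reports which parts of the classic never-valid-on-the-outside source ranges the deny entries leave uncovered. The sample lines are constructed from a subset of the posted access-list 104, with 203.0.113.10 standing in for the page's 216.75.X.Y; PORT_NAMES, BOGON_SOURCES and all function names are my own.

```python
"""Check a PIX-style ACL for first-match behaviour and anti-spoof coverage.

Added example, not code from the Experts Exchange thread. SAMPLE_ACL is a
constructed subset of the asker's access-list 104; 203.0.113.10 stands in
for the page's 216.75.X.Y.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords that appear in the thread's ACL output (assumed mapping).
PORT_NAMES = {"ftp": 21, "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Source ranges that can never legitimately arrive on an Internet-facing interface.
BOGON_SOURCES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "224.0.0.0/4"]


@dataclass
class AclEntry:
    line: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def is_netmask(mask: str) -> bool:
    """True for a contiguous PIX netmask (255.255.0.0); False for an IOS wildcard (0.0.255.255)."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard mask -> PIX netmask: the bits are simply inverted ("backwards")."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF))


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A' | 'A MASK' starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    addr, mask = t[i], t[i + 1]
    if not is_netmask(mask):
        raise ValueError(f"{addr} {mask}: looks like an IOS wildcard mask; "
                         f"PIX wants {addr} {wildcard_to_netmask(mask)}")
    return ipaddress.IPv4Network((addr, mask), strict=False), i + 2


def load_acl(lines: List[str]) -> Tuple[List[AclEntry], List[str]]:
    """Parse 'access-list N [line L] permit|deny ...' lines; skip and report lines with bad masks."""
    entries, warnings = [], []
    for n, line in enumerate(lines, 1):
        t = line.split()
        i = next(k for k, tok in enumerate(t) if tok in ("permit", "deny"))
        lineno = int(t[t.index("line") + 1]) if "line" in t[:i] else n
        try:
            src, j = _parse_addr(t, i + 2)
            dst, j = _parse_addr(t, j)
        except ValueError as err:
            warnings.append(f"line {lineno}: {err}")
            continue
        dport = None
        if j < len(t) and t[j] == "eq":
            dport = PORT_NAMES.get(t[j + 1]) or int(t[j + 1])
        entries.append(AclEntry(lineno, t[i], t[i + 1], src, dst, dport))
    return entries, warnings


def first_match(entries: List[AclEntry], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Top-down first match, as the PIX evaluates an ACL; (None, 'deny') is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.line, e.action
    return None, "deny"


def undenied(entries: List[AclEntry], cidr: str) -> List[str]:
    """Parts of `cidr` that no 'deny ip <src> any' entry covers (a coverage check, order-independent)."""
    remaining = [ipaddress.IPv4Network(cidr)]
    for e in entries:
        if e.action != "deny" or e.proto != "ip" or e.dport is not None or e.dst.prefixlen != 0:
            continue
        kept = []
        for r in remaining:
            if r.subnet_of(e.src):
                continue                                  # r is fully covered by this deny
            if e.src.subnet_of(r):
                kept.extend(r.address_exclude(e.src))     # carve the denied block out of r
            else:
                kept.append(r)
        remaining = kept
    return [str(n) for n in sorted(remaining)]


SAMPLE_ACL = [  # constructed subset of the thread's "show access-list 104" output
    "access-list 104 line 8 permit tcp any host 203.0.113.10 eq ftp (hitcnt=12)",
    "access-list 104 line 12 permit tcp any host 203.0.113.10 eq 8720 (hitcnt=100)",
    "access-list 104 line 18 deny tcp any any eq 445 log 6 interval 300 (hitcnt=92)",
    "access-list 104 line 30 deny icmp any any (hitcnt=46236)",
    "access-list 104 line 37 deny ip 0.0.0.0 0.255.255.255 any log 6 interval 300 (hitcnt=0)",
    "access-list 104 line 38 deny ip 127.0.0.0 255.255.255.0 any log 6 interval 300 (hitcnt=0)",
    "access-list 104 line 39 deny ip 172.16.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)",
    "access-list 104 line 40 deny ip 192.168.0.0 255.255.0.0 any log 6 interval 300 (hitcnt=0)",
    "access-list 104 line 43 deny ip host 127.0.0.1 any log 6 interval 300 (hitcnt=0)",
]

if __name__ == "__main__":
    acl, warns = load_acl(SAMPLE_ACL)
    for w in warns:
        print("WARNING", w)
    # A loopback-sourced packet aimed at a permitted port hits the permit before any deny.
    print(first_match(acl, "tcp", "127.0.0.1", "203.0.113.10", 21))  # (8, 'permit')
    print(first_match(acl, "tcp", "127.0.0.1", "203.0.113.10", 80))  # (38, 'deny')
    for cidr in BOGON_SOURCES:
        gaps = undenied(acl, cidr)
        print(cidr, "fully denied" if not gaps else f"not covered: {gaps}")
```

Run against the posted list, two things stand out. First, the anti-spoof denies sit below the "permit tcp any host ..." lines, so a packet with source 127.0.0.1 to a permitted port would match line 8 first; the never-valid-source denies belong at the top of the ACL. Second, "255.255.255.0" on 127.0.0.0 and "255.255.0.0" on 172.16.0.0 cover only a /24 and a /16 of ranges that are a /8 and a /12, and "0.0.0.0 0.255.255.255" is an IOS-style wildcard, which on a PIX does not mean 0.0.0.0/8. Neither explains a hitcnt of 0 for the logged packet, though: %PIX-2-106016 is raised by the PIX's own invalid-source check on the interface (loopback, broadcast and land-style sources), which runs before the ACL is consulted, so those packets never reach access-list 104 and its counters do not move.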
ASKER CERTIFIED SOLUTION by td_miles:

tshi5791 (asker):

td_miles,

No need to apologize. I thank you for taking the time to help me out. I did come across similar docs but was not sure. It is always good to get a second opinion.

Thanks again.