MAx TNT Filter -- Actual FILTER

Sean Watkins sean at northrock.bm
Tue Aug 26 03:22:32 UTC 2003


TNT Users:

Apologies: I know I am posting to multiple lists, but they are multiple lists 
with Ascend users. None so far have posted, and numerous are asking for 
it... including myself! Hopefully recommendations will follow.

After several hours of trial and error, after I set up the recommended 
Cisco filters upstream from the TNT equipment, I have been constantly 
watching log entries to find people blasting away, with ICMP, UDP port 135 
and TCP port 137 the most.

I have come up with a filter for the TNT:

new FILTER
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
write -f
;

This filter blocks UDP port 135 and TCP port 137, allows ICMP to X.X.X.X, 
drops all other ICMP, and then allows any other traffic out.

Basically, X.X.X.X is a machine here we can use to have customers ping 
us, or we ping them. This filter seems to work for 90% of people, but for 
unknown reasons ICMP still seems to leak in. Any ideas?

I'm applying this filter to data under answer-defaults, session-info.

I've set iproute-cache-enable = no, disabled proxy ARP... everything. 
Still we are dropping packets at peak times left, right and center for 
unknown reasons. show ip cache flow on the upstream Cisco gear shows 
basically regular traffic.

Ideas/comments etc?


Sean

>
>
> ----- Original Message -----
> From: "Dave Birkbeck" <dbirkbeck at ikano.com>
> To: "'Tony Bunce'" <tonyb at go-concepts.com>; "'Sean Watkins (northrock)'"
> <sean at northrock.bm>; <radiator at open.com.au>
> Sent: Monday, August 25, 2003 7:27 PM
> Subject: RE: (RADIATOR) MAx TNT & MSBlast
>
>
>> All,
>>
>> In addition to having the ACLs that Cisco recommends, has anyone come
>> up with a RADIUS ascend-data-filter that will slow down the spread of
>> these crazy viruses? Or better yet, a filter that will block ICMP.
>>
>> Again, I know this is probably not the list for this discussion, but
>> this topic is definitely for the greater good of the Internet.
>>
>> That being said, does anyone know of a list that discusses various NAS
>> topics?
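As an added, hypothetical model (not Sean's code, nor anything from Ascend), the following Python parses the posted TNT entries and walks constructed packets through them under first-match semantics, so a reader can check which protocol/port pair each entry actually covers before loading it on a NAS. It assumes entries are evaluated in order with forward defaulting to no and an implicit drop when nothing matches, models only Dst-Port-Cmp = eql, and uses the constructed documentation address 192.0.2.10 in place of the post's X.X.X.X.

```python
import ipaddress
import re

# Sean's entries reduced to the lines carrying match criteria (valid-entry/Type are
# identical for every entry). Constructed 192.0.2.10 stands in for the post's X.X.X.X.
TNT_FILTER = """
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 forward = yes
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = 192.0.2.10
set input-filters 4 ip-filter protocol = 1
set input-filters 5 forward = yes
"""

def parse_filter(text):
    """Group 'set input-filters N [ip-filter] key = value' lines per entry, in order."""
    entries = {}
    for m in re.finditer(r"set input-filters (\d+) (?:ip-filter )?([\w-]+) = (\S+)", text):
        entries.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(3)
    return [entries[n] for n in sorted(entries)]

def evaluate(entries, proto, dst, dport=None):
    """Assumed TNT semantics: the first matching entry decides, 'forward' defaults
    to no, and a packet matching no entry is dropped. Only Dst-Port-Cmp = eql is modelled."""
    for e in entries:
        if "protocol" in e and int(e["protocol"]) != proto:
            continue
        if "dest-port" in e and dport != int(e["dest-port"]):
            continue
        if "dest-address" in e:
            net = ipaddress.ip_network(f"{e['dest-address']}/{e.get('dest-address-mask', '255.255.255.255')}", strict=False)
            if ipaddress.ip_address(dst) not in net:
                continue
        return e.get("forward", "no") == "yes"
    return False  # implicit drop when nothing matched (assumption)

def check_worm_traffic():
    """Constructed probes (thread ports, both ICMP cases, plain web); returns {probe: forwarded?}."""
    probes = {"tcp/135": (6, "198.51.100.7", 135), "udp/135": (17, "198.51.100.7", 135),
              "tcp/137": (6, "198.51.100.7", 137), "udp/137": (17, "198.51.100.7", 137),
              "icmp->pingbox": (1, "192.0.2.10", None), "icmp->other": (1, "198.51.100.7", None),
              "tcp/80": (6, "198.51.100.7", 80)}
    entries = parse_filter(TNT_FILTER)
    return {name: evaluate(entries, *pkt) for name, pkt in probes.items()}
```

Reading the result table off `check_worm_traffic()` shows exactly which of the worm ports the posted entries drop and which fall through to entry 5.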




More information about the NANOG mailing list