MAx TNT Filter -- Actual FILTER
Sean Watkins
sean at northrock.bm
Tue Aug 26 03:22:32 UTC 2003
TNT Users:
Apologies: I know I am posting to multiple lists, but multiple lists
with Ascend users.. none so far have posted and numerous are asking for
it... Including myself! Hopefully recommendations will follow.
After several hours of trial and error - after I set up the recommended
Cisco filters upstream from TNT equipment.
I have been constantly watching log entries, to find people blasting
away with ICMP/UDP Port 135/ TCP Port 137 the most.
I have come up with a filter for the TNT:
new FILTER
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
write -f
;
This filter blocks UDP port 135, TCP port 137, allows ICMP to X.X.X.X,
drops all other ICMP, and then allows any other traffic out.
Basically, X.X.X.X is a machine here we can use to have customers ping
us/ we ping them. This filter seems to work for 90% of people, but for
unknown reasons, ICMP still seems to leak in. Any ideas?
I'm applying this filter to data under answer-defaults, session-info.
I've set iproute-cache-enable = no,
Disabled proxy arp... Everything. Still we are dropping packets at peak
times left right and center for unknown reasons. show ip cache flow on
upstream Cisco gear shows basically regular traffic.
Ideas/comments etc?
Sean
>
>
> ----- Original Message -----
> From: "Dave Birkbeck" <dbirkbeck at ikano.com>
> To: "'Tony Bunce'" <tonyb at go-concepts.com>; "'Sean Watkins
> (northrock)'"
> <sean at northrock.bm>; <radiator at open.com.au>
> Sent: Monday, August 25, 2003 7:27 PM
> Subject: RE: (RADIATOR) MAx TNT & MSBlast
>
>
>> All,
>>
>> In addition to having the ACL's that Cisco recommends. Has anyone come
>> up with a Radius ascend-data-filter that will slow down the spread of
>> these crazy viruses? Or better yet, a filter that will block ICMP.
>>
>> Again, I know this is probably not the list for this discussion, but
>> this topic is definitely for the greater good of the Internet.
>>
>> That being said does anyone know of a list that discusses various NAS
>> topics?
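
Added example (not part of the original post or the quoted message): a small Python model of the pre-nachi2 filter above, for checking which rule a given packet lands on before the filter goes onto a live box. Assumptions: rules are tried in order and the first match decides, an entry without forward = yes drops, an unset protocol or address matches anything, a packet matching no rule is dropped, and X.X.X.X is replaced by the constructed address 192.0.2.10.

```python
import ipaddress
# Filter lines as posted; X.X.X.X replaced by 192.0.2.10, a constructed address.
POSTED = """
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = 192.0.2.10
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
"""

def parse(text):
    """Group 'set input-filters N ... key = value' lines into {N: {key: value}}."""
    rules = {}
    for line in text.strip().splitlines():
        left, value = (s.strip() for s in line.split("=", 1))
        rules.setdefault(int(left.split()[2]), {})[left.split()[-1].lower()] = value
    return rules

def decide(rules, proto, dst, dport=0):
    """Assumed semantics: rules in order, first match decides, no match drops."""
    ip = lambda a: int(ipaddress.ip_address(a))
    for n, r in sorted(rules.items()):
        if r.get("valid-entry") != "yes" or int(r.get("protocol", 0)) not in (0, proto):
            continue
        if r.get("dst-port-cmp") == "eql" and int(r["dest-port"]) != dport:
            continue
        mask = ip(r.get("dest-address-mask", "0.0.0.0"))
        if (ip(dst) & mask) != (ip(r.get("dest-address", "0.0.0.0")) & mask):
            continue
        return n, "forward" if r.get("forward") == "yes" else "drop"
    return None, "drop"
RULES = parse(POSTED)
```

decide(RULES, 17, "198.51.100.7", 135) returns the entry number and action for a UDP/135 packet; running each protocol and port pair of interest through it is a quick way to check the protocol numbers in the entries (6 is TCP, 17 is UDP, 1 is ICMP) against the ports they are meant to cover.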