Protecting inbound interfaces (re: Cisco exploit)
Basil Kruglov
basil at cifnet.com
Fri Jul 18 13:22:28 UTC 2003
On Fri, Jul 18, 2003 at 06:07:08AM -0700, Rick Ernst wrote:
> Is there a way to globally protect all inbound interfaces on a router via ACL
> (specifically hundreds of frame/sub-interfaces) without applying the same ACL
> to each individual interface?
I believe something like this will work:
no access-l 198
access-list 198 deny 53 any any log-input
access-list 198 deny 55 any any log-input
access-list 198 deny 77 any any log-input
!
access-list 198 permit pim host xx.xx.xx.xx 224.0.0.0 31.255.255.255
!
access-list 198 deny pim any any log-input
access-list 198 permit ip any any
!
!end
Replace xx.xx.xx.xx with the real IP address if you have PIM running; if you
don't, remove that line.
> Is the "line vty" config only for telnet/ssh, etc. or is it the magic global
> that I'm looking for?
No. I don't think so.
-Basil @ CIFNet
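Added example, not part of Basil's post or any Cisco software: a small first-match evaluator for the numbered ACL above, so the rule order can be checked against a few constructed packets before `ip access-group 198 in` is pushed onto hundreds of sub-interfaces. The address 192.0.2.1 is a constructed stand-in for the xx.xx.xx.xx PIM neighbour.

```python
import ipaddress

PROTO_NUM = {"pim": 103, "ip": None}  # "ip" matches any IP protocol number

def _parse_addr(tokens):
    """Consume one Cisco address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [log|log-input]' lines."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skips '!' comments, blank lines and 'no access-l 198'
        action, proto = t[2], t[3]
        proto = PROTO_NUM[proto] if proto in PROTO_NUM else int(proto)
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        log = bool(rest) and rest[0].startswith("log")
        entries.append((action, proto, src, dst, log))
    return entries

def _wc_match(addr, spec):
    """Cisco wildcard: a 1 bit in the mask means 'don't care' for that bit."""
    base, wc = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wc & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def evaluate(entries, proto, src, dst):
    """Return (action, logged) for the first matching entry; implicit deny."""
    for action, p, s, d, log in entries:
        if (p is None or p == proto) and _wc_match(src, s) and _wc_match(dst, d):
            return action, log
    return "deny", False

# The ACL from the post, with the constructed placeholder 192.0.2.1 as PIM source.
ACL_198 = parse_acl("""
access-list 198 deny 53 any any log-input
access-list 198 deny 55 any any log-input
access-list 198 deny 77 any any log-input
access-list 198 permit pim host 192.0.2.1 224.0.0.0 31.255.255.255
access-list 198 deny pim any any log-input
access-list 198 permit ip any any
""")

if __name__ == "__main__":
    for pkt in [(55, "203.0.113.9", "198.51.100.1"), (103, "192.0.2.1", "224.0.0.13"),
                (103, "203.0.113.9", "224.0.0.13"), (6, "203.0.113.9", "198.51.100.1")]:
        print(pkt, evaluate(ACL_198, *pkt))
```

Note that the wildcard 31.255.255.255 covers 224.0.0.0/3, which is wider than the multicast range 224.0.0.0/4 (wildcard 15.255.255.255).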