Access lists related to Internet services

This document describes a network connection from a company network to the Internet (as seen from a Cisco router's point of view). This document is by no means complete. Do not just copy information and paste it into your security policy.

Access lists related to services

From Internet to external networks

General Setup Rules                        Notes
No spoofed IP traffic                      Connections to external interfaces pretending to be from internal networks
No source-routed frames                    To prevent getting faked routing information
No fragmented IP traffic                   To prevent spoofing of TCP / UDP based filter rules
No ICMP bombing of external sites          To prevent slowdowns on external networks and denial of service attacks
No TCP SYN flooding of external sites      To prevent slowdowns on external networks and denial of service attacks

DNS related filter rules

ext-ns is the external nameserver for all domains.

Rule   Dir  Source  Destination  Proto  Src port  Dst port  ACK bit set  Notes
DNS1   In   Ext     ext-ns       UDP    >1023     53        -            Incoming query via UDP, client to external nameserver
DNS2   Out  ext-ns  Ext          UDP    53        >1023     -            Answer to incoming UDP query, external nameserver to client
DNS3   In   Ext     ext-ns       TCP    >1023     53        No*          Incoming query via TCP, client to external nameserver
DNS4   Out  ext-ns  Ext          TCP    53        >1023     Yes          Answer to incoming TCP query, server to client
DNS5   Out  ext-ns  Ext          UDP    >1023     53        -            Outgoing query via UDP, client to server
DNS6   In   Ext     ext-ns       UDP    53        >1023     -            Answer to outgoing UDP query, server to client
DNS7   Out  ext-ns  Ext          TCP    >1023     53        No*          Outgoing query via TCP, client to server
DNS8   In   Ext     ext-ns       TCP    53        >1023     Yes          Answer to outgoing TCP query, server to client
DNS9   In   Ext     ext-ns       UDP    53        53        -            Query or response between ext-ns and external servers via UDP
DNS10  Out  ext-ns  Ext          UDP    53        53        -            Query or response between ext-ns and external servers via UDP
DNS11  In   Ext     ext-ns       TCP    >1023     53        No*          Query from external server to ext-ns via TCP, or zone transfer request (idea: use the xfrnets option in BIND to ensure that zone transfers are only possible from legitimate partners)
DNS12  Out  ext-ns  Ext          TCP    53        >1023     Yes          Answer from ext-ns to external server via TCP, or zone transfer response to an external secondary via TCP
DNS13  Out  ext-ns  Ext          TCP    >1023     53        No*          Query from ext-ns to external server via TCP
DNS14  In   Ext     ext-ns       TCP    53        >1023     Yes          Answer from external server to ext-ns via TCP

* ACK bit not set on the first packet (establish), but set on all following packets.
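The general setup rules and the DNS table above, written out as IOS access lists. This is an added example, not the original page's configuration: the interface name and all addresses are assumptions (documentation ranges), and only the DNS entries are shown, so the other service tables would need their own entries ahead of the closing deny.

```cisco
! Added example, not part of the original page. Assumptions: the Internet link
! is Serial0, ext-ns is 192.0.2.53, the site's own address space is 192.0.2.0/24
! and 10.0.0.0/8 (all constructed). Numbered extended ACLs are used; the
! "established" keyword matches TCP segments with the ACK or RST bit set, which
! is what the "ACK bit set" column of the table asks for.
!
! General setup rule: no source-routed frames
no ip source-route
!
! ACL 101: from the Internet to ext-ns (rules DNS1, DNS3, DNS6, DNS8, DNS9, DNS11, DNS14)
! Anti-spoofing: own address space must never arrive on the outside interface
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
! Non-initial fragments carry no port numbers, so drop them before any port-based
! entry sees them (needs an IOS release that supports the "fragments" keyword)
access-list 101 deny   ip any any fragments
! DNS1: UDP query from a client to ext-ns
access-list 101 permit udp any gt 1023 host 192.0.2.53 eq 53
! DNS9: server-to-server UDP, port 53 on both sides
access-list 101 permit udp any eq 53 host 192.0.2.53 eq 53
! DNS6: answer to a UDP query that ext-ns sent out
access-list 101 permit udp any eq 53 host 192.0.2.53 gt 1023
! DNS3 and DNS11: TCP query or zone-transfer request; a new connection, so no "established"
access-list 101 permit tcp any gt 1023 host 192.0.2.53 eq 53
! DNS8 and DNS14: answers to TCP queries ext-ns opened; "established" refuses a
! SYN that merely uses source port 53 to reach a high port on ext-ns
access-list 101 permit tcp any eq 53 host 192.0.2.53 gt 1023 established
access-list 101 deny   ip any any log
!
! ACL 102: from ext-ns to the Internet (rules DNS2, DNS4, DNS5, DNS7, DNS10, DNS12, DNS13)
access-list 102 permit udp host 192.0.2.53 eq 53 any gt 1023
access-list 102 permit udp host 192.0.2.53 gt 1023 any eq 53
access-list 102 permit udp host 192.0.2.53 eq 53 any eq 53
access-list 102 permit tcp host 192.0.2.53 eq 53 any gt 1023 established
access-list 102 permit tcp host 192.0.2.53 gt 1023 any eq 53
access-list 102 deny   ip any any log
!
interface Serial0
 description Internet link
 ! keeps the site from amplifying ICMP floods (smurf) against external sites
 no ip directed-broadcast
 ip access-group 101 in
 ip access-group 102 out
```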

 

SMTP related filter rules

ext-ns is the external mail exchanger for all domains hosted at this location. Allow SMTP traffic from external networks to ext-ns and vice versa. Do NOT allow POP!

Rule   Dir  Source  Destination  Proto  Src port  Dst port  ACK bit set  Notes
SMTP1  In   Ext     ext-ns       TCP    >1023     25        No*          Incoming mail, sender to recipient
SMTP2  Out  ext-ns  Ext          TCP    25        >1023     Yes          Incoming mail, recipient to sender
SMTP3  Out  ext-ns  Ext          TCP    >1023     25        No*          Outgoing mail, sender to recipient
SMTP4  In   Ext     ext-ns       TCP    25        >1023     Yes          Outgoing mail, recipient to sender

* ACK bit not set on the first packet (establish), but set on all following packets.

 

FTP related filter rules

ftp.domain.de is the external FTP server for all domains hosted at this location. Allow FTP traffic from external networks to ftp.domain.de and vice versa. Allow FTP connects to the webfarms (in the new customer network).

ftp-hosts stands for ftp.domain.de, the webfarms and the firewall.

Rule   Dir  Source     Destination  Proto  Src port  Dst port  ACK bit set  Notes
FTP1   In   Ext        ftp-hosts    TCP    >1023     21        No*          Incoming FTP request
FTP2   Out  ftp-hosts  Ext          TCP    21        >1023     Yes          Response to incoming request
FTP3   Out  Ext        ftp-hosts    TCP    20        >1023     No*          Data channel creation for incoming FTP request, normal mode (NOT PASV)
FTP4   In   Ext        ftp-hosts    TCP    >1023     20        Yes          Data channel responses for incoming FTP request, normal mode
FTP5   In   Ext        ftp-hosts    TCP    >1023     >1023     No*          Data channel creation for incoming FTP request, passive mode (PASV)
FTP6   Out  ftp-hosts  Ext          TCP    >1023     >1023     Yes          Data channel responses for incoming FTP request, passive mode
FTP7   Out  ftp-hosts  Ext          TCP    >1023     21        No*          Outgoing FTP request
FTP8   In   Ext        ftp-hosts    TCP    21        >1023     Yes          Response to outgoing request
FTP9   In   Ext        ftp-hosts    TCP    20        >1023     No*          Data channel creation for outgoing FTP request, normal mode
FTP10  Out  ftp-hosts  Ext          TCP    >1023     20        Yes          Data channel responses for outgoing FTP request, normal mode
FTP11  Out  ftp-hosts  Ext          TCP    >1023     >1023     No*          Data channel creation for outgoing FTP request, passive mode
FTP12  In   Ext        ftp-hosts    TCP    >1023     >1023     Yes          Data channel responses for outgoing FTP request, passive mode

* ACK bit not set on the first packet (establish), but set on all following packets.
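The FTP table above as IOS access-list entries, showing where the normal-mode and passive-mode data channels differ. This is an added example, not the original page's configuration: the address of ftp.domain.de and the passive port range are assumptions, the webfarm and firewall entries are left out, and FTP3 follows its Notes column (in normal mode the server opens the data channel from port 20 outbound). As for any numbered ACL, the entries must precede a closing deny ip any any.

```cisco
! Added example, not part of the original page. Assumptions: ftp.domain.de is
! 192.0.2.21 (constructed), the FTP daemon on it has been restricted to the
! passive port range 50000-50099 (constructed), and the webfarm and firewall
! entries of the table are left out for brevity. ACL 101 is the inbound and
! ACL 102 the outbound list on the Internet interface.
!
! Incoming FTP request (FTP1 .. FTP6), external client to ftp.domain.de
! FTP1: control connection from a client; a new connection, so no "established"
access-list 101 permit tcp any gt 1023 host 192.0.2.21 eq 21
! FTP2: control-connection replies
access-list 102 permit tcp host 192.0.2.21 eq 21 any gt 1023 established
! FTP3: normal (active) mode, the server opens the data channel from port 20
!       towards a high port on the client, so this is outbound without "established"
access-list 102 permit tcp host 192.0.2.21 eq 20 any gt 1023
! FTP4: client side of that data channel, replies only
access-list 101 permit tcp any gt 1023 host 192.0.2.21 eq 20 established
! FTP5: passive mode, the client opens the data channel to a high port on the
!       server. Written as ">1023 to >1023" without "established", this entry
!       admits a new connection to every port above 1023 on the host; limiting
!       it to the daemon's passive range keeps it narrow
access-list 101 permit tcp any gt 1023 host 192.0.2.21 range 50000 50099
! FTP6: server side of the passive data channel, replies only
access-list 102 permit tcp host 192.0.2.21 range 50000 50099 any gt 1023 established
!
! Outgoing FTP request (FTP7 .. FTP12), ftp.domain.de acting as the client
! FTP7: control connection to an external server
access-list 102 permit tcp host 192.0.2.21 gt 1023 any eq 21
! FTP8: control-connection replies
access-list 101 permit tcp any eq 21 host 192.0.2.21 gt 1023 established
! FTP9: active mode, the external server opens the data channel from port 20;
!       this is the only inbound entry of the set that admits a new connection
!       from a well-known port to a high port, so anything sending from port 20 matches it
access-list 101 permit tcp any eq 20 host 192.0.2.21 gt 1023
! FTP10: replies on that data channel
access-list 102 permit tcp host 192.0.2.21 gt 1023 any eq 20 established
! FTP11: passive mode, ftp.domain.de opens the data channel to a high port on
!        the external server
access-list 102 permit tcp host 192.0.2.21 gt 1023 any gt 1023
! FTP12: replies on that data channel
access-list 101 permit tcp any gt 1023 host 192.0.2.21 gt 1023 established
```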

 

HTTP related filter rules

Allow HTTP traffic for incoming and outgoing connections.

Rule   Dir  Source      Destination  Proto  Src port  Dst port                                    ACK bit set  Notes
HTTP1  In   Ext         webfarms     TCP    >1023     80 (or other ports that run httpd daemons)  No*          Incoming session, client to server in webfarm
HTTP2  Out  webfarms    Ext          TCP    80        >1023                                       Yes          Reply packets to external web clients from webfarm
HTTP3  Out  proxy-farm  Ext          TCP    >1023     Any (problem with nonstandard web sites)    No*          Outgoing HTTP from proxy farm to Ext
HTTP4  In   Ext         proxy-farm   TCP    Any       >1023                                       Yes          Reply packets to outgoing proxy connects

* ACK bit not set on the first packet (establish), but set on all following packets.

 

NNTP related filter rules

Allow NNTP traffic from the external news server (provider) to the external news server (own network).

Rule   Dir  Source                    Destination               Proto  Src port  Dst port  ACK bit set  Notes
NNTP1  In   external newsfeed         external newsfeed in DMZ  TCP    >1023     119       No*          Incoming news to external SBS news site
NNTP2  Out  external newsfeed in DMZ  external newsfeed         TCP    119       >1023     Yes          Reply packets to incoming news
NNTP3  Out  external newsfeed in DMZ  external newsfeed         TCP    >1023     119       No*          Outgoing news to external newsfeed
NNTP4  In   external newsfeed         external newsfeed in DMZ  TCP    119       >1023     Yes          Outgoing news responses to external newsfeed

* ACK bit not set on the first packet (establish), but set on all following packets.

 

Telnet related filter rules

Allow telnet only for outgoing traffic.
 

Rule     Dir  Source    Destination  Proto  Src port  Dst port  ACK bit set  Notes
TELNET1  Out  firewall  Ext          TCP    >1023     23        No*          Outgoing telnet from firewall to external sites
TELNET2  In   Ext       firewall     TCP    23        >1023     Yes          Reply packets to outgoing telnet

* ACK bit not set on the first packet (establish), but set on all following packets.

 

SSH related filter rules

Allow SSH traffic for incoming and outgoing connections.

sshd-hosts stands for the sshd enabled hosts (all hosts in the DMZ).

Rule   Dir  Source      Destination  Proto  Src port  Dst port  ACK bit set  Notes
SSH1   Out  firewall    Ext          TCP    >1023     22        No*          Outgoing ssh from firewall to external sites
SSH2   In   Ext         firewall     TCP    22        >1023     Yes          Reply packets to outgoing ssh
SSH3   In   Ext         sshd-hosts   TCP    >1023     22        No*          Incoming ssh from external sites to DMZ
SSH4   Out  sshd-hosts  Ext          TCP    22        >1023     Yes          Reply packets to incoming ssh

* ACK bit not set on the first packet (establish), but set on all following packets.

 
 
 

From external networks to Internet


prepared by Hermann Heimhardt


Last modified: Mon Oct 27 15:42:36 MET 1997 
