Security Basics mailing list archives
Re: deny access
From: GuidoZ <uberguidoz () gmail com>
Date: Tue, 30 Nov 2004 12:31:59 -0800
Forgive the double reply - judging from few emails I've received off list (from both sides of the fence), I've found the best way to explain things. (Again, this could be applied to a number of situations, not just this one. In fact, I'll generalize it to show this point and help others apply it in different scenarios.) If someone were to ask a question similar to this... "I'm the network admin for a small LAN at work. I've been having a problem with 127.0.0.1 and need to block it from the router. I've been trying to setup an ACL at the gateway to protect the network. I can't seem to figure out the proper format. Can anyone help? At this time, it would be good to reply with the exact answer. It's obvious they know what needs to be done, they are just having trouble with the how. They also seem to be familiar enough with their setup to know why to fix it in this fashion. However, for a more general question like... "127.0.0.1 is causing problems. How do I fix it?" In this case, which relates to the current case, there are a few factors. First, it's obvious they aren't sure how to even begin to tackle the problem. Just providing the "type this as an ACL" answer is dangerous. Since they don't even know what they need to do, chances are they won't know how to begin either. They could mess up some other important settings trying to figure out how to properly enter the ACL rule. Second, you know nothing about the background of the network or situation! For all you know 127.0.0.1 could be an ISP that NEEDS access, or the actual SysAdmin trying to do their job. We have no clue. By telling them how to simply block all traffic from this address, you could be creating further problems worse then the original. (I'm not saying this is the case in Carlos's scenario, just pointing out different aspects.) Plus, even if the correct answer IS to setup the ACL, unless you describe all the steps (logging in, writing to the rules, proper formatting, rebooting/applying, etc), once again the unfamiliar user could cause more damage. Worse yet, they could do it incorrectly and think the problem is solved when it really isn't. That was my entire point in this scenario. Judging from the comments of the user (which is all we have to go on), it seemed like they hadn't even found a starting point. In the case with Carlos (which I also sent to him directly off-list), the correct answer in my eyes would be "You'll probably need to create an ACL if you are sure that IP# needs to be blocked. First determine where that IP# is coming from to make sure it's ok to be blocked, then research on the proper format and ways to create a rule in the ACL to block it." This way, he knows WHERE to start and WHAT to do. Now he just needs to lookup the HOW to do it, ensuring there should be less problems when he's sitting at the console typing away. By forcing him to LEARN how to do a certain thing, he will not only be prepared the next time around (instead of going blindly on comments form the list), but it should also lessen the chances of creating further problems. =) Obviously I also said if he needs further help, please let me know. I'm only going by my own experience. I've been providing technical support on a variety of computer related topics for over a decade; I have learned the points I made above the hard way. I've "helped" users in a similar fashion as most people here helped Carlos, only to find them in a worse situation then before since they didn't know what they were doing to start with. Again, I never tried to be rude, nor do I want to be! Helping out is what makes me tick. (I've been praised on my ability to describe a complex solution in a language new users can understand.) I sincerely hope this helps to not only explain this current situation, but keeps someone from making the same mistakes I have in the past. Thanks for the previous off-list comments/suggestions/complaints. It helped me to format this in a much better way. ;). Feel free to keep them coming. -- Peace. ~G On Tue, 30 Nov 2004 11:35:17 -0800, GuidoZ <uberguidoz () gmail com> wrote:
Everyone, I want to take this opportunity to apologize for Guido. Carlos, if you still need help, email me off the list, and we'll help get squared away.I can certainly apologize for myself, when needed. ;) I wasn't trying to be rude and not help, if that's what you're thinking. If that's the case, then I do apologize. I was merely pointing out the fact that sometimes it's better to TEACH a person then to TELL a person. Allow me to explain... I think it somewhat obvious Carlos has next to no expereince with this device. This is nothing to be made fun of, as everyone starts somewhere and I'm sure there are plenty of things he is quite familiar with that I know nothing about. It's a fact of life. Instead of just flat out answering his question and saying "type this here", I believed he would benefit more from reading the manual for it, learning how to use Google effectively to solve problems, and find out more information in general. Think about it this way: What if he has another problem that needs to be addressed immediately, but he has no access because his router is down? Wouldn't of having a manual (that he downloaded when I mentioned it) be helpful? Wouldn't it be nice to be able to find the answer on your own because you learned how to properly search on Google with focuses terms? This isn't a flame by any means. I've always prided myself on helping others... it's what makes me tick. Sometimes a little "tough love" is what's needed. Judging from the other posts on this list, I figured everyone else would also see what I did. I apologize for not explaining it fully. To sum it up: "Give a man a fish, he eats for a day. Teach a man to fish he eats for a lifetime." I also offered my help off-list to Carlos. That offer still stands. I just felt that it was better to have him try on his own first, then ask a question when he gets stumped. (Instead of being completely lost and just typing what he's been told. That's no way to learn and it could very easily cause problems down the road... like when a BIG problem happens and he hasn't a clue where to even turn.) This applies to anyone, not just this scenario. Everyone should realize that. It doesn't matter if your a book learner or a hands on learner... either way the key is learning. Fundamental fact. =) If I offended anyone, I certainyl apologize. I only hope the reasons for my words are better understand, as there will be other occations where one should take a step back and thing about just this topic before flat out answering a question. -- Peace. ~G On Mon, 29 Nov 2004 22:10:41 -0600, richardw <richardw () area52 allserve net> wrote:Everyone, I want to take this opportunity to apologize for Guido. Carlos, if you still need help, email me off the list, and we'll help get squared away. Saludos, Richard GuidoZ wrote:This is why I said it was better for him to find the answers on his own, and not just tell him the ACL format. Otherwise it's very likely that something will get messed up and he won't be able to fix it, or ask questions online. ;) Think about things before you act everyone. There is certainly nothing wrong with helping out someone in need, although, you must determine the correct level of help. -- Peace. ~G On Thu, 25 Nov 2004 19:40:40 -0700, Carlos Garcia <carlosg () cabonet net mx> wrote:ok i just write access-list 101 deny ip host 216.212.33.185 any is this ok? i put too access-list 101 deny ip 216.212.33.185 255.255.255.255 any... and can somebody tell me how to improve this, i run some servers and i want to protec them mail, web,dns,proxy's where can i find a list so that it helps me how to configure the router to support QoS i need it for VoIP service??? thanks for all the help Atte. Carlos A. Garcia G. Cabonet Staff Tel (624) 14 30120 ----- Original Message ----- From: "Agarwal, Ankur" <Ankur.Agarwal () colt-telecom com> To: "'Carlos Garcia'" <carlosg () cabonet net mx>; <security-basics () securityfocus com> Sent: Thursday, November 25, 2004 7:17 PM Subject: RE: deny accessHI Simply create an deny access list to block this IP. Access-list 101 deny ip source ip destination ip Thanks & Regards, ___________________________________________________ Ankur Agarwal One Dial : 8-911-7428 Tel : +91 124 5157000 (Ext. 2272) *Cell : +91 9810702016 COLT India ankur.agarwal () colt-telecom com ___________________________________________________-----Original Message----- From: Carlos Garcia [mailto:carlosg () cabonet net mx] Sent: 25 November 2004 04:58 To: security-basics () securityfocus com Subject: deny access newbie question how can i block this ip 216.212.33.185 i have a cisco 7200 this ip is trying to send mail with my server, i did not configure the router so i dont know how to do this any help? Atte. Carlos A. Garcia G. Cabonet Staff Tel (624) 14 30120 ************************************************************************************* The message is intended for the named addressee only and may not be disclosed to or used by anyone else, nor may it be copied in any way. The contents of this message and its attachments are confidential and may also be subject to legal privilege. If you are not the named addressee and/or have received this message in error, please advise us by e-mailing security () colt net and delete the message and any attachments without retaining any copies. Internet communications are not secure and COLT does not accept responsibility for this message, its contents nor responsibility for any viruses. No contracts can be created or varied on behalf of COLT Telecommunications, its subsidiaries or affiliates ("COLT") and any other party by email Communications unless expressly agreed in writing with such other party. Please note that incoming emails will be automatically scanned to eliminate potential viruses and unsolicited promotional emails. For more information refer to www.colt.net or contact us on +44(0)20 7390 3900.-- ------------------------------------------------------------------------ ____/\___ | | "If you can't beat ___/__\__) | richardw | them, then they're (__/ \__ | mailto:richardw!area52.allserve.net | not tied down good / \ | | enough..." ------------------------------------------------------------------------
Current thread:
- deny access Carlos Garcia (Nov 26)
- Re: deny access Sean Earp (Nov 27)
- Re: deny access John R. Morris (Nov 27)
- Re: deny access GuidoZ (Nov 27)
- RE: deny access dave kleiman (Nov 27)
- RE: deny access David Gillett (Nov 29)
- <Possible follow-ups>
- Re: deny access Carlos Garcia (Nov 27)
- Re: deny access GuidoZ (Nov 29)
- Message not available
- Re: deny access GuidoZ (Nov 30)
- Re: deny access GuidoZ (Nov 30)
- Re: deny access GuidoZ (Nov 29)
- RE: deny access David Gillett (Nov 30)
- RE: deny access James McGee (Nov 30)
- RE: deny access James McGee (Nov 30)