Security Basics mailing list archives
RE: deny access
From: Richard Windmann <windmann () area52 allserve net>
Date: Thu, 2 Dec 2004 10:21:52 -0600 (CST)
I am a former Cisco employee/engineer, and Paris is right. The only time you would want to put the deny any any rule at the end yourself is if you wanted to log the rule.

On Thu, 2 Dec 2004, Paris E. Stone wrote:

I have been in the industry for 14 years, and I have never heard this. If you have a CCO document to back that statement up, I would like to see it, because I think you are wrong. I have always heard / read / taught that all ACLs end with an implicit deny any any.

CCO Document URL: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Quote from the Introduction, 2nd paragraph:

The IP ACL is a sequential collection of permit and deny conditions that applies to an IP packet. The router tests packets against the conditions in the ACL one at a time. The first match determines whether the Cisco IOS(r) software accepts or rejects the packet. Because the Cisco IOS software stops testing conditions after the first match, the order of the conditions is critical.

~the good part~
If no conditions match, the router rejects the packet, due to an implicit deny all clause.
~end the good part~

~~~~~
Paris E. Stone, "Linux Zealot"
CISSP, CCNP, CNE, MCSE, CIW Master Administrator
~~~~~
"Not all who wander are lost." J.R.R.T.

________________________________
From: Stanley Tomkiewicz [mailto:stanley.tomkiewicz () db com]
Sent: Thursday, December 02, 2004 7:13 AM
To: Paris E. Stone
Cc: Agarwal, Ankur; Carlos Garcia; richardw () area52 allserve net; security-basics () securityfocus com; GuidoZ
Subject: RE: deny access

Remember that the implicit deny is only if the acl is built with all permit statements. Once you start putting in deny statements (at the beginning of the acl) you change that dynamic.

Stan

Stanley Tomkiewicz
Vice President, GTO-Network Services-Risk Management
Deutsche Bank, Parsippany, N.J.

"Paris E. Stone" <pstone () alhurra com> wrote on 11/30/2004 07:51 PM:
To: <richardw () area52 allserve net>, "GuidoZ" <uberguidoz () gmail com>
cc: "Carlos Garcia" <carlosg () cabonet net mx>, "Agarwal, Ankur" <ankur.agarwal () colt-telecom com>, <security-basics () securityfocus com>
Subject: RE: deny access

~Begin Chastise~
He posted to the SECURITY-BASICS mailing list. That would pretty much "determine the correct level of help" in my mind.
~End Chastise~

~Begin pathetic attempt at help~
And, technically speaking, "access-list 101 deny ip source ip destination ip" is the correct syntax, but the information he didn't get was:

- There is an implicit "deny any any" in all Cisco ACLs, which means a 1-line ACL to block one host would effectively block all hosts.
- ACL built, but it still needs to be bound. From interface config mode, "ip access-group 101 in interface " is the second part of the equation.
- If there are no ACLs now, make it a two-liner: the deny line, and: access-list 101 permit ip any any
~End pathetic attempt at help~

My .02

-----Original Message-----
From: richardw [mailto:richardw () area52 allserve net]
Sent: Monday, November 29, 2004 11:11 PM
To: GuidoZ
Cc: Carlos Garcia; Agarwal, Ankur; security-basics () securityfocus com
Subject: Re: deny access

Everyone, I want to take this opportunity to apologize for Guido. Carlos, if you still need help, email me off the list, and we'll help get squared away.

Saludos,
Richard

GuidoZ wrote:

This is why I said it was better for him to find the answers on his own, and not just tell him the ACL format. Otherwise it's very likely that something will get messed up and he won't be able to fix it, or ask questions online. ;) Think about things before you act, everyone. There is certainly nothing wrong with helping out someone in need, although you must determine the correct level of help.

--
Peace. ~G

On Thu, 25 Nov 2004 19:40:40 -0700, Carlos Garcia <carlosg () cabonet net mx> wrote:

Ok, I just wrote access-list 101 deny ip host 216.212.33.185 any. Is this ok? I also put access-list 101 deny ip 216.212.33.185 255.255.255.255 any... And can somebody tell me how to improve this? I run some servers and I want to protect them (mail, web, DNS, proxies). Where can I find a list so that it helps me how to configure the router to support QoS? I need it for VoIP service??? Thanks for all the help.

Atte.
Carlos A. Garcia G.
Cabonet Staff

----- Original Message -----
From: "Agarwal, Ankur" <Ankur.Agarwal () colt-telecom com>
To: "'Carlos Garcia'" <carlosg () cabonet net mx>; <security-basics () securityfocus com>
Sent: Thursday, November 25, 2004 7:17 PM
Subject: RE: deny access

Hi,

Simply create a deny access list to block this IP:

Access-list 101 deny ip source ip destination ip

Thanks & Regards,
Ankur Agarwal
COLT India

-----Original Message-----
From: Carlos Garcia [mailto:carlosg () cabonet net mx]
Sent: 25 November 2004 04:58
To: security-basics () securityfocus com
Subject: deny access

Newbie question: how can I block this IP 216.212.33.185? I have a Cisco 7200. This IP is trying to send mail with my server. I did not configure the router, so I don't know how to do this. Any help?

Atte.
Carlos A. Garcia G.
Cabonet Staff
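As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python model walks through the first-match evaluation and implicit deny that the thread argues about, using the access-list lines quoted above; it also parses the wildcard-mask form with Cisco wildcard semantics and records whether a trailing explicit "deny ip any any log" would log the rejected packet. It assumes the constructed server addresses 192.0.2.25 and 192.0.2.99 and handles only contiguous wildcard masks.

```python
import ipaddress

# Constructed model of a Cisco IOS numbered IP ACL: entries are tested in
# order, the first match decides, and a packet that matches nothing is denied.

def _take_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    # Cisco wildcard mask: 1-bits are "don't care", so 0.0.0.0 selects one host
    # and 255.255.255.255 selects every address (only contiguous masks handled).
    wild = int(ipaddress.IPv4Address(tok[1]))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask {tok[1]} not supported")
    return ipaddress.IPv4Network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False), tok[2:]

def parse_ace(line):
    """Parse 'access-list <n> permit|deny ip <src> <dst> [log]' into (action, src, dst, log)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    return tok[2], src, dst, rest[:1] == ["log"]

def evaluate(acl, src, dst):
    """Return (verdict, logged) for an IP packet from src to dst."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet, log in acl:
        if s in snet and d in dnet:
            return action, log    # first match wins; later entries are never tested
    return "deny", False          # implicit deny all: nothing matched, nothing logged

def verdict(lines, src, dst="192.0.2.25"):
    """Build the ACL from config lines and give the verdict for one source address."""
    return evaluate([parse_ace(ln) for ln in lines], src, dst)[0]

# The entries discussed in the thread; 192.0.2.x are constructed server addresses.
BLOCK_ONLY = ["access-list 101 deny ip host 216.212.33.185 any"]
BLOCK_THEN_PERMIT = BLOCK_ONLY + ["access-list 101 permit ip any any"]
WRONG_ORDER = BLOCK_THEN_PERMIT[::-1]
WILDCARD_FORM = ["access-list 101 deny ip 216.212.33.185 255.255.255.255 any",
                 "access-list 101 permit ip any any"]
# Relies on nothing beyond the implicit deny, except that rejected packets are logged.
LOGGED_DENY = BLOCK_ONLY + ["access-list 101 permit ip any host 192.0.2.25",
                            "access-list 101 deny ip any any log"]
```

Calling `verdict(BLOCK_ONLY, "198.51.100.7")` returns "deny" for a host the list never names, which is the one-line-ACL problem Paris describes; `evaluate` on LOGGED_DENY returns the same deny verdict as the implicit clause but with the log flag set.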