ACL for Internet Facing Router

A base Access List for any internet facing router, re-produced from Mike Storm and Jeremy Cioara’s blogs:

“My friend Mike Storm has come up with a good “base” ACL for use on Internet facing routers and firewall devices. While he has it listed on his blog, I am referencing it here for my own future reference.”

Assuming my PubNet range is a block of 32 66.238.29.0 – 31. See below

! no fragments
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
access-list 100 permit now begins your permits…if any

Notes:
192.0.2.0 0.0.0.255 any log (range known to be used exploit default pw on WLA devices)
4.0.0.0 0.255.255.255 any log (Known as Net-14, a Public use network, possibly used by attackers)
69.254.0.0 0.0.255.255 any log (RFC2026 Link Local)
198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544)

Was this article helpful?

Yes No

Related Articles

Leave A Comment?

You must be logged in to post a comment.