Velocity Reviews - Computer Hardware Reviews

Cisco 837 - WAN interface access-list

Mirko
07-23-2004

I activated the following access-list on the WAN interface of my router
(Dialer1, PPPoA-type connection)

The private network behind the router is NATted using a canonical

"ip nat inside source list 100 interface Dialer1 overload", where ACL 100
permits all hosts on the private network.

My problem is, if I execute a PORT SCAN from outside this network (Internet)
towards the static public IP of the router I get a long list of UDP ports
which are in state "closed" (but not _stealth_, which is the result I
desired to obtain).

Port list includes Windows ports, UNIX services ports (which are not present
on that network anyway), possible router services ports (tftp) etc.

Why are those ports not in state "stealth", since I'm dropping most of the
inbound packets?

Checking the list, I found and tried to remove the line

"access-list 180 permit udp any host <public_ip_address> gt 1023",

but all I got was that _all_ clients on the private network suddenly lost
access to the Internet, so I had to restore it.

Has anybody any clue on what I should do to better protect my WAN interface
_and_ still let my clients connect via NAT to the Internet?

Thanks in advance for your help,


Mirko


WAN interface ACL
---------------- >8 ---------------------- >8 --------------

access-list 180 remark Anti-spoofing rules
access-list 180 deny ip 0.0.0.0 0.255.255.255 any
access-list 180 deny ip 10.0.0.0 0.255.255.255 any
access-list 180 deny ip 127.0.0.0 0.255.255.255 any
access-list 180 deny ip 172.16.0.0 0.15.255.255 any
access-list 180 deny ip 192.168.0.0 0.0.255.255 any
access-list 180 deny ip 224.0.0.0 31.255.255.255 any
access-list 180 deny ip 192.0.2.0 0.0.0.255 any
access-list 180 deny ip 169.254.0.0 0.0.255.255 any

access-list 180 remark ICMP Management
access-list 180 permit icmp any host <public_ip_address> echo-reply
access-list 180 permit icmp any host <public_ip_address> unreachable
access-list 180 permit icmp any host <public_ip_address> time-exceeded

access-list 180 remark SSH Management
access-list 180 permit tcp any host <public_ip_address> eq 22

access-list 180 remark We accept replies to requests first generated
internally
access-list 180 permit tcp any host <public_ip_address> gt 1023 established
access-list 180 permit udp any host <public_ip_address> gt 1023

access-list 180 remark Active FTP
access-list 180 permit tcp any eq ftp-data host <public_ip_address> gt 1023

access-list 180 remark Blocks all other IP traffic (WAN -> LAN)
access-list 180 deny ip any any

--------------- >8 ---------------------- >8 --------------
Bob Goddard
07-23-2004
Mirko wrote:

> I activated the following access-list on the WAN interface of my
> router (Dialer1, PPPoA-type connection)
>
> The private network behind the router is NATted using a canonical
>
> "ip nat inside source list 100 interface Dialer1 overload", where ACL
> 100 permits all hosts on the private network.
>
> My problem is, if I execute a PORT SCAN from outside this network
> (Internet) towards the static public IP of the router I get a long
> list of UDP ports which are in state "closed" (but not _stealth_,
> which is the result I desired to obtain).


On your WAN interface put,
"no ip unreachables"


B
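An added example (not code from this thread, from Cisco, or from either poster): a Python first-match evaluator for the subset of extended-ACL syntax used in Mirko's access-list 180, applied to the traffic his posts mention (NAT return traffic to high ports, an inbound probe to tftp), plus a small model of why Bob's "no ip unreachables" turns a "closed" UDP port into a "stealth" one. The public address 203.0.113.10 and the scan source addresses are constructed placeholders.

```python
from ipaddress import ip_address as ipa
PUBLIC_IP = "203.0.113.10"     # constructed placeholder for <public_ip_address>
PORT_NAMES = {"ftp-data": 20}  # named ports IOS accepts in port operators
# Subset of Mirko's access-list 180 from the thread, placeholder substituted.
ACL_180 = f"""
access-list 180 deny ip 10.0.0.0 0.255.255.255 any
access-list 180 permit tcp any host {PUBLIC_IP} gt 1023 established
access-list 180 permit udp any host {PUBLIC_IP} gt 1023
access-list 180 permit tcp any eq ftp-data host {PUBLIC_IP} gt 1023
access-list 180 deny ip any any
"""
def _addr(t):  # consume 'any' | 'host A' | 'A WILDCARD'; return (matcher, rest)
    if t[0] == "any":
        return (lambda ip: True), t[1:]
    if t[0] == "host":
        return (lambda ip, h=int(ipa(t[1])): int(ipa(ip)) == h), t[2:]
    net, wild = int(ipa(t[0])), int(ipa(t[1]))  # wildcard 1-bits are "don't care"
    return (lambda ip, n=net, w=wild: (int(ipa(ip)) | w) == (n | w)), t[2:]

def _port(t):  # consume an optional 'eq N' / 'gt N'; return (matcher, rest)
    if t and t[0] in ("eq", "gt"):
        n = PORT_NAMES.get(t[1]) or int(t[1])
        return (lambda p, op=t[0], n=n: p == n if op == "eq" else p > n), t[2:]
    return (lambda p: True), t

def parse_acl(text):  # -> [(action, proto, src, sport, dst, dport, extra-keywords)]
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _addr(t[4:]); sport, rest = _port(rest)
        dst, rest = _addr(rest);  dport, rest = _port(rest)
        rules.append((t[2], t[3], src, sport, dst, dport, set(rest)))
    return rules

def evaluate(rules, proto, src, sport, dst, dport, flags=()):
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for action, p, sm, spm, dm, dpm, extra in rules:
        if (p in ("ip", proto) and sm(src) and spm(sport) and dm(dst)
                and dpm(dport) and extra <= set(flags)):
            return action
    return "deny"

def scanner_state(ip_unreachables=True):
    """Label a UDP scanner gives a probe the router drops (ACL deny or no listener):
    IOS normally answers with ICMP unreachable (type 3; code 13 for an ACL deny,
    code 3 for an unused port), which reads as 'closed'; 'no ip unreachables'
    suppresses that reply, so the probe times out and shows as 'stealth'."""
    return "closed" if ip_unreachables else "stealth"
```

Removing the `permit udp ... gt 1023` entry is what cut the LAN off: replies to NATted DNS queries come back to a high port on the public address and then hit the final deny.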
Mirko
07-23-2004
Following your advice I applied this command and... voilà! all UDP scanning
flaws were obliterated from my router.

Thanks for your quick help Bob! Right now I'm in the process of reading "NSA
router security configuration guide 1.1b" and " Phrack Magazine -Building
Bastion Routers Using Cisco IOS", where this and many other useful commands
to protect a Cisco router are explained. I hope to come out with a more
intelligent question next time!

Mirko

"Bob Goddard" <mailtrap-numpty-1-> wrote in
message news:...

> > My problem is, if I execute a PORT SCAN from outside this network
> > (Internet) towards the static public IP of the router I get a long
> > list of UDP ports which are in state "closed" (but not _stealth_,
> > which is the result I desired to obtain).

>
> On your WAN interface put,
> "no ip unreachables"
>
>
> B
Peter
07-23-2004
Mirko wrote:
> Following your advice I applied this command and... voilà! all UDP scanning
> flaws were obliterated from my router.


You may also wish to investigate -
no ip redirects
no ip proxy-arp
These may also help eliminate potential issues when
interfacing with an untrusted environment.

Cheers...........pk.


--
*** Replace SOMEONE with prk ***