ACLs für das Eingangs-Interface zum Internet. Sie sind als Beispiel zu verstehen, mit den wohl wichtigsten Einträgen.
IPv4
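#==============================================================================
# Ingress rule set for ISP interconnection
#==============================================================================
# Applied inbound on the ISP-facing interface. Lines beginning with '#' are
# annotations for this document only; IOS treats only '!' as a comment
# character, so strip them (or rewrite them as '!') before pasting.
# Placeholders in angle brackets (<transit-prefix>, <perimeter_address_range>,
# <customers_public_address_range>, <exposed_hostN_address>) are replaced per
# deployment; in IPv4 entries a prefix is written as "network wildcard".
# Entries are evaluated top to bottom, first match wins: the permits in
# sections 1000, 3000 and 4000 must stay ahead of the section 5000 denies.
# Non-initial IP fragments are matched on layer-3 fields only, so a permit
# entry that also carries layer-4 criteria (e.g. 3010) admits any matching
# fragment to its destination. If fragmented traffic towards the router is
# not needed, a `deny ip any <transit-prefix> fragments` ahead of section 3000
# closes that gap.
ip access-list extended ACL-ISP-INGRESS
#——————————————————————————
# Section 1000
# Name : eBGP session
# Description : Allow TCP packets for eBGP session to ISP router
# Info : Technical required in BGP setups
# Hardening : If the peer is configured for GTSM (RFC 5082, ttl-security),
# adding `ttl eq 255` to both entries also drops BGP packets that
# did not originate on the directly connected link.
#——————————————————————————
remark eBGP session
1010 permit tcp <transit-prefix> <transit-prefix> eq bgp
1020 permit tcp <transit-prefix> eq bgp <transit-prefix> gt 1023
#——————————————————————————
# Section 2000
# Name : Block Bogon sources
# Description : Block IP packets with unused, reserved or unexpected
# source addresses
# Info : Security recommended
# Note : These are source-address filters only; the list is static and
# should be compared against a maintained bogon reference from
# time to time.
#——————————————————————————
remark Block bogon sources
# Customers network (anti-spoofing: our own addresses never arrive from outside)
2010 deny ip <customers_public_address_range> any
# "This" network
2020 deny ip 0.0.0.0 0.255.255.255 any
# RFC 1918
2030 deny ip 10.0.0.0 0.255.255.255 any
2040 deny ip 172.16.0.0 0.15.255.255 any
2050 deny ip 192.168.0.0 0.0.255.255 any
# RFC 6598 shared address space (carrier-grade NAT); also never a valid
# internet source. Add only if the transit link itself is not numbered from
# this range:
# 2055 deny ip 100.64.0.0 0.63.255.255 any
# Loopback
2060 deny ip 127.0.0.0 0.255.255.255 any
# Link local; Auto-IP
2070 deny ip 169.254.0.0 0.0.255.255 any
# IETF Protocol Assignments
2080 deny ip 192.0.0.0 0.0.0.255 any
# TEST-NET-1, TEST-NET-2, TEST-NET-3
2090 deny ip 192.0.2.0 0.0.0.255 any
2100 deny ip 198.51.100.0 0.0.0.255 any
2110 deny ip 203.0.113.0 0.0.0.255 any
# Network Interconnect Device Benchmark Testing
2120 deny ip 198.18.0.0 0.1.255.255 any
# Multicast
2130 deny ip 224.0.0.0 15.255.255.255 any
# Reserved for future use
2140 deny ip 240.0.0.0 15.255.255.255 any
# Broadcast
2150 deny ip 255.255.255.255 0.0.0.0 any
#——————————————————————————
# Section 3000
# Name : ICMP Troubleshooting
# Description : Allow ICMP packet in troubleshooting commands
# o Echo replies
# o TTL exceeded
# o Fragmentation needed but DF bit set
# o Unreachables
# Info : Operational recommended
# Note : Echo requests towards the router/perimeter are intentionally not
# permitted. The ACL does not rate-limit; ICMP reaching the router
# itself should additionally be bounded by control-plane policing.
#——————————————————————————
remark ICMP Troubleshooting
3010 permit icmp any <transit-prefix> echo-reply
3020 permit icmp any <transit-prefix> time-exceeded
3030 permit icmp any <transit-prefix> packet-too-big
3040 permit icmp any <transit-prefix> unreachable
3050 permit icmp any <perimeter_address_range> echo-reply
3060 permit icmp any <perimeter_address_range> time-exceeded
3070 permit icmp any <perimeter_address_range> packet-too-big
3080 permit icmp any <perimeter_address_range> unreachable
#——————————————————————————
# Section 4000
# Name : Perimeter Service IPs
# Description : Allow any IP packet to explicitly exposed hosts in
# perimeter networks.
# Info : Optional in some scenarios
# Note : "any IP packet" means every protocol and port; per-service
# restriction is left to the host or a perimeter firewall in front of it.
#——————————————————————————
remark Perimeter Service IPs
remark exposed host 1
4011 permit ip any host <exposed_host1_address>
remark exposed host 2
# Fixed: the original entry repeated <exposed_host1_address> here, leaving
# host 2 unreachable (it would fall through to the section 5000 deny).
4021 permit ip any host <exposed_host2_address>
#——————————————————————————
# Section 5000
# Name : Perimeter device protection
# Description : Prevent attacks on devices in perimeter networks from any
# internet source by blocking all ip packets with
# corresponding destination addresses.
# Info : Security required
# Note : This also covers the router's own interface addresses, so no
# management access to the router is possible from the internet side.
# `log` produces a syslog message per match; make sure syslog
# rate limiting (e.g. `logging rate-limit`) is configured so a
# packet flood cannot exhaust router CPU through logging.
#——————————————————————————
remark Block all perimeter networks
5010 deny ip any <transit-prefix> log
5020 deny ip any <perimeter_address_range> log
#——————————————————————————
# Section 99000
# Name : Internal Networks
# Description : Allow any IP packet to destinations behind perimeter
# firewall. Perimeter firewall takes care of protection.
# Info : Technical required
# Note : Source addresses not blocked by section 2000 reach the firewall
# unfiltered; the firewall is the enforcement point for them.
#——————————————————————————
remark Allow any other connection
99000 permit ip any any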
IPv6
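#==============================================================================
# Ingress rule set for ISP interconnection
#==============================================================================
# Notice: Blocking Martians or Bogon makes no sense
# under IPv6. Any IPv6 /64 network contains more possible
# source addresses than all IPv4 martian or bogon ranges together.
# So, those kind of DoS attacks against firewall state tables
# don't need Martian or Bogon sources under IPv6.
#
# The notice above addresses state-table exhaustion only. A few IPv6
# prefixes are still never legitimate internet sources and may be dropped
# ahead of section 2000 as a spoofing filter if desired, e.g.
# `deny ipv6 FC00::/7 any` (ULA) and `deny ipv6 2001:DB8::/32 any`
# (documentation). Do not filter `::` as a source globally: it is a valid
# source for Duplicate Address Detection and is permitted at 1010.
#
# Lines beginning with '#' are annotations for this document only; IOS
# treats only '!' as a comment character, so strip them before pasting.
# IOS ipv6 access-lists carry implicit "permit icmp any any nd-ns" and
# "permit icmp any any nd-na" entries at the very end. Because section 4000
# explicitly denies link-local and multicast destinations before that point,
# the explicit Neighbor Discovery permits in section 1000 are required.
ipv6 access-list ACL-ISP-INGRESS
#——————————————————————————
# Section 1000
# Name : ICMPv6 Neighbor Discovery
# Description : Allow ICMPv6 packets to resolve neighbors (MAC addresses)
# Info : Technical required
# Note : Router Solicitations/Advertisements are intentionally not
# permitted; this presumes a statically addressed transit link — confirm
# before deployment.
#——————————————————————————
sequence 1000 remark ICMPv6 Neighbor Discovery
sequence 1005 remark Receiving Neighbor Solicitations
# Duplicate Address Detection uses the unspecified source address
permit icmp host :: FF02::/16 nd-ns sequence 1010
permit icmp <transit-prefix> <transit-prefix> nd-ns sequence 1020
permit icmp <transit-prefix> FF02::/16 nd-ns sequence 1030
permit icmp FE80::/64 FE80::/64 nd-ns sequence 1040
permit icmp FE80::/64 FF02::/16 nd-ns sequence 1050
sequence 1100 remark Receiving Neighbor Advertisements
permit icmp <transit-prefix> <transit-prefix> nd-na sequence 1110
permit icmp <transit-prefix> FE80::/64 nd-na sequence 1120
permit icmp <transit-prefix> FF02::/16 nd-na sequence 1130
permit icmp FE80::/64 FE80::/64 nd-na sequence 1140
permit icmp FE80::/64 FF02::/16 nd-na sequence 1150
sequence 1200 remark Multicast Listener Reports
permit icmp host :: FF02::/16 mld-v2-report sequence 1210
permit icmp FE80::/64 FF02::/16 mld-v2-report sequence 1220
#——————————————————————————
# Section 2000
# Name : eBGP session
# Description : Allow TCP packets for eBGP session to ISP router
# Info : Technical required in BGP setups
# Hardening : With GTSM (RFC 5082, ttl-security) on the peer, matching
# hop limit 255 on these entries additionally rejects BGP packets
# that did not originate on the directly connected link.
#——————————————————————————
sequence 2000 remark eBGP session
permit tcp <transit-prefix> <transit-prefix> eq bgp sequence 2010
permit tcp <transit-prefix> eq bgp <transit-prefix> gt 1023 sequence 2020
#——————————————————————————
# Section 3000
# Name : ICMPv6 Troubleshooting
# Description : Allow ICMPv6 packet in troubleshooting commands
# o Echo replies
# o TTL exceeded
# o Packet too big
# o Unreachables
# Info : Operational recommended
# Note : Packet-too-big is mandatory for IPv6 path MTU discovery (routers
# do not fragment); blocking it breaks connectivity to larger-MTU peers.
#——————————————————————————
sequence 3000 remark ICMPv6 Troubleshooting
permit icmp any <transit-prefix> echo-reply sequence 3010
permit icmp any <transit-prefix> time-exceeded sequence 3020
permit icmp any <transit-prefix> packet-too-big sequence 3030
permit icmp any <transit-prefix> unreachable sequence 3040
permit icmp any <perimeter_address_range> echo-reply sequence 3050
permit icmp any <perimeter_address_range> time-exceeded sequence 3060
permit icmp any <perimeter_address_range> packet-too-big sequence 3070
permit icmp any <perimeter_address_range> unreachable sequence 3080
#——————————————————————————
# Section 4000
# Name : Link-local router protection
# Description : Prevent router attacks via link-local communication
# from ISP router by blocking all other possible link-local
# communication.
# Info : Security recommended
# Note : `log` produces a syslog message per match; ensure syslog rate
# limiting is configured so a flood cannot exhaust router CPU.
#——————————————————————————
sequence 4000 remark Block remaining Link-Local Communication
deny ipv6 any FE80::/64 log sequence 4010
deny ipv6 any FF02::/16 log sequence 4020
#——————————————————————————
# Section 5000
# Name : Perimeter Service IPs
# Description : Allow any IPv6 packet to explicitly exposed hosts in
# perimeter networks.
# Info : Optional in some scenarios
# Note : "any IPv6 packet" means every protocol and port; per-service
# restriction is left to the host or a perimeter firewall in front of it.
#——————————————————————————
sequence 5000 remark Perimeter Service IPs
sequence 5010 remark exposed host 1
permit ipv6 any host <exposed_host1_address> sequence 5011
sequence 5020 remark exposed host 2
# Fixed: the original entry repeated <exposed_host1_address> here, leaving
# host 2 unreachable (it would fall through to the section 6000 deny).
permit ipv6 any host <exposed_host2_address> sequence 5021
#——————————————————————————
# Section 6000
# Name : Perimeter device protection
# Description : Prevent attacks on devices in perimeter networks from any
# internet source by blocking all ipv6 packets with
# corresponding destination addresses.
# Info : Security required
# Note : This also covers the router's own global addresses, so no
# management access to the router is possible from the internet side.
#——————————————————————————
sequence 6000 remark Block all perimeter networks
deny ipv6 any <transit-prefix> log sequence 6010
deny ipv6 any <perimeter_address_range> log sequence 6020
#——————————————————————————
# Section 99000
# Name : Internal Networks
# Description : Allow any IPv6 packet to destinations behind perimeter
# firewall. Perimeter firewall takes care of protection.
# Info : Technical required
#——————————————————————————
sequence 99000 remark Allow any other connection
# Explicit sequence number added so the entry follows the "remark N000,
# entries N010+" scheme used everywhere else instead of relying on IOS
# auto-assignment after the remark.
permit ipv6 any any sequence 99010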