A base Access List for any internet facing router, re-produced from Mike Storm and Jeremy Cioara’s blogs:<\/p>\n
<\/p>\n
“My friend Mike Storm<\/a> has come up with a good “base” ACL for use on Internet facing routers and firewall devices. While he has it listed on his blog<\/a>, I am referencing it here for my own future reference.”<\/p>\n Assuming my PubNet range is a block of 32 66.238.29.0 – 31. See below<\/p>\n ! no fragments<\/strong> Notes:<\/strong> A base Access List for any internet facing router, re-produced from Mike Storm and Jeremy Cioara’s blogs:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[27,13],"tags":[32,24],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/653"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=653"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/653\/revisions"}],"predecessor-version":[{"id":660,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/653\/revisions\/660"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=653"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\naccess-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
\naccess-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
\naccess-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
\n! no snmp inbound from the Internet<\/strong>
\naccess-list 100 deny udp any any eq snmp
\naccess-list 100 deny udp any any eq snmptrap
\n! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering <\/strong>
\naccess-list 100 deny ip 127.0.0.0 0.255.255.255 any log
\naccess-list 100 deny ip 255.0.0.0 0.255.255.255 any log
\naccess-list 100 deny ip 224.0.0.0 31.255.255.255 any log
\naccess-list 100 deny ip host 0.0.0.0 any log
\naccess-list 100 deny ip 10.0.0.0 0.255.255.255 any log
\naccess-list 100 deny ip 172.16.0.0 0.15.255.255 any log
\naccess-list 100 deny ip 192.0.2.0 0.0.0.255 any log
\naccess-list 100 deny ip 192.168.0.0 0.0.255.255 any log
\naccess-list 100 deny ip 14.0.0.0 0.255.255.255 any log
\naccess-list 100 deny ip 169.254.0.0 0.0.255.255 any log
\naccess-list 100 deny ip 198.18.0.0 0.0.255.255 any log
\naccess-list 100 deny ip 66.238.29.0 0.0.0.31 any log
\n! no routing protocols inbound (unless needed) <\/strong>
\naccess-list 100 deny tcp any any eq bgp log
\naccess-list 100 deny tcp any eq bgp any log
\naccess-list 100 deny ipinip any any
\naccess-list 100 deny gre any any
\naccess-list 100 deny pim any any
\naccess-list 100 deny 90 any any
\naccess-list 100 deny ospf any any log
\naccess-list 100 deny eigrp any any log
\naccess-list 100 deny udp any eq rip any log
\naccess-list 100 deny udp any any eq rip log
\naccess-list 100 permit now begins your permits…if any<\/p><\/blockquote>\n
\n192.0.2.0 0.0.0.255 any log (range known to be used exploit default pw on WLA devices<\/em>)
\n4.0.0.0 0.255.255.255 any log (Known as Net-14, a Public use network, possibly used by attackers<\/em>)
\n69.254.0.0 0.0.255.255 any log (RFC2026 Link Local<\/em>)
\n198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544<\/em>)<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"