; ; This is a modified filter portion of a Cisco configuration file, using a ; fictitious internal network number is 192.0.0. The network topology is as ; follows ; ; | ; ----------- ; | Gateway | ; ----------- ; Firewall Network | 10.1.1.1 ; |--------------------------------------------| ; | 10.1.1.2 | 0.0.0.0 ; ----------- ----------- ; | Gateway | | Argus | ; | | | Host | ; ----------- ----------- ; | 192.0.0.1 | 192.0.0.2 ; |--------------------------------------------| ; Internal Network ; ; ; Since the Argus data is captured on the external firewall network, violations ; are reported even though they are filtered successfully by the gateway. This ; proves as a good first alert mechanism for external attempts to violate the ; firewall policy. ; ; No source routeing through our gateway. ; no ip source-route ; ; Pass all icmp but remember, we won't see icmp scans (i.e. ping). This is ; done because icmp events can generate lots of data. ; access-list 102 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 ; ; Udp stuff: Permit domain, ntp, talk, and ntalk, deny all else. ; access-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 53 access-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 123 access-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 517 access-list 102 permit udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 518 access-list 102 deny udp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 ; ; Tcp stuff: ; permit telnet to our "one time password" telnet host ; permit smtp to our mail host ; permit finger to our finger host ; permit nntp to our news host ; deny less then port 1023 ; deny X ; access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.23 0.0.0.255 eq 23 access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.25 0.0.0.255 eq 25 access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.79 0.0.0.255 eq 79 access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.237.1.8 0.0.0.0 eq 119 access-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 lt 1023 access-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 2000 access-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 eq 6000 access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 lt 6000 access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 gt 6100 access-list 102 deny tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255 gt 6000 access-list 102 permit tcp 0.0.0.0 255.255.255.255 192.0.0.0 0.0.0.255