On Sun, 17 Apr 2005 13:28:21 +0200 Kim Onnel <karim.adel@gmail.com> wrote:
> I have the ACL below applied on many network devices to block the common worm ports,
Beware, you are guaranteed to be blocking other, legitimate things too with some of these rules. More below.
> ip access-list extended worms
>  deny tcp any any eq 5554
Whatever worm you're trying to mitigate above (Sasser?), you will also occasionally be taking out TCP sessions that happen to be using that port, most commonly where one side uses 5554 as its ephemeral port.
>  deny tcp any any range 135 139
>  deny udp any any range 135 netbios-ss
>  deny tcp any any eq 445
>  deny udp any any eq 1026
Similarly to before, you are going to be removing some legitimate traffic. With UDP ephemeral ports this will most likely be DNS and NTP traffic. Note, many people do what you do all the time, to the detriment of both real security and robustness in my opinion, but it's your net and you can throw away random packets if you want to. Perhaps set the rules to permit and log first, let it run for a while and then see what you'll be missing.

John
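The "permit and log first" approach John suggests produces one IOS access-list log line per matching flow, and the useful question when reading them is which hits have the worm port on the destination side (what the ACL is meant to stop) versus only on the source side (an ordinary session that happened to draw 5554, 137 or 1026 as its ephemeral port). The script below is an added example, not code from either poster; it assumes log lines in the general shape of IOS %SEC-6-IPACCESSLOGP messages (the sample lines are constructed, not captured) and uses the port set from Kim's ACL.

```python
import re
from collections import Counter

# Port set taken from the ACL in the thread: TCP 5554, 135-139, 445; UDP 135-139, 1026.
WORM_PORTS = {
    "tcp": {5554, 445} | set(range(135, 140)),
    "udp": {1026} | set(range(135, 140)),
}

# Constructed sample lines in the shape of IOS %SEC-6-IPACCESSLOGP messages, as they
# would look after each "deny" is temporarily changed to "permit ... log".
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list worms permitted tcp 10.0.0.7(5554) -> 198.51.100.20(80), 1 packet
%SEC-6-IPACCESSLOGP: list worms permitted tcp 10.0.0.9(3321) -> 198.51.100.21(5554), 1 packet
%SEC-6-IPACCESSLOGP: list worms permitted udp 10.0.0.5(1026) -> 198.51.100.53(53), 3 packets
%SEC-6-IPACCESSLOGP: list worms permitted udp 10.0.0.5(137) -> 198.51.100.53(123), 1 packet
%SEC-6-IPACCESSLOGP: list worms permitted tcp 10.0.0.12(1045) -> 198.51.100.30(445), 2 packets
%SEC-6-IPACCESSLOGP: list worms permitted tcp 10.0.0.7(135) -> 198.51.100.20(443), 1 packet
"""

# Assumed line shape: "list <acl> permitted <proto> <src>(<sport>) -> <dst>(<dport>), N packet(s)"
LINE_RE = re.compile(
    r"list (?P<acl>\S+) permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def classify(proto, sport, dport):
    """Decide why a flow matched the worm ACL."""
    ports = WORM_PORTS[proto]
    if dport in ports:
        return "targeted"    # worm port on the destination side: what the ACL intends to stop
    if sport in ports:
        return "collateral"  # worm port only as the ephemeral source port: a legitimate session hit
    return "other"


def summarize(log_text):
    """Return {category: {"packets": total, "by_flow": Counter of (proto, dport)}}.

    For "collateral" hits the destination port is the real service being used
    (e.g. udp/53, udp/123), which is exactly what the deny rules would be breaking.
    """
    result = {c: {"packets": 0, "by_flow": Counter()} for c in ("targeted", "collateral", "other")}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an ACL hit line
        proto = m["proto"]
        sport, dport, count = int(m["sport"]), int(m["dport"]), int(m["count"])
        cat = classify(proto, sport, dport)
        result[cat]["packets"] += count
        result[cat]["by_flow"][(proto, dport)] += count
    return result


if __name__ == "__main__":
    for cat, data in summarize(SAMPLE_LOG).items():
        print(f"{cat}: {data['packets']} packets")
        for (proto, dport), n in data["by_flow"].most_common():
            print(f"  {proto}/{dport}: {n}")
```

Run against a real syslog export, the "collateral" section lists the services (by destination port) that the deny rules would silently take out; if that list is dominated by udp/53 and udp/123 it confirms John's DNS and NTP point, and the fix is to scope the rules to destination ports on the server side rather than "any any".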