TNT Users:

Apologies: I know I am posting to multiple lists, but multiple lists with Ascend users... none so far have posted and numerous are asking for it... Including myself! Hopefully recommendations will follow.

After several hours of trial and error, after I set up the recommended Cisco filters upstream from TNT equipment, I have been constantly watching log entries, to find people blasting away with ICMP / UDP Port 135 / TCP Port 137 the most. I have come up with a filter for the TNT:

new FILTER
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
write -f
;

This filter blocks UDP Port 135, TCP port 137, allows ICMP to X.X.X.X, drops all other ICMP, and then allows any other traffic out. Basically, X.X.X.X is a machine here we can use to have customers ping us / we ping them. This filter seems to work for 90% of people, but for unknown reasons, ICMP still seems to leak in. Any ideas?

I'm applying this filter to data under answer-defaults, session-info. I've set iproute-cache-enable = no, disabled proxy ARP... Everything.

Still we are dropping packets at peak times left, right and center for unknown reasons. show ip cache flow on upstream Cisco gear shows basically regular traffic.

Ideas/comments etc?

Sean
----- Original Message -----
From: "Dave Birkbeck" <dbirkbeck@ikano.com>
To: "'Tony Bunce'" <tonyb@go-concepts.com>; "'Sean Watkins (northrock)'" <sean@northrock.bm>; <radiator@open.com.au>
Sent: Monday, August 25, 2003 7:27 PM
Subject: RE: (RADIATOR) MAx TNT & MSBlast
All,
In addition to having the ACLs that Cisco recommends, has anyone come up with a Radius ascend-data-filter that will slow down the spread of these crazy viruses? Or better yet, a filter that will block ICMP.
Again, I know this is probably not the list for this discussion, but this topic is definitely for the greater good of the Internet.
That being said, does anyone know of a list that discusses various NAS topics?
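
An added example, not part of either message and not TNT code: a small Python model of the posted pre-nachi2 input filter that reports which of the five rules decides a packet. It assumes rules are tried in order with the first match deciding, unset fields match anything, forward defaults to no, and an unmatched packet is dropped; the address standing in for X.X.X.X and all sample packets are constructed.

```python
# Added example: a model of the pre-nachi2 input filter, not TNT firmware code.
# Assumed semantics: rules are tried in order, the first match decides,
# unset fields match anything, forward defaults to no, no match means drop.
import ipaddress

ALLOWED_HOST = "192.0.2.10"  # constructed stand-in for the X.X.X.X host in the post

# (protocol, dest-port, dest-address, forward); None = field not set in the rule
RULES = [
    (6, 135, None, False),          # input-filters 1
    (17, 137, None, False),         # input-filters 2
    (1, None, ALLOWED_HOST, True),  # input-filters 3 (mask 255.255.255.255)
    (1, None, None, False),         # input-filters 4
    (None, None, None, True),       # input-filters 5
]

def evaluate(proto, dst, dport=None, rules=RULES):
    """Return (rule_number, forwarded) for one packet; rule 0 means no rule matched."""
    dst = ipaddress.ip_address(dst)
    for n, (r_proto, r_port, r_dst, fwd) in enumerate(rules, start=1):
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        if r_dst is not None and ipaddress.ip_address(r_dst) != dst:
            continue
        return n, fwd
    return 0, False

# Constructed sample packets: (label, protocol, destination, destination port)
SAMPLES = [
    ("TCP/135", 6, "198.51.100.7", 135),
    ("UDP/137", 17, "198.51.100.7", 137),
    ("UDP/135", 17, "198.51.100.7", 135),
    ("TCP/137", 6, "198.51.100.7", 137),
    ("ICMP to allowed host", 1, ALLOWED_HOST, None),
    ("ICMP elsewhere", 1, "198.51.100.7", None),
    ("TCP/80", 6, "198.51.100.7", 80),
]

def report(samples=SAMPLES):
    """Map each sample label to the (rule, forwarded) decision."""
    return {label: evaluate(p, d, port) for label, p, d, port in samples}

if __name__ == "__main__":
    for label, (rule, fwd) in report().items():
        print(f"{label:22} rule {rule}  {'forward' if fwd else 'drop'}")
```

Under these assumptions, protocol 6 with port 135 matches TCP/135 and protocol 17 with port 137 matches UDP/137, while UDP/135 and TCP/137 fall through to rule 5 and are forwarded.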