( sfeher | 2010. 02. 21., Sun – 18:07 )

Here is the working config. A bit more help would still be welcome, though.
With ACL 130 I would like to control the traffic leaving the LAN.
Specifically, instead of letting everything out on any port, I would only let the standard ports through (80, 443, 20, 21, 110 etc.). This would mainly be effective against the worms picked up on the clients; unfortunately there have been several of those lately. I would also welcome comments on ACL 120.
Thanks in advance!


!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gw
!
boot-start-marker
boot-end-marker
!
logging buffered informational
enable secret 5 $1$.5LY$LOjrA5FvO.SX12cboXYL.0
!
no aaa new-model
no ip domain-lookup
ip subnet-zero
no ip source-route
ip name-server 195.xx.xx.xx
!
ip dhcp pool Home
network 192.168.0.0 255.255.255.0
default-router 192.168.0.251
netbios-node-type h-node
dns-server 82.144.160.116 82.144.160.179
lease infinite
!
no ip bootp server
ip cef
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 192.168.0.251 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip access-group 130 in
ip tcp adjust-mss 1412
no cdp enable
hold-queue 100 in
hold-queue 100 out
no shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
no shutdown
!
interface ATM0.1 point-to-point
description Layer2 connectivity
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 120 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1432
dialer pool 1
dialer-group 1
no keepalive
no cdp enable
ppp authentication chap pap callin
ppp chap hostname user@isp
ppp chap password user
!
ip nat inside source list 120 interface Dialer1 overload
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip access-list standard SNMP-ALLOWED
permit 192.168.0.10
deny any
!
logging 192.168.0.150
access-list 120 remark Allow public services
no access-list 120
access-list 120 permit tcp any eq 443 any
access-list 120 permit tcp any eq 1723 any
access-list 120 permit tcp any eq 2222 any
access-list 120 permit udp any eq 53 any
access-list 120 permit tcp any eq 80 any
access-list 120 permit tcp any eq 443 any
access-list 120 permit gre any any
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any source-quench
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any time-exceeded
access-list 120 deny icmp any any log
access-list 120 permit icmp any any
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip any 192.168.0.0 0.0.0.255
access-list 120 deny ip any any log

access-list 130 remark internal net rules
access-list 130 permit tcp host 192.168.0.9 any eq smtp
access-list 130 deny tcp 192.168.0.0 0.0.0.255 any eq smtp log
access-list 130 permit ip any any

dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO 99
snmp-server enable traps tty
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 2 0
password 7 03065A07070223495C
login
transport preferred telnet
!
scheduler max-task-time 5000
end
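An added example (not the poster's config) of how access-list 130 could be rewritten as an outbound allow-list for the ports named in the post, with a logged deny at the end so blocked worm traffic shows up on the syslog host. It assumes 192.168.0.10 is the management host that needs Telnet and SNMP to the router, and it keeps the PPTP, GRE and port 2222 services that access-list 120 already admits.

```cisco
! Added example, not the poster's config. Assumes 192.168.0.10 is the
! management host and 192.168.0.9 the only host allowed to send mail.
no access-list 130
access-list 130 remark internal net rules - outbound allow-list
! Clients talking to the router itself (DHCP, management from one host)
access-list 130 permit udp any eq bootpc any eq bootps
access-list 130 permit tcp host 192.168.0.10 host 192.168.0.251 eq telnet
access-list 130 permit udp host 192.168.0.10 host 192.168.0.251 eq snmp
! Mail only from the one permitted host; everything else trying SMTP is logged
access-list 130 permit tcp host 192.168.0.9 any eq smtp
access-list 130 deny tcp 192.168.0.0 0.0.0.255 any eq smtp log
! DNS to the resolvers handed out by the DHCP pool
access-list 130 permit udp 192.168.0.0 0.0.0.255 host 82.144.160.116 eq domain
access-list 130 permit udp 192.168.0.0 0.0.0.255 host 82.144.160.179 eq domain
! Standard client services (80, 443, 20, 21, 110)
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
! Services that access-list 120 already lets back in (PPTP, GRE, 2222)
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq 1723
access-list 130 permit gre 192.168.0.0 0.0.0.255 any
access-list 130 permit tcp 192.168.0.0 0.0.0.255 any eq 2222
! Outbound ping; replies come back through access-list 120
access-list 130 permit icmp 192.168.0.0 0.0.0.255 any echo
! Everything else from the LAN is dropped and logged (worm hits land here)
access-list 130 deny ip any any log
```

Passive-mode FTP data connections use random high server ports and will be dropped by this list unless the image supports CBAC (`ip inspect`) on the interface. `show access-lists 130` shows which lines are matching, and the final deny's log entries on 192.168.0.150 identify the infected clients.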