Security Basics mailing list archives
RE: deny access
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 30 Nov 2004 13:19:10 -0800
Well, as an alternative to "Block one IP AND block everything else", I think it's preferable.... He didn't ask how to secure his network, he asked how to block that one IP.

David Gillett

-----Original Message-----
From: James McGee [mailto:james () infosec co im]
Sent: Tuesday, November 30, 2004 12:56 PM
To: gillettdavid () fhda edu; 'Carlos Garcia'; 'Agarwal, Ankur'; security-basics () securityfocus com
Subject: RE: deny access

Errr.. I think you've just told him to block one IP but allow everyone else..... Not wise in my opinion....

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: 29 November 2004 18:21
To: 'Carlos Garcia'; 'Agarwal, Ankur'; security-basics () securityfocus com
Subject: RE: deny access

    access-list 101 deny ip host 216.212.33.185 any
    access-list 101 deny ip 216.212.33.185 255.255.255.255 any

First of all, these two forms are exactly the same rule; "host x.x.x.x" is the same as "x.x.x.x 255.255.255.255" in an access list.

Secondly, though, every access list has an implicit "deny ip any any" tacked onto the end, so if that line is your whole access list then it will block ALL traffic. You need a second line

    access-list 101 permit ip any any

to allow all traffic not blocked by the first line to flow.

Thirdly, I'm guessing that this hasn't yet blocked any traffic, because although you've defined an access list, you haven't yet attached it to a port and direction. You need to add

    ip access-group 101 in

to the configuration of your WAN/Internet interface.

David Gillett

-----Original Message-----
From: Carlos Garcia [mailto:carlosg () cabonet net mx]
Sent: Thursday, November 25, 2004 6:41 PM
To: Agarwal, Ankur; security-basics () securityfocus com
Subject: Re: deny access

ok i just write

    access-list 101 deny ip host 216.212.33.185 any

is this ok? i put too

    access-list 101 deny ip 216.212.33.185 255.255.255.255 any

... and can somebody tell me how to improve this, i run some servers and i want to protect them: mail, web, dns, proxies. where can i find a list so that it helps me how to configure the router to support QoS, i need it for VoIP service???

thanks for all the help

Atte.
Carlos A. Garcia G.
Cabonet Staff
Tel (624) 14 30120

----- Original Message -----
From: "Agarwal, Ankur" <Ankur.Agarwal () colt-telecom com>
To: "'Carlos Garcia'" <carlosg () cabonet net mx>; <security-basics () securityfocus com>
Sent: Thursday, November 25, 2004 7:17 PM
Subject: RE: deny access

Hi

Simply create a deny access list to block this IP.

    Access-list 101 deny ip source ip destination ip

Thanks & Regards,
___________________________________________________
Ankur Agarwal
One Dial : 8-911-7428
Tel : +91 124 5157000 (Ext. 2272)
*Cell : +91 9810702016
COLT India
ankur.agarwal () colt-telecom com
___________________________________________________

-----Original Message-----
From: Carlos Garcia [mailto:carlosg () cabonet net mx]
Sent: 25 November 2004 04:58
To: security-basics () securityfocus com
Subject: deny access

newbie question

how can i block this ip 216.212.33.185, i have a cisco 7200. this ip is trying to send mail with my server, i did not configure the router so i don't know how to do this. any help?

Atte.
Carlos A. Garcia G.
Cabonet Staff
Tel (624) 14 30120
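The three points made in the thread above (the implicit deny at the end of every access list, the trailing permit line, and attaching the list to an interface), modelled as an added example that is not part of the original thread. This is a simplified Python sketch of first-match evaluation, not Cisco IOS; the second address 192.0.2.10 and all function names are constructed for illustration, and the last case goes one step beyond the thread to show that entry order matters.

```python
import ipaddress

# Constructed model of a numbered ACL: ordered (action, source) entries,
# where source is "any" or a single host address (the "host x.x.x.x" form).
BLOCKED = "216.212.33.185"   # address named in the thread
OTHER = "192.0.2.10"         # constructed sample address (documentation range)

def evaluate(acl, src):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = ipaddress.ip_address(src)
    for action, source in acl:
        if source == "any" or ipaddress.ip_address(source) == src:
            return action
    return "deny"            # the implicit "deny ip any any" at the end

def interface_verdict(acl, attached, src):
    """An access list that is defined but not applied to an interface filters nothing."""
    if not attached:
        return "permit"
    return evaluate(acl, src)

DENY_ONLY = [("deny", BLOCKED)]
DENY_THEN_PERMIT = [("deny", BLOCKED), ("permit", "any")]
PERMIT_FIRST = [("permit", "any"), ("deny", BLOCKED)]   # wrong order

def summary():
    """Return {case: (verdict for BLOCKED, verdict for OTHER)}."""
    cases = {
        "deny only, not attached": (DENY_ONLY, False),
        "deny only, attached": (DENY_ONLY, True),
        "deny + permit any, attached": (DENY_THEN_PERMIT, True),
        "permit any first, attached": (PERMIT_FIRST, True),
    }
    return {
        name: (interface_verdict(acl, attached, BLOCKED),
               interface_verdict(acl, attached, OTHER))
        for name, (acl, attached) in cases.items()
    }

if __name__ == "__main__":
    for name, (blocked, other) in summary().items():
        print(f"{name:30} {BLOCKED}: {blocked:6}  {OTHER}: {other}")
```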