Re: deny access

From: GuidoZ (uberguidoz_at_gmail.com)
Date: 12/06/04

  • Next message: Michael Puchol: "Re: vnc through ssh for windows"
    Date: Mon, 6 Dec 2004 14:20:09 -0500
    To: "Paris E. Stone" <pstone@alhurra.com>
    
    

    This was well written....

    > And, technically speaking,
    >
    > "access-list 101 deny ip source ip destination ip"
    >
    > is the correct syntax, but the information he didn't get was:
    >
    > There is an implicit "deny any any" in all Cisco ACLs, which means a 1
    > line ACL to block one host would effectively block all hosts.
    > &
    > ACL built, but it still needs to be bound
    >
    > From interface config mode,
    >
    > "ip access-group 101 in interface "
    >
    > is the second part of the equation.
    > &
    > If there are no ACLs now, make it a two liner, the deny line, and:
    > access-list 101 permit ip any any

    Again, well said. This was the point I was trying to make by saying
    "Don't just give the answer because it could lead to trouble later".
    Carlos needs to LEARN more about his device BEFORE trying to secure it
    and make changes. Otherwise he'll just be more lost and possibly
    create more problems.

    I would be the first one to lend a hand (and have done so off-list),
    however you (as in everyone) need to use judgement when dealing with
    such things. Factor in all values before coming to a solution. Again, I
    have explained how and why I said and did what I did.

    --
    Peace. ~G
    On Tue, 30 Nov 2004 19:51:46 -0500, Paris E. Stone <pstone@alhurra.com> wrote:
    > ~Begin Chastise~
    > He posted to the SECURITY-BASICS mailing list.
    > That would pretty much "determine the correct level of help" in my mind.
    > ~End Chastise~
    > ~
    > ~Begin pathetic attempt at help~
    > 
    > And, technically speaking,
    > 
    > "access-list 101 deny ip source ip destination ip"
    > 
    > is the correct syntax, but the information he didn't get was:
    > 
    > There is an implicit "deny any any" in all Cisco ACLs, which means a 1
    > line ACL to block one host would effectively block all hosts.
    > &
    > ACL built, but it still needs to be bound
    > 
    > From interface config mode,
    > 
    > "ip access-group 101 in interface "
    > 
    > is the second part of the equation.
    > &
    > If there are no ACLs now, make it a two liner, the deny line, and:
    > access-list 101 permit ip any any
    > 
    > ~End pathetic attempt at help~
    > 
    > My .02
    > 
    > 
    > 
    > -----Original Message-----
    > From: richardw [mailto:richardw@area52.allserve.net]
    > Sent: Monday, November 29, 2004 11:11 PM
    > To: GuidoZ
    > Cc: Carlos Garcia; Agarwal, Ankur; security-basics@securityfocus.com
    > Subject: Re: deny access
    > 
    > Everyone, I want to take this opportunity to apologize for Guido.
    > Carlos, if you still need help, email me off the list, and we'll help
    > get squared away.
    > 
    > Saludos,
    > 
    > Richard
    > 
    > GuidoZ wrote:
    > > This is why I said it was better for him to find the answers on his
    > > own, and not just tell him the ACL format. Otherwise it's very likely
    > > that something will get messed up and he won't be able to fix it, or
    > > ask questions online. ;)
    > >
    > > Think about things before you act everyone. There is certainly nothing
    > > wrong with helping out someone in need, although, you must determine
    > > the correct level of help.
    > >
    > > --
    > > Peace. ~G
    > >
    > >
    > > On Thu, 25 Nov 2004 19:40:40 -0700, Carlos Garcia
    > > <carlosg@cabonet.net.mx> wrote:
    > >
    > >>ok i just write
    > >>access-list 101 deny ip host 216.212.33.185 any is this ok?
    > >>i put too
    > >>access-list 101 deny ip 216.212.33.185 255.255.255.255 any...
    > >>and can somebody tell me how to improve this, i run some servers and i want
    > >>to protect them
    > >>mail, web, dns, proxy's where can i find a list so that it helps me how to
    > >>configure the router to support QoS i need it for VoIP service??? thanks for
    > >>all the help
    > >>
    > >>Atte.
    > >>Carlos A. Garcia G.
    > >>Cabonet Staff
    > >>Tel (624) 14 30120
    > >>
    > >>
    > >>----- Original Message -----
    > >>From: "Agarwal, Ankur" <Ankur.Agarwal@colt-telecom.com>
    > >>To: "'Carlos Garcia'" <carlosg@cabonet.net.mx>;
    > >><security-basics@securityfocus.com>
    > >>Sent: Thursday, November 25, 2004 7:17 PM
    > >>Subject: RE: deny access
    > >>
    > >>
    > >>>HI
    > >>>Simply create an deny access list to block this IP.
    > >>>
    > >>>Access-list 101 deny ip source ip destination ip
    > >>>
    > >>>
    > >>>
    > >>>Thanks & Regards,
    > >>>
    > >>>___________________________________________________
    > >>>Ankur Agarwal
    > >>>
    > >>>
    > >>>
    > >>>One Dial : 8-911-7428
    > >>>Tel : +91 124 5157000 (Ext. 2272)
    > >>>*Cell : +91 9810702016
    > >>>
    > >>>
    > >>>
    > >>>COLT India
    > >>>ankur.agarwal@colt-telecom.com
    > >>>
    > >>>___________________________________________________
    > >>
    > >>
    > >>>
    > >>>
    > >>>-----Original Message-----
    > >>>From: Carlos Garcia [mailto:carlosg@cabonet.net.mx]
    > >>>Sent: 25 November 2004 04:58
    > >>>To: security-basics@securityfocus.com
    > >>>Subject: deny access
    > >>>
    > >>>
    > >>>newbie question how can i block this ip 216.212.33.185 i have a cisco 7200
    > >>>this ip is trying to send mail with my server, i did not configure the
    > >>>router so i dont know how to do this any help?
    > >>>
    > >>>
    > >>>Atte.
    > >>>Carlos A. Garcia G.
    > >>>Cabonet Staff
    > >>>Tel (624) 14 30120
    > >>>
    > >>>
    > >>>
    > >>>*************************************************************************************
    > >>>The message is intended for the named addressee only and may not be
    > >>>disclosed to or used by anyone else, nor may it be copied in any way.
    > >>>
    > >>>The contents of this message and its attachments are confidential and may
    > >>>also be subject to legal privilege.  If you are not the named addressee
    > >>>and/or have received this message in error, please advise us by e-mailing
    > >>>security@colt.net and delete the message and any attachments without
    > >>>retaining any copies.
    > >>>
    > >>>Internet communications are not secure and COLT does not accept
    > >>>responsibility for this message, its contents nor responsibility for any
    > >>>viruses.
    > >>>
    > >>>No contracts can be created or varied on behalf of COLT
    > >>>Telecommunications, its subsidiaries or affiliates ("COLT") and any other
    > >>>party by email Communications unless expressly agreed in writing with such
    > >>>other party.
    > >>>
    > >>>Please note that incoming emails will be automatically scanned to
    > >>>eliminate potential viruses and unsolicited promotional emails. For more
    > >>>information refer to www.colt.net or contact us on +44(0)20 7390 3900.
    > >>>
    > >>>
    > >>
    > >>
    > 
    > --
    > ------------------------------------------------------------------------
    >    ____/\___  |                                     | "If you can't beat
    >    ___/__\__) |              richardw               | them, then they're
    >   (__/    \__ | mailto:richardw!area52.allserve.net | not tied down good
    >     /      \  |                                     | enough..."
    > ------------------------------------------------------------------------
    > 
    >
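    The thread's practical advice is that a lone deny entry is evaluated against an implicit deny at the end of the ACL, so it must be followed by "permit ip any any" and then bound to the interface with "ip access-group 101 in". A second point the thread does not spell out: the mask after an address in an IOS access-list entry is a wildcard mask, not a subnet mask, so Carlos's second attempt, "216.212.33.185 255.255.255.255", matches every source address, while "host 216.212.33.185" (wildcard 0.0.0.0) matches only that one. The evaluator below is an added example, not code from this thread or from Cisco; it parses IOS-style "ip" entries and applies first-match-wins with the trailing implicit deny, then runs the one-line, two-line and wildcard-mistake forms against a constructed packet. The interface name FastEthernet0/0, the mail server address 10.0.0.25 and the legitimate client 198.51.100.7 are constructed for illustration.

```python
"""IOS-style extended ACL evaluator.

Added example; not code from the thread or from Cisco. It models:
  * top-down evaluation, first matching entry wins;
  * the implicit deny that ends every IOS ACL, so a one-entry "deny" ACL
    drops all traffic, not just the one host;
  * wildcard-mask semantics (a 1 bit means "don't care"), so
    "216.212.33.185 255.255.255.255" matches every source address and
    "host 216.212.33.185" (wildcard 0.0.0.0) matches only that address.
Only "ip" permit/deny entries are modelled; protocol and port matching
is out of scope.
"""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse an address spec at tokens[i]; return (addr, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(config_text):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}.

    Lines that are not access-list entries (interface stanzas, the
    ip access-group binding) are skipped, so a config fragment can be fed in.
    """
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0].lower() != "access-list":
            continue
        number, action, proto = tok[1], tok[2].lower(), tok[3].lower()
        if proto != "ip" or action not in ("permit", "deny"):
            raise ValueError("entry not modelled here: " + line)
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, _ = _parse_addr(tok, i)
        acls.setdefault(number, []).append((action, src, src_wc, dst, dst_wc))
    return acls


def _matches(addr, ref, wildcard):
    # Wildcard bit 1 = don't care; bit 0 = that bit of addr must equal ref.
    return (addr & ~wildcard) & 0xFFFFFFFF == (ref & ~wildcard) & 0xFFFFFFFF


def evaluate(entries, src, dst):
    """Verdict ("permit"/"deny") for one src->dst IP packet against one ACL."""
    s, d = _ip(src), _ip(dst)
    for action, rs, rwc, rd, dwc in entries:
        if _matches(s, rs, rwc) and _matches(d, rd, dwc):
            return action
    return "deny"  # the implicit deny that ends every IOS ACL


# Constructed config fragments; interface name is hypothetical.
ONE_LINER = """
access-list 101 deny ip host 216.212.33.185 any
interface FastEthernet0/0
 ip access-group 101 in
"""
TWO_LINER = """
access-list 101 deny ip host 216.212.33.185 any
access-list 101 permit ip any any
interface FastEthernet0/0
 ip access-group 101 in
"""
WILDCARD_MISTAKE = """
access-list 101 deny ip 216.212.33.185 255.255.255.255 any
access-list 101 permit ip any any
"""

BLOCKED_HOST = "216.212.33.185"
OTHER_HOST = "198.51.100.7"   # constructed: a legitimate remote client
MAIL_SERVER = "10.0.0.25"     # constructed: the mail server behind the router


def verdicts(config_text, acl="101"):
    """Verdicts for the blocked host and an unrelated host under one config."""
    entries = parse_acl(config_text)[acl]
    return {
        "blocked_host": evaluate(entries, BLOCKED_HOST, MAIL_SERVER),
        "other_host": evaluate(entries, OTHER_HOST, MAIL_SERVER),
    }


if __name__ == "__main__":
    for name, cfg in [("one-liner", ONE_LINER), ("two-liner", TWO_LINER),
                      ("255.255.255.255 wildcard", WILDCARD_MISTAKE)]:
        print(f"{name:>26}: {verdicts(cfg)}")
```

    Running it shows the one-liner returning deny for the unrelated client as well as for 216.212.33.185, which is exactly the outage the thread warns about when a lone deny entry is bound to the interface; the two-liner denies only the one host. The 255.255.255.255 form also returns deny for every source, which is why the "host" keyword (or a 0.0.0.0 wildcard) is the one to use when the intent is a single address.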
    
