Here is my Cisco access list, which is configured to prevent outside access:
-----------------------------
Screening Router Access List:
-----------------------------


Note: All real IP addresses have been changed to the reserved 169.254.92.0 network.


! Beginning of access-list 101
!
! Deny rfc 1918 addresses:
!
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
!
! Deny packets with loopback, broadcast and multicast source addresses.
! (Wildcard 15.255.255.255 covers all of 224.0.0.0/4; a wildcard of
! 7.255.255.255 would stop at 231.255.255.255 and miss 232-239.)
!
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
!
! Deny packets with an all-zeros source address.
!
access-list 101 deny   ip host 0.0.0.0 any log
!
! Prevent spoofing. Deny incoming packets that claim our internal
! network as their source address:
!
access-list 101 deny   ip 169.254.92.0 0.0.0.255 any log
!
! More spoofing prevention. Deny packets that claim the IP address
! of the router's own external interface as their source:
!
access-list 101 deny   ip host 169.254.8.78 any log
!
! If you run any listeners such as NFS or X Windows, deny those ports
! here, ahead of the "established" rule below, so that probes with the
! ACK bit set cannot reach them either. Examples (commented out):
!
! access-list 101 deny tcp any any eq 2000 log
! access-list 101 deny tcp any any eq 2001 log
! access-list 101 deny tcp any any eq 6000 log
! access-list 101 deny tcp any any eq 6001 log
!
! Allow TCP packets to high ports only when the ACK or RST bit is set
! (replies to connections our hosts opened). Note that "established"
! checks TCP flags only; the router keeps no connection state:
!
access-list 101 permit tcp any 169.254.92.0 0.0.0.255 gt 1023 established
!
! Allow only specific ICMP. IOS treats "!" as a comment only at the
! start of a line, so the type names are kept in comment lines here:
! 3/0 net-unreachable, 3/1 host-unreachable, 3/3 port-unreachable,
! 3/4 packet-too-big (needed for path MTU discovery),
! 3/13 administratively-prohibited, 4 source-quench, 11/0 ttl-exceeded.
! http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
! http://www.worldgate.com/~marcs/mtu/
!
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 0
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 1
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 3
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 4
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 13
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 4
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 11 0
!
! Allow SMTP traffic to the mail servers only:
!
access-list 101 permit tcp any host 169.254.92.15 eq smtp
access-list 101 permit tcp any host 169.254.92.108 eq smtp
!
! Allow incoming DNS traffic to the name servers only:
! Note: TCP DNS (zone transfers and large answers) is best permitted
! only from the specific hosts that need it, such as secondary name servers.
!
access-list 101 permit tcp any host 169.254.92.15 eq domain log
access-list 101 permit tcp any host 169.254.92.13 eq domain log
access-list 101 permit udp any host 169.254.92.15 eq domain
access-list 101 permit udp any host 169.254.92.13 eq domain
!
! Allow NTP to the time server (only from peers that also source port 123):
! See: http://www.eecis.udel.edu/~ntp/
!
access-list 101 permit udp any eq 123 host 169.254.92.38 eq 123
!
! Allow incoming news traffic to the NNTP server only:
!
access-list 101 permit tcp any host 169.254.92.103 eq nntp
!
! For active-mode FTP clients: the server opens the data connection
! from port 20 to a high port on the client, so this permits any
! outside host that sets source port 20 to reach any high port on
! our network. Not very secure. The alternative is to remove this
! line and force clients into passive mode.
!
access-list 101 permit tcp any eq 20 169.254.92.0 0.0.0.255 gt 1023
!
! We deny ident. We're not sure if it's secure. The entry is here
! to keep the log files from filling up:
!
access-list 101 deny   tcp any any eq 113
!
! Log everything that does not match the rules above:
!
access-list 101 deny   ip any any log
!
! End of access-list 101


! Add this to the external interface of the screening router
! (interface configuration mode):
!
no ip directed-broadcast
no ip proxy-arp
! Don't send ICMP unreachables for packets denied by the access list.
no ip unreachables
ntp disable
!
! Apply access list to external interface:
!
ip access-group 101 in
!
! Use this command if you want to see denied hosts while
! logged into the router; view them with:
! "show ip accounting access-violations"
!
! ip accounting access-violations

----------------
Outbound filter:
----------------

! Beginning of access-list 102
!
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
!
! Don't allow internal hosts to send ICMP. Note that this also blocks
! ping and traceroute from inside, and any 3/4 (packet-too-big) messages
! internal hosts generate; ICMP generated by the router itself is not
! subject to an outbound list.
!
access-list 102 deny   icmp any any log
!
! Only allow packets from our network.
!
access-list 102 permit ip 169.254.92.0 0.0.0.255 any
!
! Log everything else:
!
access-list 102 deny   ip any any log
!
! End of access-list 102
!
! Apply access list 102 to outbound external interface
! or inbound on internal interface.
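Both lists above are first-match filters, and it is easy to get a wildcard mask or the rule order wrong without noticing. The following is an added example, not part of the original page: a small Python model of extended-ACL evaluation (wildcard matching, first match wins, implicit deny, the flag-only "established" check, ICMP type/code) that parses condensed copies of lists 101 and 102 and runs constructed packets through them. The Packet model, the service-name table and the probe addresses (203.0.113.0/24 is a documentation prefix) are assumptions for the example, and the model ignores IP fragment handling; the multicast entry is written with wildcard 15.255.255.255 so that it spans all of 224.0.0.0/4.

```python
import ipaddress
from dataclasses import dataclass

SERVICES = {"smtp": 25, "domain": 53, "nntp": 119}   # names IOS expands in the page's lists

@dataclass
class Packet:
    """Constructed packet model: only the header fields an extended ACL inspects."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set -> what "established" tests
    icmp_type: int = -1
    icmp_code: int = -1

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w & 0xFFFFFFFF == b & ~w & 0xFFFFFFFF

def wildcard_range(base, wildcard):
    """First and last address a base/wildcard pair covers; a sanity check for hand-written masks."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    return str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF)), str(ipaddress.IPv4Address(b | w))

def _addr(t, i):
    # Consume one address spec at t[i]: 'any', 'host A' or 'A WILDCARD'.
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t, i):
    """Consume an optional 'eq N' / 'gt N' at t[i]; return a predicate on a port number."""
    if i < len(t) and t[i] in ("eq", "gt"):
        n = SERVICES.get(t[i + 1]) or int(t[i + 1])
        return ((lambda p: p == n) if t[i] == "eq" else (lambda p: p > n)), i + 2
    return (lambda p: True), i

def parse_rule(line):
    """access-list N permit|deny PROTO SRC [eq|gt P] DST [eq|gt P] [TYPE [CODE]] [established] [log]"""
    t = line.split()
    r = {"action": t[2], "proto": t[3], "icmp": None}
    r["src"], i = _addr(t, 4)
    r["sport"], i = _port(t, i)
    r["dst"], i = _addr(t, i)
    r["dport"], i = _port(t, i)
    if r["proto"] == "icmp" and i < len(t) and t[i].isdigit():   # ICMP type, then optional code
        nums = [int(x) for x in t[i:i + 2] if x.isdigit()]
        r["icmp"], i = (nums[0], nums[1] if len(nums) > 1 else None), i + len(nums)
    r["established"], r["log"] = "established" in t[i:], "log" in t[i:]
    return r

def rule_matches(r, p):
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if not (wildcard_match(p.src, *r["src"]) and wildcard_match(p.dst, *r["dst"])):
        return False
    if p.proto in ("tcp", "udp") and not (r["sport"](p.sport) and r["dport"](p.dport)):
        return False
    if r["established"] and not p.ack:        # a flag check only; the router keeps no state
        return False
    if r["icmp"] and (p.icmp_type != r["icmp"][0] or r["icmp"][1] not in (None, p.icmp_code)):
        return False
    return True

def evaluate(acl, p):
    """First matching entry wins; an IOS ACL ends with an implicit, unlogged deny."""
    for r in acl:
        if rule_matches(r, p):
            return r["action"], r["log"]
    return "deny", False

# Condensed copies of the page's two lists, constructed for this example.
ACL_101 = [parse_rule(l) for l in """
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny   ip 169.254.92.0 0.0.0.255 any log
access-list 101 permit tcp any 169.254.92.0 0.0.0.255 gt 1023 established
access-list 101 permit icmp any 169.254.92.0 0.0.0.255 3 4
access-list 101 permit tcp any host 169.254.92.15 eq smtp
access-list 101 permit tcp any eq 20 169.254.92.0 0.0.0.255 gt 1023
access-list 101 deny   tcp any any eq 113
access-list 101 deny   ip any any log
""".strip().splitlines()]
ACL_102 = [parse_rule(l) for l in """
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny   icmp any any log
access-list 102 permit ip 169.254.92.0 0.0.0.255 any
access-list 102 deny   ip any any log
""".strip().splitlines()]

if __name__ == "__main__":   # constructed probes; 203.0.113.0/24 is a documentation prefix
    syn_from_port_20 = Packet("tcp", "203.0.113.7", "169.254.92.50", 20, 6000)
    print("FTP-data rule lets a SYN from port 20 in:", evaluate(ACL_101, syn_from_port_20))
    print("224.0.0.0 7.255.255.255 covers only", wildcard_range("224.0.0.0", "7.255.255.255"))
```

Two things worth trying with it: a spoofed 10/8 source aimed at the mail server is denied and logged by the anti-spoofing entry before the SMTP permit is ever consulted, and a bare SYN from source port 20 to any high port is permitted by the FTP-data entry even though the "established" entry would have rejected it, which is exactly why the page calls that rule not very secure.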

----------------------------------
Additional items to add to config:
----------------------------------

!
! Miscellaneous:
!
service password-encryption
service linenumber
no cdp run
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
no ip bootp server
no ip http server
no ntp master
! Disable DNS lookups if you don't have a name server.
no ip domain-lookup
! Save CPU cycles; keep messages in the log buffer (and on syslog, below).
no logging console
logging buffered
!
! Cisco NTP information:
! http://www.cisco.com/univercd/cc/td/doc/product/software/ios11/sbook/ssysmgmt.htm
! http://www.cisco.com/warp/customer/105/30.html
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! PST is my timezone and PDT its summer-time name. e0 is my inside
! interface and 169.254.92.38 is my Linux time server.
clock timezone PST -8
clock summer-time PDT recurring
ntp source e0
ntp update-calendar
ntp server 169.254.92.38
!
! VERY VERY IMPORTANT! Log everything to syslog!
!
logging 169.254.92.83
!
! Performance-related:
!
! IOS 11+
!
ip tcp path-mtu-discovery
!
! IOS 11.3+
!
ip tcp selective-ack

-----
SNMP:
-----

! Secure SNMP with a community name other than public or private
! ("secret" below is a placeholder) and restrict it with access-list 21.
! SNMPv1/v2c community strings travel in the clear, so the access list
! is what actually limits who can query the router.
!
snmp-server community secret RO 21
snmp-server trap-authentication
!
! Log router events to snmp trap host:
!
snmp-server enable traps config
snmp-server enable traps frame-relay
snmp-server host 169.254.92.83 secret
!
access-list 21 permit 169.254.92.83


---------------------------------
Secure vty (Telnet) and aux port:
---------------------------------

line aux 0
access-class 2 in
transport input all
line vty 0 4
access-class 1 in
! Type 7 is reversible obfuscation, not encryption; treat the
! configuration file as sensitive.
password 7 xxxxxxxxxxxxx
login

!
! Add access-lists:
!
! Allow only specific hosts to telnet into router:
!
access-list 1 permit 169.254.92.39
!
! Block all access to the aux port (equivalent to "deny any").
!
access-list 2 deny 0.0.0.0 255.255.255.255

------------------------------------
Mail report of router log to myself:
------------------------------------

Add a UNIX cron job (replace routername with the router's syslog hostname;
"sort -k15,15" is the POSIX form of the old "sort +14 -15", sorting on the
15th field):
grep 'routername' /var/log/messages | sort -k15,15 | mail -s "Router Access List Log" me@mydomain.com
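A grep/sort pipeline mails raw lines; what you usually want from the "log" keyword is a count of denied packets per source with the spoofed ones flagged. The following is an added example, not part of the original page: a Python script that parses the %SEC-6-IPACCESSLOG* messages IOS emits for logged entries (the port-carrying IPACCESSLOGP form, the ICMP type/code IPACCESSLOGDP form and the port-less IPACCESSLOGNP form), totals denied packets by source, and marks sources from RFC 1918 space or from the page's own 169.254.92.0/24, which should never arrive on the outside interface. The sample log is constructed in the shape of IOS syslog output, not a real capture; the hostname "gw", the sequence numbers and the outside addresses are made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Shape of the messages that "log" on an access-list entry produces: IPACCESSLOGP
# carries ports, IPACCESSLOGDP carries an ICMP type/code, IPACCESSLOGNP neither.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Sources that must never appear on the outside interface: RFC 1918 plus our own network.
SPOOF_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.92.0/24")]

def parse_line(line):
    """Return the fields of one ACL log message, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    if d["itype"] is not None:
        d["target"] = f"icmp {d['itype']}/{d['icode']}"
    elif d["dport"] is not None:
        d["target"] = f"{d['proto']}/{d['dport']}"
    else:
        d["target"] = f"proto {d['proto']}"
    return d

def summarize(text):
    """Aggregate denied packets per source; returns (src, packets, targets) sorted by volume."""
    denied, targets = defaultdict(int), defaultdict(set)
    for line in text.splitlines():
        d = parse_line(line)
        if d and d["action"] == "denied":
            denied[d["src"]] += d["count"]
            targets[d["src"]].add(d["target"])
    rows = sorted(denied.items(), key=lambda kv: (-kv[1], ip_address(kv[0])))
    return [(src, n, sorted(targets[src])) for src, n in rows]

def is_spoofed(src):
    return any(ip_address(src) in net for net in SPOOF_NETS)

def report(text, top=10):
    """Build the mail body: the busiest denied sources, spoofed ones flagged."""
    lines = ["Router access-list report", ""]
    for src, n, tgts in summarize(text)[:top]:
        flag = "  SPOOFED SOURCE" if is_spoofed(src) else ""
        lines.append(f"{src:>15}  {n:5d} pkts  {', '.join(tgts)}{flag}")
    return "\n".join(lines)

# Constructed sample in the shape of IOS syslog output (not a real capture).
SAMPLE_LOG = """\
Dec 30 00:09:51 gw 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(1234) -> 169.254.92.15(25), 1 packet
Dec 30 00:09:55 gw 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40001) -> 169.254.92.50(23), 1 packet
Dec 30 00:10:02 gw 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(40002) -> 169.254.92.51(23), 4 packets
Dec 30 00:10:04 gw 104: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 169.254.92.50 (8/0), 3 packets
Dec 30 00:10:10 gw 105: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.4(51000) -> 169.254.92.15(53), 1 packet
Dec 30 00:10:11 gw 106: %SEC-6-IPACCESSLOGNP: list 101 denied 47 198.51.100.77 -> 169.254.92.60, 1 packet
Dec 30 00:10:12 gw 107: %SYS-5-CONFIG_I: Configured from console by vty0 (169.254.92.39)
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

To use it in place of the pipeline, read /var/log/messages instead of SAMPLE_LOG and pipe the output of report() to mail. Permitted entries (the logged TCP DNS rule) are parsed but left out of the totals, and the log messages themselves are rate-limited by the router, so the packet counts are a lower bound, not an exact tally.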


----------
Reference:
----------

Cisco Security Overview:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scoverv.htm

Information from CERT:

http://www.cert.org/ftp/tech_tips/packet_filtering





Frank Keeney, frank@pasadena.net


12.30.1998 12:10:04 AM
