(RADIATOR) MAx TNT Filter -- Actual FILTER

Tue Aug 26 03:58:10 CDT 2003

All,

For those of you that rely on upsteam providers that have not put any
filters in place. I've come up with an Ascend-Data-Filter that seems to
work. I haven't had a chance to test is in full production, but it works
on all of my Ascend gear, so please test it before you use it.

It drops all icmp traffic into the NAS and out to the Internet. This
obviously causes some problems, but joeuser shouldn't know the
difference.

Does anyone have any comments?

Ascend-Data-Filter="ip in forward tcp est",
Ascend-Data-Filter="ip in forward dstip X.X.X.0/24",
Ascend-Data-Filter="ip in drop tcp dstport=25",
Ascend-Data-Filter="ip in drop tcp srcport = 135",
Ascend-Data-Filter="ip in drop tcp srcport=80",
Ascend-Data-Filter="ip in drop icmp",
Ascend-Data-Filter="ip in forward",
Ascend-Data-Filter="ip out drop tcp dstport = 135",
Ascend-Data-Filter="ip out drop icmp",
Ascend-Data-Filter="ip out forward"

Thanks,

Dave

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Sean Watkins
Sent: Monday, August 25, 2003 9:23 PM
To: nanog at merit.edu
Cc: radiator at open.com.au
Subject: (RADIATOR) MAx TNT Filter -- Actual FILTER 

TNT Users:

Apologize: I know I am  posting to multiple lists, but multiple lists 
with Ascend users.. none so far have posted and numerous are asking for 
it...  Including myself! Hopefully recommendations will follow

After several hours of trial and error - after  I setup the recommended 
Cisco filters upstream from TNT equipment.

I have been constantly watching log entries, to find people blasting 
away with ICMP/UDP Port 135/ TCP Port 137 the most.

I have come up a filter, for the TNT:

new FILTER
set filter-name = pre-nachi2
set input-filters 1 valid-entry = yes
set input-filters 1 Type = ip-filter
set input-filters 1 ip-filter protocol = 6
set input-filters 1 ip-filter Dst-Port-Cmp = eql
set input-filters 1 ip-filter dest-port = 135
set input-filters 2 valid-entry = yes
set input-filters 2 Type = ip-filter
set input-filters 2 ip-filter protocol = 17
set input-filters 2 ip-filter Dst-Port-Cmp = eql
set input-filters 2 ip-filter dest-port = 137
set input-filters 3 valid-entry = yes
set input-filters 3 forward = yes
set input-filters 3 Type = ip-filter
set input-filters 3 ip-filter protocol = 1
set input-filters 3 ip-filter dest-address-mask = 255.255.255.255
set input-filters 3 ip-filter dest-address = X.X.X.X
set input-filters 4 valid-entry = yes
set input-filters 4 Type = ip-filter
set input-filters 4 ip-filter protocol = 1
set input-filters 5 valid-entry = yes
set input-filters 5 forward = yes
set input-filters 5 Type = ip-filter
write -f
;

This filter blocks UDP Port 135, tcp port 137, allows ICMP to X.X.X.X, 
drops all other ICMP, and then allows any other traffic out.

Basically, X.X.X.X is a machine here we can use to have customers ping 
us/ we ping them. This filter seems to work for 90% of people, but for 
unknown reasons, ICMP still seems to leak in. Any ideas?

I'm applying this filter to data under answer-defaults, session-info.

I've set iproute-cache-enable = no,

Disabled proxy arp... Everything. Still we are dropping packets at peak 
times left right and center for unknown reasons. show ip cache flow on 
upstream Cisco gear shows basically regular traffic.

Ideas/comments etc?

Sean

>
>
> ----- Original Message -----
> From: "Dave Birkbeck" <dbirkbeck at ikano.com>
> To: "'Tony Bunce'" <tonyb at go-concepts.com>; "'Sean Watkins 
> (northrock)'"
> <sean at northrock.bm>; <radiator at open.com.au>
> Sent: Monday, August 25, 2003 7:27 PM
> Subject: RE: (RADIATOR) MAx TNT & MSBlast
>
>
>> All,
>>
>> In addition to having the ACL's that Cisco recommends. Has anyone
come
>> up with a Radius ascend-data-filter that will slow down the spread of
>> these crazy viruses? Or better yet, a filter that will block ICMP.
>>
>> Again, I know this is probably not the list for this discussion, but
>> this topic is definitely for the greater good of the Internet.
>>
>> That being said does anyone know of a list that discusses various NAS
>> topics?

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.