Weird entry in log on 871w
phantasm
Member Posts: 995
in CCNA & CCENT
*Mar 15 00:07:56.574: %SEC-6-IPACCESSLOGDP: list FW_In denied icmp 0.0.0.0 -> x.x.x.x (3/0), 1 packet
I x'd out my IP, but I just saw that in the log file. Now I'm a bit paranoid anyway because I removed CBAC off my WAN interface due to the fact that it choked my connection down to 500k from 7MB. So right now I'm running an ACL to filter incoming traffic. I'm not happy, but I can't get that dang established keyword to work.
This is what I have....
ip access-list extended FW_In
deny tcp any any eq 22 log
deny tcp any any eq telnet log
deny tcp any any eq 135
deny tcp any any eq 136
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 139
deny tcp any any eq 445
deny tcp any any eq 593
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny icmp any any echo
deny icmp any any redirect
deny icmp any any mask-request
deny icmp any any fragments
permit udp any eq ntp any eq ntp log
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit ip any any
Any recommendations?
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
Comments
-
tndfr Member Posts: 110
For the established keyword to work you need the 3-way handshake to be carried out first, so you have to allow 3 packets in/out, and the established line of an ACL should be way down.
From experience, it would not work if you put the established keyword at the beginning of the ACL (think 3-way handshake using packets SYNC ACK SYNC).
Just a suggestion: wouldn't it be better to only allow what you want with an implicit deny at the end rather than deny every single port/network?
Working on CCNP 642-813 and finishing off MCSA.
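The two things this thread turns on, the `established` keyword in the original FW_In question and the allow-list design suggested in the reply above, are easier to reason about with a model you can run. The Python below is an added example, not part of this thread and not Cisco code: a stateless evaluator for a subset of IOS extended-ACL syntax (`any` or network/wildcard addresses, `eq` ports, named ICMP messages, `established`, `log`, `remark`) that applies first-match-wins ordering and the implicit deny. IOS documents `established` as a match on any TCP segment with the ACK or RST bit set and nothing more; the router keeps no session table for it, so the reply half of a connection the LAN opened matches the first entry carrying the keyword wherever that entry sits, while an unsolicited SYN does not. The ACL, the router address 198.51.100.1 and the sample packets (documentation ranges throughout) are constructed for the example; one of the samples is the logged case from the first post, ICMP type 3 code 0 (destination unreachable, net unreachable) with source 0.0.0.0.

```python
"""Stateless model of an inbound Cisco IOS extended ACL (added example, not Cisco code):
first match wins, implicit deny at the end, `log`, and `established` (ACK or RST set)."""
import ipaddress
from collections import namedtuple

PORTS = {"ssh": 22, "telnet": 23, "domain": 53, "ntp": 123, "isakmp": 500, "non500-isakmp": 4500}
ICMP = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11}
# flags: TCP flags present, e.g. {"SYN", "ACK"}; icmp: (type, code) for ICMP packets.
Packet = namedtuple("Packet", "proto src dst sport dport flags icmp",
                    defaults=(0, 0, frozenset(), (-1, -1)))
# src/dst are (network, wildcard) ints; sport, dport and icmp of None mean "any".
Rule = namedtuple("Rule", "text action proto src dst sport dport established icmp log")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):                      # 'any' or 'A.B.C.D W.W.W.W' -> ((network, wildcard), next)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _port(tok, i):                      # optional 'eq <port|name>' -> (port or None, next)
    if i < len(tok) and tok[i] == "eq":
        return (PORTS[tok[i + 1]] if tok[i + 1] in PORTS else int(tok[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Parse IOS-style ACE lines (remark lines skipped) into Rule tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rest, icmp = tok[i:], None
        if tok[1] == "icmp" and rest and rest[0] != "log":
            nums = [int(t) for t in rest if t.isdigit()]          # numeric "type [code]" form
            icmp = (ICMP[rest[0]], None) if rest[0] in ICMP else (nums[0], nums[1] if len(nums) > 1 else None)
        rules.append(Rule(line.strip(), tok[0], tok[1], src, dst, sport, dport,
                          "established" in rest, icmp, "log" in rest))
    return rules

def _in_net(ip, net):
    care = ~net[1] & 0xFFFFFFFF         # wildcard 1-bits are "don't care"
    return ip & care == net[0] & care

def matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_in_net(_ip(pkt.src), rule.src) and _in_net(_ip(pkt.dst), rule.dst)):
        return False
    if rule.sport not in (None, pkt.sport) or rule.dport not in (None, pkt.dport):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):   # the whole test IOS makes
        return False
    if rule.icmp is not None:
        t, c = rule.icmp
        if pkt.icmp[0] != t or (c is not None and pkt.icmp[1] != c):
            return False
    return True

def evaluate(rules, pkt):
    """First match wins; unmatched traffic hits the implicit deny, which is never logged."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.text, r.log
    return "deny", "implicit deny", False

# Allow-list inbound ACL for the WAN interface (constructed for this example).
WAN_IN = parse_acl("""
remark bogon sources first, logged the way FW_In logs them
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
remark replies to sessions the LAN opened: ACK or RST set, no state kept
permit tcp any any established
permit udp any eq ntp any eq ntp
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
""")

# Constructed sample packets arriving on the WAN side; 198.51.100.1 stands for the router.
R = "198.51.100.1"
SAMPLES = {
    "syn to ssh (port scan)":    Packet("tcp", "203.0.113.9", R, 40000, 22, frozenset({"SYN"})),
    "syn/ack from a web server": Packet("tcp", "203.0.113.80", R, 80, 51234, frozenset({"SYN", "ACK"})),
    "ack-only probe to ssh":     Packet("tcp", "203.0.113.9", R, 40001, 22, frozenset({"ACK"})),
    "icmp 3/0 from 0.0.0.0":     Packet("icmp", "0.0.0.0", R, icmp=(3, 0)),
    "ntp reply":                 Packet("udp", "203.0.113.123", R, 123, 123),
    "dns reply to a LAN query":  Packet("udp", "203.0.113.53", R, 53, 33000),
}

def decide_all():
    """Return {sample name: (action, matching entry, logged?)} for every sample."""
    return {name: evaluate(WAN_IN, pkt) for name, pkt in SAMPLES.items()}
```

Calling `decide_all()` gives one (action, entry, logged) triple per sample. The SYN to port 22 falls through to the implicit deny and the SYN/ACK from the web server is permitted by the `established` entry, which is the behaviour the keyword is for. Three results are the ones to take away. The ACK-only probe to port 22 is also permitted: `established` looks at flag bits, not at whether the router ever saw the SYN, so an ACK scan walks straight through a stateless ACL, and only stateful inspection such as CBAC or the zone-based firewall actually ties a reply to a session. The DNS reply is dropped: UDP has no flags to key on, so an allow-list needs an explicit entry for each UDP service the LAN uses, which is why pulling CBAC and keeping only an ACL costs reachability. And the ICMP 3/0 from 0.0.0.0 dies on the bogon entry and is logged, exactly as in the first post; the same message from an ordinary router address would have been permitted by `permit icmp any any unreachable`, so what makes that log line odd is the source, which no host on the Internet should be sending from, rather than the ICMP type.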
-
phantasm Member Posts: 995
I agree with you. I blocked those specific ports because they came up in a port scan. I'd like to make it harder to get through... but everything I've tried with that established keyword doesn't work. It's the bane of my existence. lol.
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus
-
phantasm Member Posts: 995
I said the hell with it and loaded the SDM to do the firewall configuration.
Weird thing is, in Windows I get 6MB down, in Linux I get 500k down. lol.
"No man ever steps in the same river twice, for it's not the same river and he's not the same man." -Heraclitus