Consiglio sicurezza su un 837

[thesalex]

Ciao a tutti, grazie alla funzione cerca di questo forum sono riuscito
a configurarmi un 837 su una adsl con ip dinamico.

Quello che mi resta difficile è come attivare la funzione firewall.
Dovrei cominciare tipo con:

ip inspect max-incomplete high value 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50

è giusto? sono valori accettabili considenrando che potrei utilizzare emule o gaming on line? se no, quali dovrei aumentare o diminuire?

poi dovrei inserire delle access list, così va bene?

access-list 101 permit any any eq 37682
access-list 101 permit any any eq 7174
access-list 101 permit any any eq 1723
access-list 101 permit any any eq gre
access-list 101 deny any any

interface dialer0
ip access-group 101 in



questa è la mia conf attuale:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret xxxxxxxxxxxx
enable password xxxxxxxxxx
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
!
ip cef
ip name-server 151.99.125.2
ip name-server 151.99.125.3
ip name-server 212.216.112.11
ip ddns update method DynDNS
HTTP
add http://xxxxxx:[email protected] ... h>&myip=<a>
interval maximum 26 0 0 0
interval minimum 0 13 0 0
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
username xxxxxxx password 0 xxxxxxx
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Ethernet0
peer default ip address pool VPN_POOL
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
interface Dialer0
ip ddns update hostname xxxxxx.dyndns.org
ip ddns update DynDNS host xxxxxx.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxxxx password 0 xxxxxx
!
ip local pool VPN_POOL 192.168.1.200 192.168.1.210
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip dns server
!
ip nat translation port-timeout tcp 37682 10
ip nat translation port-timeout udp 7174 10
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 37682 interface Dialer0
ip nat inside source static udp 10.0.0.10 7174 interface Dialer0 7174
!
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxx

scheduler max-task-time 5000
end

[Wizard]

Per l'ip inspcet prova come dici tu ma manca la configurazione dei protocolli da inspezionare...!

[thesalex]

così ci siamo? manca qualcosa?

ip inspect tcp
ip inpeect udp
ip inspect max-incomplete high value 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50

access-list 101 permit tcp any eq 37682
access-list 101 permit udp any eq 7174
access-list 101 permit tcp any eq 1723
access-list 101 permit any any eq gre
access-list 101 deny ip any any

interface dialer0
ip access-group 101 in

[Wizard]

A parte che la sintassi x l'ip inspect non è corretta il senso lo ho capito e va bene!
Se hai la versione plus della ios configura anche IPS