Cisco 827 Firewall QoS

Everything to do with infrastructure (not configurations)

Moderator: Federico.Lagni

kattivo
n00b
Posts: 8
Joined: Sun 03 Sep 2006, 5:17 pm

Hi, I'm new to this Cisco.
I managed to configure it properly for the connection; now I was searching the net for something to make it more secure, but I found a mess of documentation that doesn't suit my case!

The things I'm interested in would be: dropping DoS attacks; making the Cisco accept only the inbound packets requested by the LAN (I think this is a good system for avoiding DoS attacks, though I don't know whether it can have drawbacks for the connection, which is why I wanted your advice); and QoS: I want to give priority to certain services on the network, for example with eMule running, I want eMule's traffic to be reduced when a service such as VNC or HTTP 80 is requested. How can I add these rules to my Cisco?

Here is my current config file:

Code:

Cisco827#show running-config
Building configuration...

Current configuration : 2245 bytes
!
version 12.2
service config
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco827
!
enable secret 5 $1$DA8G$xsvecs/C0L04zpk2XWQUv.
enable password 7 011701105700071B35455806
!
no ip subnet-zero
ip name-server 212.216.112.222
ip dhcp excluded-address 192.168.0.245
ip dhcp excluded-address 192.168.0.100
!
ip dhcp pool nomepool
   network 192.168.0.0 255.255.255.0
   domain-name digitalsnc.it
   default-router 192.168.0.245
   dns-server 212.216.112.222 151.99.125.2
   lease infinite
!
!
!
!
interface Ethernet0
 ip address 192.168.0.245 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip nat outside
 atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer0
 description ADSL CISCO ROUTER
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp pap sent-username venomteam2 password 7 144640585D5679
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.135 22 interface Dialer0 22
ip nat inside source static tcp 192.168.0.245 23 interface Dialer0 23
ip nat inside source static tcp 192.168.0.100 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.0.100 1050 interface Dialer0 1050
ip nat inside source static udp 192.168.0.100 1055 interface Dialer0 1055
ip nat inside source static tcp 192.168.0.135 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.10 5500 interface Dialer0 5500
ip nat inside source static udp 192.168.0.10 5555 interface Dialer0 5555
ip nat inside source static tcp 192.168.0.10 4711 interface Dialer0 4711
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
logging facility local3
logging 192.168.0.100
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 deny   icmp any any echo
no cdp run
snmp-server community public RO
snmp-server community catchme RO
snmp-server trap-source Ethernet0
snmp-server host 192.168.0.100 catchme
!
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 password 7 03570858525C72
 login
!
no scheduler max-task-time
end
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

ip icmp rate-limit unreachable 1000
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
ip inspect one-minute high 500
ip inspect one-minute low 300
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name IDS-IN tcp timeout 3600
ip inspect name IDS-IN udp
ip inspect name IDS-IN icmp
ip inspect name IDS-IN ftp
ip inspect name IDS-IN http timeout 3600
ip inspect name IDS-IN https timeout 3600
ip inspect name IDS-IN dns
ip inspect name IDS-IN echo
ip inspect name IDS-IN microsoft-ds

ip ips sdf location disk2:attack-drop.sdf
ip ips name IPS
Router(config-if)# ip ips IPS in

*************************************************************
access-list 131 remark *** ACL PER CONTROLLARE DNS SERVER ***
access-list 131 remark *************************************************************
access-list 131 permit udp host 151.1.1.1 eq domain any
access-list 131 permit udp host 151.99.125.1 eq domain any
access-list 131 permit udp host 151.99.125.2 eq domain any
access-list 131 permit udp host 151.99.125.3 eq domain any
access-list 131 deny udp any eq domain any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER TRAFFICO VPN ***
access-list 131 remark *************************************************************
access-list 131 permit esp any any
access-list 131 permit udp any any eq isakmp
access-list 131 permit udp any any eq 4500
access-list 131 permit udp any eq 500 any
access-list 131 permit udp any eq 4500 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER BLOCCARE ATTACCO EXTREME UDP FLOODING **
access-list 131 remark *************************************************************
access-list 131 deny udp any any eq 5000
access-list 131 deny udp any eq 5000 any eq 5000
access-list 131 deny udp any eq 5000 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 remark *************************************************************
access-list 131 deny ip host 0.0.0.0 any
access-list 131 deny ip 127.0.0.0 0.255.255.255 any
access-list 131 deny ip 192.0.2.0 0.0.0.255 any
access-list 131 deny ip 224.0.0.0 31.255.255.255 any
access-list 131 deny ip 10.0.0.0 0.255.255.255 any
access-list 131 deny ip 172.16.0.0 0.15.255.255 any
access-list 131 deny ip 192.168.0.0 0.0.255.255 any
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER PERMETTERE CONNESSIONI ESTABILISHED ***
access-list 131 remark *************************************************************
access-list 131 permit tcp any any gt 1023 established
access-list 131 permit udp any any gt 1023
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 remark *************************************************************
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny icmp any any redirect
access-list 131 deny icmp any any information-reply
access-list 131 deny icmp any any information-request
access-list 131 deny icmp any any mask-reply
access-list 131 deny icmp any any mask-request
access-list 131 deny icmp any any fragments
access-list 131 deny icmp any any net-tos-redirect
access-list 131 deny icmp any any ttl-exceeded
access-list 131 deny icmp any any source-route-failed
access-list 131 deny icmp any any
access-list 131 remark ***************************************************************
access-list 131 remark *** ACL PER BLOCCARE L'ACCESSO A VIRUS E ATTACCHI ***
access-list 131 remark *************************************************************
access-list 131 deny tcp any any eq 135
access-list 131 deny udp any any eq 135
access-list 131 deny udp any any eq netbios-ns
access-list 131 deny udp any any eq netbios-dgm
access-list 131 deny tcp any any eq 139
access-list 131 deny udp any any eq netbios-ss
access-list 131 deny tcp any any eq 445
access-list 131 deny tcp any any eq 593
access-list 131 deny udp any any eq 1433
access-list 131 deny udp any any eq 1434
access-list 131 deny udp any any eq 5554
access-list 131 deny udp any any eq 9996
access-list 131 deny udp any any eq 113
access-list 131 deny udp any any eq 3067
access-list 131 remark *************************************************************
access-list 131 remark *** ACL PER BLOCCARE ACCESSI NON AUTORIZZATI ***
access-list 131 remark *************************************************************
access-list 131 deny ip any any
access-list 131 remark *************************************************************
The future is made of people who have intuitions and visions ..... it is those people who make the difference...... the ones gifted with a THIRD EYE....
MrDish
n00b
Posts: 4
Joined: Fri 21 Apr 2006, 10:15 am

If at the end of a rule set you write "deny ip any any", then before it you can write only the permits, precisely because everything that isn't permitted is denied, and you don't write a kilometre of rules (which perhaps weigh on the router's RAM).
Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

If I want to log the matches of specific ACL entries, I have to put them in!
Even if they are denies!
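The exchange above turns on two properties of IOS extended ACLs: the first matching entry wins, and an unlisted packet falls through to an implicit, silent "deny ip any any". The following simulator is an added example, not code from this thread or from Cisco, and it models only the static ACL (the dynamic return-path holes that the posted `ip inspect` entries open are not modelled). It loads a hand-picked subset of Wizard's ACL 131 in the posted order and evaluates constructed sample packets against it; the `log` flags on the two trailing denies are an assumption added to show the difference Wizard points out between an explicit logged deny and the implicit one MrDish relies on.

```python
"""Simulator of Cisco IOS extended-ACL semantics (added example, not from the
thread): first matching entry wins and an implicit "deny ip any any" sits at
the end. The entries below are a constructed subset of the posted ACL 131."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PortSpec = Optional[Tuple[str, int]]  # ("eq", 53), ("gt", 1023) or None = any


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set: what IOS "established" tests
    icmp_type: str = ""


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str = "any"               # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str = "any"
    sport: PortSpec = None
    dport: PortSpec = None
    established: bool = False
    icmp_type: Optional[str] = None
    log: bool = False              # IOS "log" keyword: a hit is sent to syslog


def match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    net, wild = spec.split()
    # IOS wildcard mask: a 0 bit must match exactly, a 1 bit is "don't care"
    care = 0xFFFFFFFF ^ int(IPv4Address(wild))
    return int(IPv4Address(net)) & care == int(IPv4Address(addr)) & care


def match_port(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "eq" else port > value


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (match_addr(e.src, p.src) and match_addr(e.dst, p.dst)):
        return False
    if p.proto in ("tcp", "udp") and not (
        match_port(e.sport, p.sport) and match_port(e.dport, p.dport)
    ):
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, int, bool]:
    """Return (action, index, logged). Index -1 means no entry matched and
    the packet fell through to the implicit, unlogged deny."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i, e.log
    return "deny", -1, False


# Constructed subset of the posted ACL 131, kept in the posted order.
ACL_131 = [
    Entry("permit", "udp", "host 151.99.125.2", "any", sport=("eq", 53)),
    Entry("deny", "udp", sport=("eq", 53)),            # any other DNS source
    Entry("permit", "esp"),
    Entry("permit", "udp", dport=("eq", 500)),         # isakmp
    Entry("deny", "ip", "10.0.0.0 0.255.255.255"),     # anti-spoofing
    Entry("deny", "ip", "192.168.0.0 0.0.255.255"),
    Entry("permit", "tcp", dport=("gt", 1023), established=True),
    Entry("permit", "udp", dport=("gt", 1023)),
    Entry("permit", "icmp", icmp_type="echo-reply"),
    Entry("deny", "icmp", log=True),                   # "log" is an assumption
    Entry("deny", "tcp", dport=("eq", 445)),
    Entry("deny", "ip", log=True),                     # explicit final deny, "log" assumed
]

if __name__ == "__main__":
    samples = {  # constructed sample packets
        "DNS reply from listed server": Packet("udp", "151.99.125.2", "192.168.0.245", 53, 40000),
        "DNS reply from other server": Packet("udp", "8.8.8.8", "192.168.0.245", 53, 40000),
        "spoofed 10/8 source": Packet("tcp", "10.1.2.3", "192.168.0.245", 443, 40000, ack=True),
        "unsolicited SYN to high port": Packet("tcp", "1.2.3.4", "5.6.7.8", 4444, 50000),
    }
    for name, pkt in samples.items():
        print(f"{name:30} -> {evaluate(ACL_131, pkt)}")
```

Two results are worth noting. A DNS reply from a server not in the permit list is stopped by `deny udp any eq domain any` even though the later `permit udp any any gt 1023` would have let it through, which is exactly why entry order matters in an IOS ACL. An unsolicited SYN to a high port hits the explicit trailing `deny ip any any` and, with `log` on it, is reported; drop that last entry (`ACL_131[:-1]`) and the same packet is still denied, but silently by the implicit deny, which is Wizard's reason for keeping explicit denies. On a real IOS box the list filters nothing until it is applied, for instance with `ip access-group 131 in` on the WAN-facing interface (Dialer0 in the posted config); neither post shows that step.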