On a related topic, may I suggest that everyone with a Cisco router at the
border of their network that is running IOS 12.x include the following to
help prevent Nimda virus propagation:
! NBAR URL matching: a request whose URL fits any of these four patterns joins the class
class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*.ida*"
 match protocol http url "*readme.eml*"
!
! All three police actions are drop, so the rate values never matter:
! every packet classified as http-hacks is discarded
policy-map drop-inbound-http-hacks
 class http-hacks
  police 10000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface FastEthernet0/0
 ip address X.X.X.X 255.255.255.0
 duplex auto
 speed auto
 service-policy input drop-inbound-http-hacks
 fair-queue
#### please notice the "service-policy input drop-inbound-http-hacks"
I cannot claim credit for this one.. Cisco sent me an e-mail telling me how
to do it when Nimda first came around.. You would be surprised at how much
this thing blocks...
----- Original Message -----
From: "hfl-lists" <hfl-lists@stormcrows.com>
To: <karlnet@WISPNotes.com>
Sent: Tuesday, June 11, 2002 11:14 PM
Subject: OT: Cisco bandwidth shaping (WAS:Re: [Karlnet] Filtering GNUTela, Morpheus, Kazaa, etc)
> To me the border is the place to filter.. to save you time here are the
> pertinent portions of a config I just did (this is IOS 12.2 by the way), my
> comments are prefaced with ##.. E-mail me with questions.
>
> class-map match-any normal-priority
>  match access-group name normalpriority
> class-map match-any high-priority
>  match access-group name highpriority
> class-map match-any low-priority
>  match access-group name lowpriority
> ### ok here we are just defining some "classes" of service, for instance the
> class "normal-priority" is ANYthing that matches the access-list named
> "normalpriority" which you will see below
> !
> policy-map shapetraffic
>  class high-priority
>   shape peak 1544000
>   bandwidth percent 40
>  class normal-priority
>   shape peak 10000000
>   bandwidth percent 40
>  class low-priority
>   shape peak 1544000
>   bandwidth percent 20
> ### here is where we define the actual policy for this.. we create a policy
> called "shapetraffic" and then we put the three classes from above into it
> and assign each a bandwidth. Notice that I have defined a PEAK value of a
> T1 to high-priority.. means IF the bandwidth is available this class is
> allowed to use UP TO 1.544mbps. When that bandwidth is NOT available it is
> GUARANTEED at LEAST 40% of the available bandwidth on whatever interface
> this policy is assigned to. That means that if this one policy is assigned
> to two T1s then it will have 2x(.40x1.544mbps) of bandwidth guaranteed to it
> but never allowed more than 1.544mbps on ALL interfaces. You can also see
> that I have defined a few numbers for the other two, normal (catch all
> really) and low which only gets 20% when bandwidth is constrained.
>
> !
> interface Serial1/0
>  description Serial To UUnet
>  bandwidth 1536
>  no ip address
>  no ip redirects
>  no ip proxy-arp
>  encapsulation frame-relay IETF
>  no ip mroute-cache
>  service-policy input drop-inbound-http-hacks
>  service-policy output shapetraffic
>  frame-relay lmi-type ansi
> ### ok here is where we apply the policy just so you can see it in context I
> am leaving a bunch of other stuff in there.. the thing to see is the
> "service-policy output shapetraffic". Can be applied to ANY interface (not
> subinterfaces with the way I have this setup) but only on OUTPUT.. so if you
> want it both ways, you need to put it on the ethernet interface too.
> !
> ### the following are the access lists for above. high priority includes
> games, interactive sessions (such as telnet, SSH, Windows Remote Desktop,
> etc.) Low includes the file sharing programs and smtp.
>
> ip access-list extended highpriority
>  permit tcp any any eq 22
>  permit tcp any any eq telnet
>  permit tcp any any eq 1494
>  permit udp any any eq 1604
>  permit udp any any eq 1701
>  permit udp any any eq 1723
>  permit tcp any any range 3230 3235
>  permit udp any any range 3230 3235
>  permit tcp any any eq 3389
>  permit tcp any any eq 4000
>  permit tcp any any eq 5631
>  permit udp any any eq 5632
>  permit tcp any any eq 6112
>  permit udp any any eq 6112
>  permit udp any any range 27000 29999
>  deny ip any any
> ip access-list extended lowpriority
>  permit tcp any any eq nntp
>  permit tcp any any eq smtp
>  permit tcp any any eq 1214
>  permit tcp any any eq 6346
>  permit udp any any eq 6346
>  permit tcp any any eq 6699
>  deny ip any any
> ip access-list extended normalpriority
>  deny tcp any any eq nntp
>  deny tcp any any eq smtp
>  deny tcp any any eq 1214
>  deny tcp any any eq 6346
>  deny udp any any eq 6346
>  deny tcp any any eq 6699
>  permit ip any any
>
>
> ----- Original Message -----
> From: "Bill Fisher" <fisher@akorn.net>
> To: <karlnet@WISPNotes.com>
> Sent: Tuesday, June 11, 2002 6:39 PM
> Subject: RE: [Karlnet] Filtering GNUTela, Morpheus, Kazaa, etc
>
>
> >
> > > where do you want to filter them? At the AP? Router?
> >
> > So this is a good question! I know NOTHING about Cisco's OS. I'm going to
> > change that this fall. :) I am using a 2610 as our border router right
> > now. I didn't know I could prioritize traffic on the Cisco. So, anything
> > you can say about that would be welcome (albeit off topic).
> >
> > Thanks
> >
> > Bill
> >
> > _______________________________________________
> > Karlnet mailing list
> > Karlnet@WISPNotes.com
> > http://lists.wispnotes.com/mailman/listinfo/karlnet
> >
>
> _______________________________________________
> Karlnet mailing list
> Karlnet@WISPNotes.com
> http://lists.wispnotes.com/mailman/listinfo/karlnet
>
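Added example, not part of this thread and not Cisco code: a small offline model of the MQC pieces both messages above rely on (class-maps, policy-maps and the extended ACLs behind them), so the classification logic can be checked before anything is pasted into a router. SAMPLE_CONFIG is an abridged, constructed copy of the configs quoted in the thread. The model assumes IOS semantics that practitioners will recognise: classes in a policy-map are tried in the order listed, an ACL is first-match with an implicit deny at the end, and the NBAR URL match is a wildcard match, here approximated with fnmatch.

```python
"""Offline model of the IOS MQC config quoted in this thread.  Constructed example,
not Cisco code; SAMPLE_CONFIG is an abridged copy of the configs in the thread."""
import fnmatch

SAMPLE_CONFIG = """\
class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*.ida*"
 match protocol http url "*readme.eml*"
class-map match-any high-priority
 match access-group name highpriority
class-map match-any normal-priority
 match access-group name normalpriority
class-map match-any low-priority
 match access-group name lowpriority
policy-map shapetraffic
 class high-priority
 class normal-priority
 class low-priority
ip access-list extended highpriority
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any range 27000 29999
 deny ip any any
ip access-list extended lowpriority
 permit tcp any any eq smtp
 permit tcp any any eq 1214
 deny ip any any
ip access-list extended normalpriority
 deny tcp any any eq smtp
 deny tcp any any eq 1214
 permit ip any any
"""
SERVICE_PORTS = {"telnet": 23, "smtp": 25, "nntp": 119}  # IOS service names for ports


def parse(config):
    """Group the config into {section type: {name: [tokenised body lines]}}."""
    sections = {"class-map": {}, "policy-map": {}, "acl": {}}
    target = None
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!": continue   # blank or IOS comment line
        if words[0] in ("class-map", "policy-map"):  # 'class-map match-any NAME'
            name = words[2] if words[0] == "class-map" else words[1]
            target = sections[words[0]].setdefault(name, [])
        elif words[:3] == ["ip", "access-list", "extended"]:
            target = sections["acl"].setdefault(words[3], [])
        else:
            target.append(words)                    # indented body line
    return sections

def ace_matches(ace, proto, dport):
    """One 'permit|deny PROTO any any [eq P | range A B]' entry against a flow."""
    if ace[1] not in ("ip", proto): return False
    qualifier = ace[4:]                             # whatever follows 'any any'
    if not qualifier:
        return True                                 # e.g. 'deny ip any any'
    if qualifier[0] == "eq":
        return dport == (SERVICE_PORTS.get(qualifier[1]) or int(qualifier[1]))
    if qualifier[0] == "range":
        return int(qualifier[1]) <= dport <= int(qualifier[2])
    raise ValueError("unsupported ACE: " + " ".join(ace))

def acl_permits(acl, proto, dport):
    """First matching entry decides; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, proto, dport):
            return ace[0] == "permit"
    return False

def classify(sections, policy, proto, dport):
    """Classes are tried in the order the policy-map lists them; first hit wins."""
    for entry in sections["policy-map"][policy]:
        if entry[0] != "class":
            continue                                # shape/bandwidth lines
        for rule in sections["class-map"][entry[1]]:
            if rule[:3] == ["match", "access-group", "name"]:
                if acl_permits(sections["acl"][rule[3]], proto, dport):
                    return entry[1]
    return "class-default"                          # IOS's implicit catch-all class

def url_is_dropped(sections, url):
    """Does any NBAR URL glob in the match-any http-hacks class catch this URL?"""
    return any(fnmatch.fnmatchcase(url, rule[4].strip('"'))
               for rule in sections["class-map"]["http-hacks"]
               if rule[:4] == ["match", "protocol", "http", "url"])

def dangling_references(sections):
    """Names used but never defined: the check to run before pasting into a router."""
    problems = []
    for pname, body in sections["policy-map"].items():
        for entry in body:
            if entry[0] == "class" and entry[1] != "class-default" and entry[1] not in sections["class-map"]:
                problems.append(f"policy-map {pname}: class-map {entry[1]} not defined")
    for cname, rules in sections["class-map"].items():
        for rule in rules:
            if rule[:3] == ["match", "access-group", "name"] and rule[3] not in sections["acl"]:
                problems.append(f"class-map {cname}: access-list {rule[3]} not defined")
    return problems
```

Running classify over a few flows shows why the normalpriority list has to deny the file-sharing and SMTP ports before its permit ip any any: normal-priority is tried before low-priority, so without those denies nothing would ever reach the low class. dangling_references is the sanity check for the kind of cut-and-paste in this thread, where an interface applies drop-inbound-http-hacks but that policy-map is defined in a different message.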