Cisco Internet Outbound Access List

The following is a commented example of an Access List configuration for a router that acts as a "choke" device on the inside or outside of a true firewall device. The ! signifies a commented line in Cisco's notation. Non-commented lines are the actual configuration syntax as it would be entered on the Cisco router. The information supplied in this configuration is in no way guaranteed or supported by the author to "secure" your network. This is meant to provide an example of generally accepted configuration practices when securing routers that provide access to untrusted networks. This access-list should be applied inbound on your choke router to what is considered your internal or inside interface. In most cases, this will be some sort of ethernet interface. This filters traffic that is going towards the Internet or untrusted network "inbound" on that interface.
! Deny RFC 1918 private source addresses and other reserved address space from
! going outbound. It is not wise to let packets leak outside your network with
! your internal address information.
! This is the primary way that hackers learn about the configuration of private
! networks. These packets cannot be responded to anyway, since these networks are
! not routable on the Internet. They would only be reachable if you are using NAT on a
! device beyond this point in the network to translate to a publicly routable address.
!
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 224.0.0.0 15.255.255.255 any log-input
! Keep any errant request for private addresses inside your network.
! Just in case your internal routing table for some reason does not contain a route
! that should be internal, and clients follow your default route toward the Internet
! for requests that should stay inside your network. Another way that hackers
! can find out about your internal network is by watching for internal requests that
! accidentally get routed out to a public device from which they can capture traffic.
!
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 224.0.0.0 15.255.255.255 log-input
! Deny all netbios traffic going outbound since this is one of the top 3 most hacked
! or attacked protocols on the Internet. Users should not access netbios services on
! the Internet since it can very easily compromise NT Domain security and architecture.
!
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
! Permit everything else from the "internal network". If you are not
! using CBAC, then you may want to use the reflexive access list commands
! to build a dynamic access-list and only permit inbound the necessary
! traffic that you have initiated requests for. If you are using CBAC
! inspection outbound towards the Internet then there is no need for
! reflexive access-lists as this is automatically handled by CBAC. You
! will still need to have a permit statement to allow your client traffic
! outbound, just don't include the reflect option and subsequent
! parameters.
!
! The reflexive ACL command allows all other traffic to pass through the
! interface and uses the IOS feature set to build a dynamic access list
! for return traffic coming inbound from the Internet. That way a command
! can be appended to an inbound access list to evaluate inbound packets
! against "allowed" return traffic to sessions started from inside your
! network.
!
! *WARNING* This command is CPU and memory intensive on your router depending on the
! volume of traffic flowing through the interface. I recommend at least a 2610 series
! router with 32MB RAM minimum to support a full T-1 with this configuration.
!
permit ip <network address> <wildcard> any reflect alliptraffic timeout 120
deny ip any any log
! If this router is not being used as a firewall but more for just a choke device
! to enhance the security in front of or behind a firewall the following commands should
! replace the above commands... You should specifically define your networks that should
! be allowed to go outbound and then deny everything else explicitly.
!
permit ip <network address> <wildcard> any
deny ip any any log
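As an added example that is not part of the original page, the following Python script parses the access list above and evaluates constructed sample flows against it using Cisco wildcard-mask and first-match semantics, which is a convenient way to check what a list actually does before applying it to an interface. It fills the page's <network address> <wildcard> placeholder with an assumed internal network of 203.0.113.0/24 (a documentation range); the sample flows and the port-name table are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ACL: the page's statements in order, with the page's
# "<network address> <wildcard>" placeholder filled with an ASSUMED internal
# network 203.0.113.0/24 (documentation range, not a real site).
ACL_TEXT = """
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 224.0.0.0 15.255.255.255 any log-input
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 224.0.0.0 15.255.255.255 log-input
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
permit ip 203.0.113.0 0.0.0.255 any reflect alliptraffic timeout 120
deny ip any any log
"""

# IOS port keywords used by the page's lines (137/138/139 UDP).
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

AddrSpec = Optional[Tuple[int, int]]  # (address, wildcard); None means "any"


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]
    log: bool
    text: str


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tok[i]."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text):
    """Turn extended-ACL statements into Entry objects, skipping ! comments."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        log = any(t in ("log", "log-input") for t in tok[i:])
        entries.append(Entry(action, proto, src, dst, port, log, line))
    return entries


def _addr_matches(spec, addr):
    """Wildcard semantics: a 1 bit in the mask means 'do not care'."""
    if spec is None:
        return True
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; no match falls through to IOS's implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _addr_matches(e.src, src) or not _addr_matches(e.dst, dst):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample flows, all arriving on the assumed inside interface.
    samples = [
        ("tcp", "203.0.113.10", "198.51.100.5", 443),  # normal web traffic
        ("udp", "203.0.113.10", "198.51.100.5", 137),  # NetBIOS name service
        ("tcp", "10.1.2.3", "198.51.100.5", 80),       # leaked RFC 1918 source
        ("tcp", "203.0.113.10", "172.31.255.1", 80),   # errant request for private space
        ("tcp", "203.0.113.10", "172.32.0.1", 80),     # just outside 172.16/12
        ("tcp", "203.0.113.10", "198.51.100.5", 139),  # NetBIOS session over TCP
    ]
    for flow in samples:
        action, line = evaluate(ACL, *flow)
        print(f"{flow} -> {action:6} via: {line}")
```

Two things the run makes visible that are easy to miss when reading the list: the 0.15.255.255 wildcard stops exactly at 172.31.255.255, so 172.32.0.1 is permitted, and the three NetBIOS entries are UDP-only, so a TCP session to port 139 from the internal network reaches the permit line. Anyone adapting this list should decide deliberately whether TCP NetBIOS traffic also belongs in the deny section.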
DISCLAIMER
No Warranty of any kind is expressed or implied with respect to the information contained in this document!
The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.
Use this information at your own risk!
Scott S. 2010
Last Revised: Tuesday, 13-Jul-2010 16:54:39 EDT
© thewaystation.com 1993-2010