Re: Cisco 2611 as a firewall?



sven@example.com (sven@example.com) wrote:

> For security I'm going to block basically all incoming ports besides the
> ones he needs for the services he is running locally. These are DNS, POP3,
> SMTP (not sure he wants to allow it), Web, and SSH. Outgoing ports wouldn't
> have to be blocked, I believe.

Not much time to write now (I'll go into more detail tomorrow),
but for now,  NO.  An ISP cannot do this.  Your border
router has to let in everything.

Exception: you want to rate-limit ICMP (ping and traceroute). 
Rate-limiting it to 64 kbps would be reasonable.  Of course,
on a pipe that small, the good place to do this is at the
upstream's end.  Ask the upstream if they will rate-limit
ICMP to 64 kbps on their end of the link.  

Another quick thought: blocking outgoing port 25 is very
highly recommended.  If all ISPs did this, spam would be less
than 1/10 of what it is today.  It's a growing trend, but
not growing fast enough.

> I have little to no experience with Cisco routers, so where do I start,
> how can I accomplish all this and what do I have to be careful about?

This would be a good time to get someone who is
experienced and give that person money.  There are a ton of
things to consider that you may or may not be aware of.

Also, routers make lousy firewalls, anyway.
That's why Cisco sells firewalls, too.

More tomorrow,

Jonathan
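The two measures Jonathan does endorse, rate-limiting ICMP to 64 kbps and blocking outbound TCP port 25 from everything except the customer's own mail server, look like this on classic Cisco IOS. This is an added example and is not from Jonathan's post or from Cisco; the interface names (Serial0/0 as the upstream link, Ethernet0/0 as the LAN side), the ACL numbers 100 and 101, and the mail-server address 192.0.2.10 are assumptions you must replace with your own values. Note that it deliberately filters nothing inbound, in line with the advice that the border router has to let everything in.

```cisco
! --- ICMP rate limit (committed access rate) ---
! ACL 100 matches all ICMP so CAR can police it; it is not applied as a filter.
access-list 100 permit icmp any any
!
interface Serial0/0
 description Link to upstream (assumed interface name)
 ! 64000 bps with an 8000-byte normal/maximum burst; traffic within the
 ! rate is transmitted, traffic above it is dropped.
 rate-limit input access-group 100 64000 8000 8000 conform-action transmit exceed-action drop
!
! --- Outbound SMTP block, applied on the LAN-facing interface ---
! 192.0.2.10 is the assumed local mail server; only it may open port 25
! outbound. Everything else to port 25 is dropped and logged so that an
! infected or misconfigured host shows up in the router log. All other
! traffic passes, so this does nothing to inbound services.
access-list 101 permit tcp host 192.0.2.10 any eq 25
access-list 101 deny   tcp any any eq 25 log
access-list 101 permit ip any any
!
interface Ethernet0/0
 description Customer LAN (assumed interface name)
 ip access-group 101 in
```

After applying it, `show access-lists 101` should show hit counts climbing on the permit line for the mail server and, ideally, staying at zero on the deny line; any hits there are hosts to look at. As the post says, on a link this small the ICMP limit is better done at the upstream's end, since traffic dropped by your router has already crossed the pipe.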
