pfSense Labs


Cacti Netflow Collector (Flowview) and Softflowd

Softflowd is flow-based network traffic analyser capable of Cisco NetFlow data export. Softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file. These flows may be reported via NetFlow to a collecting host or summarised within softflowd itself.

Softflowd supports Netflow versions 1, 5 and 9 and is fully IPv6-capable – it can track IPv6 flows and send export datagrams via IPv6. It also supports export to multicast groups, allowing for redundant flow collectors.

CCNA Security – Chapter 4 (ACLs Mitigating Attacks)

ACLs can be used as an antispoofing mechanism. Spoofing protection involves discarding traffic that has an invalid source address. As a rule, administrators should not allow any IP packets containing the source address of any internal hosts or networks inbound to a private network.
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any
access-list 114 permit icmp any any echo
access-list 114 permit icmp any any parameter-problem
access-list 114 permit icmp any any packet-too-big
access-list 114 permit icmp any any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any
no snmp-server
Many network administrators are unaware that IPv6 is enabled on most operating systems.
Dual-stacked hosts can configure themselves, and may be subject to rogue router advertisements (RAs).
Can exploit routing header (RH) to pivot using multiple hops.
Can exploit automatic tunnels to pivot unnoticed by firewalls and IPS.
ipv6 traffic-filter
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
object-group service eng_srv_group
icmp echo
tcp smtp
tcp telnet
tcp source range 1 65535 telnet
udp domain
tcp-udp range 2000 2005
group-object sjc_eng_svcs
ip access-list extended acl_policy
permit object-group eng_srv_group object-group eng_network_group any
deny tcp any any

CCNA Security – Chapter 4 (ACLs Standar-Extended)

packet filtering, stateful, application gateway (proxy), address-translation, host-based, transparent, and hybrid firewalls.

R2(config)#access-list ?
<1-99>            IP standard access list
<100-199>         IP extended access list
<1000-1099>       IPX SAP access list
<1100-1199>       Extended 48-bit MAC address access list
<1200-1299>       IPX summary address access list
<1300-1999>       IP standard access list (expanded range)
<200-299>         Protocol type-code access list
<2000-2699>       IP extended access list (expanded range)
<300-399>         DECnet access list
<600-699>         Appletalk access list
<700-799>         48-bit MAC address access list
<800-899>         IPX standard access list
<900-999>         IPX extended access list
dynamic-extended  Extend the dynamic ACL absolute timer
rate-limit        Simple rate-limit specific access list
access-list 1 permit host
access-list 1 permit
access-list 100 permit ip host host
access-list 100 permit tcp host host eq 80
R2(config-if)# ip access-group 100 in
ip access-list standard STANDAR-ACL
permit host
ip access-list extended EXTENDED-ACL
permit tcp host host established
The access-class extended ACL only supports the any keyword as the destination.
ip access-list extended PERMIT-ADMIN-LINE
permit tcp host any eq 22 log
deny ip any any
line vty 0 4
access-class PERMIT-ADMIN-LINE in
If using Cisco IOS Release 12.3 and later, sequence numbers can be used to ensure that ACEs are added in the correct location. The ACL is processed top-down based on the sequence numbers of the ACEs (lowest to highest).
Router-generated packets, such as routing table updates, are not subject to outbound ACL statements on the source router. If the security policy requires filtering these types of packets, inbound ACLs on adjacent routers or other router filter mechanisms using ACLs must do the filtering task.
the no parameter followed by the ACE will result in deleting the entire ACL.
On standard access lists, the Cisco IOS will add new entries by descending order of the IP address, regardless of the sequence number. Therefore, the sequence number in a standard ACL is used as an identifier of a specific ACE for deletion purposes.
All entries, regardless of the order in which they were entered, were placed in order of descending IP address, from specific to general.
INBOUND = Pre-Routing
OUTBOUND = Post-Routing
packet debugging captures the packets that are process-switched, including received, generated, and forwarded packets.