Free IOS Script: Attempting To Use Cisco 861 To Mitigate Hacking.

While attempting to compete in the job market, I found I was getting killed on the Internet.  At its peak, the intrusions attempts amounted to about 82 unique IP's in a little more than 60 minutes, which disregards the possibility there were also other non-IP protocols and disregards the multiplicity of concurrent attack attempts.  Obviously, when I realized I couldn't keep pace with the hackers, I pulled the plug.  


The Windows script I wrote and posted earlier held but the routers did not.  I had two Netgear routers and a Cradlepoint router, in-line, and as a last resort I broke out the Cisco 861 and wrote a script for it.  I had been planning to wait until after my Cisco certification but life doesn't always happen the way you plan it

The script (below) makes note that most of the hacking comes from AfriNIC, APNIC, LacNIC RIPE and IANA IP's, so it blocks them.  I'm not suggesting that anyone in China knows about or cares about my network.  I do think that people use VPN's to do their dirty hacking work.  The VPN's are cheap and they allow people to be aggressive with impunity and anonymously (much as cars facilitate peoples' road rage).

Blocking those foreign IP's simply brought the hackers in through ARIN IP's, some more than others as noted in the script itself. 

The script blocks some IP's in and out, while it blocks others just inbound.  People may choose other IP ranges, protocols, ports, other permissions and so on, but hopefully this will serve as a framework for a script should someone find themselves in a similar situation and too technically challenged to implement a Cisco router.

What the Cisco router offers that is unique is an option for "no source routing".  Loose source routing seems to be a preferred hackers' tool, allowing them to get otherwise un-routeable IP's across the Internet, among other things.  The Cisco router is a tool for those of us who don't care to get involved in hacking but who also don't care to have to reload Windows just so some geek can go home giggling himself silly.

Yes, this is the first time I've written a firewall in IOS, so constructive comments would be appreciated.  It is intended that the user set up the firewall using Cisco Express before loading this script into the router.  The 110 and 120 access-lists (one protocol, one direction, one port, one access-list) should add themselves to the Cisco-Express configured 100 and 101 access lists, if I understand correctly.



It's also important to note that, even with the Cisco Express firewall and optional security features, in addition to this script, in line with two Netgear routers and a Cradlepoint router, the hackers bricked both Netgear routers and the Cradlepoint router too, and they managed to change the level 15 password on the Cisco router from the WAN side (I'm guessing they logged in as a Cisco service account), so this is not a complete answer, just maybe a good place to start.



Please don't be too harsh in your comments as I had to teach myself IOS (yeah, zero help from the local computer certification school I had been attending) just so I could get on the internet at all.  I did file a complaint about the hacking, and in the last several minutes, it has subsided to zero, apparently (I haven't checked the firewall logs yet).  Subsequently, I found that approximately 2 hours after leaving that computer school, my Web site was also besieged with about 20,000 SPAM emails.  Hmmmm....




I'm just now updating the script.  While the script initially worked, I'm finding that I have to make additional concessions to the ISP else they will deny service altogether.  (That's odd because it was their network problems which necessitated the firewall in the first place.)  There were some other expected eventualities, namely the necessity to poke holes in the firewall to facilitate American companies who have apparently outsourced their services overseas or may be just simply using Asian and European IP addresses. 


February 7, 2012: Update. 

This firewall has been seriously tested by a flood of hacking like I've never seen before (and it's also been tested on Windows 7 and Linux).

I hope whomever is hacking me finally comes to realize that they aren't going to come anywhere close to touching my data again, and then moves on with their lives hopefully finding something else to do. 

---------------------------------------------------------------------------------------------------

Realize that THIS IS A TEMPLATE!  It's not supposed to be really tight code or a one-size-fits-all solution.  Your block lists will be different. your permissions will be different, and so on. 

You can take out the part you don't want, but the comments aren't going to have any effect on the performance of the router, since the router doesn't store them.  The comments are strictly for your and my benefit.  You should be able to decipher the template fairly easily as I've organized it into sections with some built-in suggestions.

You can also just comment out the parts you don't need, as opposed to deleting them, by putting a "!" or a "!-- " in front of a statement, so that you can enable it later if you choose.  If you just comment the statements out you don't want, they'll be there later so you won't have to look the references up.

DO NOT attempt to cut and paste this into Hyperterminal, attached to the Cisco terminal port.  Ain't gonna happen.  At the Cisco port default of:

 

9600 baud

8 data bits, no parity

1 stop bit

No flow control

 

(http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/hardware/installation/guide/3Connect880-860.html#wp1050135)

...it will overrun the buffer resulting in predictable errors.  Use the terminal port for monitoring and responding to attacks in real time.  Download Putty, or something similar, and drop this code into the router using a virtual terminal (vty), then disconnect the monitoring PC from the network port, leaving the Hyperterminal connection (RJ45 -- DB-9) intact.  (Yes, that's DE-9 for you A+ certified sticklers....)




Note:  Users using Road Runner DNS will have problems activating Windows, accessing Facebook and LinkedIn, possibly even downloading Adobe add-in's because, according to Road Runner DNS, those sites are behind Road Runner IP's.  As previously stated, you may choose your own site-blocking or...you could just use Google DNS: 8.8.8.8 and 8.8.4.4

I corrected some obvious errors which somehow got uploaded and will review the site periodically and try to fix any errors I see, including any graphics which have met with some unfortunate demise.

Anyway, if you like my work, I am on the market for a new opportunity.  Please view my resume' at:

http://johnswebpage.com/resume.htm





Here's the script:



config terminal

!-- Private use only!
!
!-- Not suitable for commercial use
!
!-- Excludes all of IPv6 (...hopfully...).
!
!-- Provisions UDP for Linux/Unix and Windows tracert
!
!-- IP represented as hacking threats represent factual
!--   statements about the activity of IP assignments
!--   rather than about whom the IP's are assigned to.
!
!-- Private citizens have a right to browse the Internet
!--    without threats and to identify and protect
!--    themselves against those threats.
!
!--  No guarantee is given with respect to the
!--    accuracy of the information presented here.
!
!--  IP ranges of specific organizations may not be a
!--     complete compendium off all of that organizations
!--     IPs, only those that were recorded on the firewall
!--     as attempting intrusions.
!
!--  Any and all intellectual property rights are retained.
!
!--  Distribute only without charge, complete and unmodified.

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- Keep Interfaces alive
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
interface FastEthernet4
 no shutdown
 exit

interface FastEthernet0
 no shutdown
 exit

interface FastEthernet1
 no shutdown
 exit

interface FastEthernet2
 no shutdown
 exit

interface FastEthernet3
 no shutdown
 exit

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

 

 

 

 

 

!-- Keepalives for TCP sessions
!-- These keepalive global configuration commands enable a device to
!-- send TCP keepalives for TCP sessions.  This configuration must be
!-- used in order to enable TCP keepalives on inbound connections to
!-- the device and outbound connections from the device.  This ensures
!-- that the device on the remote end of the connection is still
!-- accessible and that half-open or orphaned connections are removed
!-- from the local Cisco IOS device
!--
!-- service tcp-keepalives-in
service tcp-keepalives-out

!
!-- Enables Cisco Express Forwarding (CEF) on the route processor card
!-- This is necessary to inable IP verify reverse-path
!
ip cef

!
!-- Enable Unicast Reverse Path Forwarding (unicast RPF)
!-- Requires Cisco Express Forwarding (CEF) to be enabled
!
!-- Protects against spoofed, malformed or forged IP source
!-- addresses which can indicate Denial Of Service (DOS) attacks
!
!-- Ensure the source address appears in the Forwarding
!-- information Base and that it matches the interface on
!-- which the packet was received.
!
!-- ip verify unicast FastEthernet4
!-- ip verify unicast reverse-path

 

!
!-- Disables the Packet Assembler/Dissembler (PAD) service which is
!-- used for X.25 networks
!
no service pad

no x25 routing

no ip bootp server
no ip source-route
no ip forward-protocol turbo-flood
no rbe nasip
no tacacs-server directed-request
ip tcp selective-ack

!
!-- The No Service Password-Recovery feature does not allow anyone with
!-- console access to insecurely access the device configuration and
!-- clear the password. 
!-- It also does not allow malicious users to change the configuration
!-- register value and access NVRAM.

!-- no service password-recovery

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define Akamai IPs within ARIN
!--    akamai_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network akamai_ip

object-group network akamai_ip

    !-- Akamai
    23.0.0.0 255.240.0.0

    !-- Akamai
    23.32.0.0 255.224.0.0
    23.64.0.0 255.252.0.0

    !-- Akamai
    63.80.4.0 255.255.255.0

    !-- Akamai
    63.235.28.0 255.255.254.0

    !-- Akamai
    63.110.246.0 255.255.255.0

    !-- Akamai
    63.150.131.0 255.255.255.0

    !-- Akamai
    63.151.118.0 255.255.254.0

    !-- Akamai
    63.233.112.0 255.255.255.0

    !-- Akamai
    63.233.126.0 255.255.255.0

    !-- Akamai
    64.25.220.160 255.255.255.240

    !-- Akamai
    64.224.201.112 255.255.255.240

    !-- Akamai
    64.224.201.128 255.255.255.240

    !-- Akamai
    64.240.98.32 255.255.255.224

    !-- Akamai
    65.120.60.0 255.255.255.0

    !-- Akamai
    65.121.208.0 255.255.254.0

    !-- Akamai
    65.126.84.0 255.255.255.0

    !-- Akamai
    65.97.197.0 255.255.255.0

    !-- Akamai
    66.22.148.0 255.255.254.0

    !-- Akamai
    66.119.205.0 255.255.255.240

    !-- Akamai
    66.152.103.64 255.255.255.192

    !-- Akamai
    69.22.137.0 255.255.255.0

    !-- Akamai
    69.22.148.0 255.255.254.0

    !-- Akamai
    69.22.150.0 255.255.254.0

    !-- Akamai
    69.22.162.0 255.255.254.0

    !-- Akamai
    69.22.164.0 255.255.255.0

    !-- Akamai
    69.22.165.0 255.255.255.128

    !-- Akamai
    69.22.166.128 255.255.255.192

    !-- Akamai
    69.22.166.192 255.255.255.192

    !-- Akamai
    69.31.132.0 255.255.254.0

    !-- Akamai
    69.31.76.0 255.255.254.0

    !-- Akamai
    69.192.0.0 255.255.0.0

    !-- Akamai
    72.29.227.160 255.255.255.192

    !-- Akamai
    72.164.7.0 255.255.255.128

    !-- Akamai
    72.246.0.0 255.128.0.0

    !-- Akamai
    96.6.0.0 255.128.0.0

    !-- Akamai
    96.16.0.0 255.128.0.0

    !-- Akamai
    128.11.1.116 255.255.255.224
    128.11.1.128 255.255.255.240
    128.11.1.144 255.255.255.252
    128.11.1.148 255.255.255.255

    !-- Akamai
    128.11.10.235 255.255.255.240
    128.11.10.240 255.255.255.248
    128.11.10.248 255.255.255.254
    128.11.10.250 255.255.255.255

    !-- Akamai
    128.11.104.16 255.255.255.240

    !-- Akamai
    128.11.28.16 255.255.255.240

    !-- Akamai
    128.11.58.32 255.255.255.240

    !-- Akamai
    173.222.0.0 255.128.0.0

    !-- Akamai
    184.24.0.0 255.240.0.0

    !-- Akamai
    184.50.0.0 255.128.0.0

    !-- Akamai
    184.24.0.0 255.240.0.0

    !-- Akamai
    184.84.0.0 255.248.0.0

    !-- Akamai
    198.31.3.64 255.255.255.192

    !-- Akamai
    198.77.126.64 255.255.255.248

    !-- Akamai
    199.93.170.16 255.255.255.240

    !-- Akamai
    204.8.48.0 255.255.252.0

    !-- Akamai
    204.10.28.0 255.255.252.0

    !-- Akamai
    204.12.151.0 255.255.255.0

    !-- Akamai
    204.12.155.0 255.255.255.128

    !-- Akamai
    204.12.156.0 255.255.128.0

    !-- Akamai
    204.132.142.0 255.255.128.0

    !-- Akamai
    204.178.110.32 255.255.255.224

    !-- Akamai
    204.178.110.64 255.255.255.224

    !-- Akamai
    207.195.205.16 255.255.255.240

    !-- Akamai
    209.98.82.64 255.255.255.224

    !-- Akamai
    209.170.115.0 255.255.255.0

    !-- Akamai
    209.170.116.0 255.255.255.0

    !-- Akamai
    209.170.117.0 255.255.255.0

    !-- Akamai
    209.170.118.0 255.255.255.0

    !-- Akamai
    209.170.94.0 255.255.255.0

    !-- Akamai
    209.208.33.224 255.255.255.224

    !-- Akamai
    209.221.135.128 255.255.255.224

    !-- Akamai
    216.88.155.208 255.255.255.240

    !-- Akamai
    216.127.199.224 255.255.255.240

    !-- Akamai
    216.207.37.0 255.255.255.128

    !-- Akamai
    216.243.20.0 255.255.255.192

    !-- Akamai
    216.246.122.0 255.255.255.0
   
exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define Comcast IPs within ARIN
!--    comcast_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network comcast_ip

object-group network comcast_ip

    !-- Comcast
    24.0.0.0 255.255.0.0

    !-- Comcast
    24.16.0.0 255.252.0.0

    !-- Comcast Cable
    67.160.0.0 255.224.0.0

    !-- Comcast Cable
    69.241.0.0 255.255.192.0

    !-- Comcast Cable
    71.204.0.0 255.255.128.0

    !-- Comcast Cable
    75.64.0.0 255.248.0.0
    75.72.0.0 255.252.0.0
    75.76.0.0 255.255.0.0

    !-- Comcast Business Communications
    75.149.228.0 255.255.252.0

    !-- Comcast Cable
    !-- 76.102.0.0 76.103.255.255
    76.102.0.0 255.254.0.0

    !-- Comcast Cable
    98.192.0.0 255.192.0.0

    !-- Comcast Cable
    98.219.64.0 255.255.224.0

    !-- Comcast Florida
    173.9.131.232 255.255.255.240

    !-- Comcast Florida
    173.12.144.0 255.255.248.0

    !-- CIMEast Comcast Interactive Media
    207.223.0.0 255.255.240.0
   
exit

!-----------------------------------------------------------------------------------
!-----------------------------------------------------------------------------------
!-----------------------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define restricted Edgecast IPs
!--  edgecast_ip
!-- 
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network edgecast_ip

object-group network edgecast_ip

    !-- Edgecast
    !-- 8.5.250.0 8.5.250.255
    8.5.250.0 255.255.255.0
   
    !-- Edgecast
    !-- 8.8.64.0 8.8.64.255
    8.8.64.0 255.255.255.0
   
    !-- Edgecast
    !-- 8.15.15.0 8.15.15.255
    8.15.15.0 255.255.255.0
   
    !-- Edgecast
    !-- 12.202.248.0 12.202.248.255
    12.202.248.0 255.255.255.0
   
    !-- Edgecast
    !-- 42.22.64.0 42.22.79.255
    42.22.64.0 255.255.248.0
    42.22.72.0 255.255.248.0

    !-- Edgecast
    !-- 42.99.160.0 41.99.162.255
    42.99.160.0 255.255.255.0
    42.99.161.0 255.255.255.0
    42.99.162.0 255.255.255.0

    !-- Limelight Networks
    !-- 68.142.64.0 68.142.127.255
    68.142.64.0 255.255.192.0
   
    !-- Edgecast
    !-- 68.232.32.0 68.232.47.255
    68.232.32.0 255.255.240.0
   
    !-- Edgecast
    !-- 72.21.80.0 72.21.95.255
    72.21.80.0 255.255.240.0

    !-- Edgecast
    !-- 93.184.208.0 93.184.223.0
    93.184.208.0 255.255.240.0

    !-- Edgecast
    !-- 108.161.240.0 108.161.255.255
    108.161.240.0 255.255.240.0

    !-- Edgecast
    !-- 117.18.232.0 117.18.239.0
    117.18.232.0 255.255.248.0
   
    !-- Edgecast
    !-- 117.103.183.0 117.103.183.0
    117.103.183.0 255.255.255.0
   
    !-- Edgecast
    !-- 166.90.81.0 166.90.81.255
    166.90.81.0 255.255.255.0

    !-- Edgecast
    !-- 198.153.190.0 198.153.196.255
    198.153.190.0 255.255.254.0
    198.153.192.0 255.255.252.0
    198.153.196.0 255.255.255.0

    !-- Edgecast (Equinix IX Chicago)
    !-- 206.223.119.0 206.223.119.255
    206.223.119.0 255.255.255.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define Global Crossing -- Frontier IPs within ARIN
!--    gblx_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network gblx_ip

object-group network gblx_ip

    !-- Glbx Frontier
    50.32.0.0 255.240.0.0
    50.48.0.0 255.248.0.0

    !-- Glbx Frontier
    64.76.0.0 255.255.0.0

    !-- Glbx Frontier
    64.208.0.0 255.254.0.0
    64.209.0.0 255.255.128.0

    !-- Glbx Frontier
    64.210.0.0 255.255.128.0

    !-- Glbx Frontier
    64.211.0.0 255.255.128.0
    64.211.128.0 255.255.192.0
    64.211.192.0 255.255.224.0

    !-- Glbx Frontier
    64.212.0.0 255.248.0.0

    !-- Glbx Frontier
    67.16.0.0 255.254.0.0

    !-- Frontier Communications
    74.32.0.0 255.240.0.0

    !-- Glbx Frontier
    146.82.0.0 255.255.0.0

    !-- Glbx Frontier
    159.63.0.0 255.255.0.0

    !-- Glbx Frontier
    162.97.0.0 255.255.0.0

    !-- Glbx Frontier
    204.152.166.0 255.255.254.0

    !-- Glbx Frontier
    204.245.0.0 255.255.192.0

    !-- Glbx Frontier
    204.246.192.0 255.255.192.0

    !-- Glbx Frontier
    206.41.0.0 255.255.224.0

    !-- Glbx Frontier
    206.57.0.0 255.255.128.0

    !-- Glbx Frontier
    206.132.192.0 255.255.192.0

    !-- Glbx Frontier
    206.132.64.0 255.255.192.0

    !-- Glbx Frontier
    206.165.0.0 255.255.0.0

    !-- Glbx Frontier
    207.136.160.0 255.255.192.0

    !-- Glbx Frontier
    207.138.0.0 255.255.0.0

    !-- Glbx Frontier
    207.218.0.0 255.255.128.0
    207.218.128.0 255.255.192.0

    !-- Glbx Frontier
    208.48.0.0 255.255.192.0

    !-- Glbx Frontier
    208.48.128.0 255.255.192.0
    208.48.192.0 255.255.240.0

    !-- Glbx Frontier
    208.48.224.0 255.255.224.0
    208.49.0.0 255.255.0.0
    208.50.0.0 255.255.128.0

    !-- Glbx Frontier
    208.50.192.0 255.255.192.0
    208.51.0.0 255.255.0.0

    !-- Glbx Frontier
    208.178.0.0 255.255.0.0

    !-- Glbx Frontier
    209.130.128.0 255.255.192.0
    209.139.192.0 255.255.224.0
   
exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define Level 3 IPs within ARIN
!--    level3_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network level3_ip

object-group network level3_ip

    !-- Level 3 Communications, Inc.
    004.0.0.0 255.0.0.0

    !-- Level 3 Joyent
    8.12.32.0 255.255.254.0

    !-- Level 3 Joyent
    8.12.34.0 255.255.254.0

    !-- Level 3 Joyent
    8.12.36.0 255.255.254.0

    !-- Level 3 Joyent
    8.12.40.0 255.255.252.0

    !-- Level 3 Joyent
    8.17.80.0 255.255.252.0

    !-- Level 3 Joyent
    8.17.84.0 255.255.252.0

    !-- Level 3 Joyent
    8.17.168.0 255.255.252.0

    !-- Level 3 Joyent
    64.30.128.0 255.255.240.0

    !-- Level 3 Joyent
    72.2.112.0 255.255.240.0

    !-- Level 3 Joyent
    199.192.240.0 255.255.252.0
   
exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define RoadRunner IPs within ARIN
!--    roadrunner_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network roadrunner_ip

object-group network roadrunner_ip

     24.28.0.0 255.254.0.0
     24.24.0.0 255.252.0.0
     24.30.128.0 255.255.192.0
     24.30.192.0 255.255.224.0
     24.31.64.0 255.255.192.0
     24.31.128.0 255.255.128.0
     24.31.32.0 255.255.224.0
     24.33.0.0 255.255.0.0
     24.39.0.0 255.255.0.0
     24.56.64.0 255.255.224.0
     24.58.0.0 255.254.0.0
     24.73.0.0 255.255.0.0
     24.88.0.0 255.255.0.0
     24.90.0.0 255.255.0.0
     24.92.0.0 255.255.128.0
     24.92.128.0 255.255.240.0
     24.94.0.0 255.254.0.0
     24.93.0.0 255.255.0.0
     24.92.192.0 255.255.192.0
     24.92.160.0 255.255.224.0
     24.97.0.0 255.255.0.0
     24.103.0.0 255.255.0.0
     24.105.128.0 255.255.192.0
     24.106.64.0 255.255.192.0
     24.106.128.0 255.255.128.0
     24.123.128.0 255.255.128.0
     24.129.128.0 255.255.192.0
     24.136.96.0 255.255.224.0

    !-- Facebook
     24.143.192.0 255.255.224.0

     24.170.0.0 255.255.128.0
     24.168.0.0 255.254.0.0
     24.160.0.0 255.248.0.0
     24.171.160.0 255.255.224.0
     24.172.0.0 255.255.0.0
     24.193.0.0 255.255.0.0
     24.194.0.0 255.254.0.0
     24.198.0.0 255.255.0.0
     24.199.128.0 255.255.128.0
     24.206.0.0 255.255.254.0
     24.208.0.0 255.252.0.0
     24.213.128.0 255.255.128.0
     24.227.32.0 255.255.224.0
     24.227.128.0 255.255.128.0
     24.227.64.0 255.255.192.0
     24.242.0.0 255.254.0.0
     50.74.0.0 255.254.0.0
     50.84.0.0 255.255.0.0
     50.128.0.0 255.255.240.0
     64.64.6.222 255.255.255.255
     64.64.6.220 255.255.255.254
     64.64.6.219 255.255.255.255
     64.183.176.0 255.255.240.0
     65.24.0.0 255.252.0.0
    65.32.0.0 255.254.0.0
    65.34.0.0 255.255.240.0
     65.184.0.0 255.248.0.0
     66.8.128.0 255.255.128.0
     66.24.0.0 255.255.0.0
     66.56.0.0 255.255.224.0
     66.56.128.0 255.255.128.0
     66.56.96.0 255.255.224.0
     66.57.0.0 255.255.0.0
     66.68.0.0 255.254.0.0
     66.74.0.0 255.254.0.0
     66.91.0.0 255.255.0.0
     66.108.0.0 255.255.0.0
     66.109.0.0 255.255.240.0
     67.8.0.0 255.252.0.0
     67.48.0.0 255.254.0.0
     67.78.0.0 255.254.0.0
     67.240.0.0 255.240.0.0
     68.168.64.0 255.255.240.0
     68.172.0.0 255.252.0.0
     68.200.0.0 255.248.0.0
     69.23.0.0 255.255.0.0
     69.76.0.0 255.255.0.0
     69.75.0.0 255.255.0.0
     69.132.0.0 255.252.0.0
     69.193.0.0 255.255.0.0
     69.200.0.0 255.248.0.0
     70.60.0.0 255.252.0.0
     70.92.0.0 255.252.0.0
     70.112.0.0 255.240.0.0
     71.40.0.0 255.252.0.0
     71.64.0.0 255.240.0.0
     72.43.0.0 255.255.0.0
     72.45.128.0 255.255.128.0
     72.128.0.0 255.248.0.0
     72.176.0.0 255.240.0.0
     72.224.0.0 255.248.0.0
     74.64.0.0 255.240.0.0
     74.218.0.0 255.254.0.0
     75.80.0.0 255.248.0.0
     75.176.0.0 255.240.0.0
     76.80.0.0 255.240.0.0
     76.166.0.0 255.254.0.0
     96.10.0.0 255.254.0.0
     97.76.0.0 255.252.0.0
     97.96.0.0 255.254.0.0
     97.106.0.0 255.248.0.0
     98.0.0.0 255.255.0.0
     98.24.0.0 255.240.0.0
     98.100.0.0 255.248.0.0
     98.120.0.0 255.252.0.0
     98.156.0.0 255.252.0.0
     98.152.0.0 255.254.0.0
     98.144.0.0 255.252.0.0
     107.8.0.0 255.248.0.0
     173.88.0.0 255.248.0.0
     173.168.0.0 255.248.0.0
     174.96.0.0 255.248.0.0
     184.56.0.0 255.240.0.0
     184.54.0.0 255.252.0.0
     184.74.0.0 255.254.0.0
     184.75.0.0 255.255.0.0
     184.92.0.0 255.255.128.0
     184.88.0.0 255.254.0.0
     184.152.0.0 255.252.0.0
     204.210.0.0 255.254.0.0
     208.105.0.0 255.255.0.0
     208.125.0.0 255.255.0.0

    !-- LinkedIn and Adobe PDF
    !-- 209.18.32.0 209.18.47.255
     209.18.32.0 255.255.240.0

   
exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define miscellaneous restricted IPs
!-- 
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network misc_restricted_ip

object-group network misc_restricted_ip

    !-- Amazon.com -- not the main IP
    !-- 205.251.192.0 205.251.255.255
    205.251.192.0 255.255.255.0

    !-- Mountain Cablevision
    !-- 24.215.48.0
    24.215.48.0 255.255.248.0

    !-- Shaw Communications
    !-- 24.76.0.0 24.79.255.255
    24.76.0.0 255.252.0.0

    !-- Softlayer
    !-- 52.22.0.0 50.23.255.255
    50.22.0.0 255.254.0.0

    !-- XO Communications
    !-- 64.244.0.0 64.245.255.255
    64.244.0.0 255.254.0.0

    !-- Shaw Communications
    !-- 68.144.0.0 - 68.151.255.255
    64.144.0.0 255.248.0.0

    !-- SBC ATT
    !-- 69.223.176.0 69.223.191.255
    69.223.176.0 255.255.248.0

    !-- SliceHost 184.106.177.138 03032012 09:26:47
    !-- 184.106.176.0 184.106.191.255
    184.106.176.0 255.255.240.0

    !-- Sympatico
    !-- 69.156.92.0 - 69.156.95.255
    69.156.92.0 255.255.252.0

    !-- QWest Communications
    !-- 71.208.0.0 71.223.255.255
    71.208.0.0 255.240.0.0

    !-- Rackspace Hosting
    !-- 72.3.128.0 72.3.255.255
    72.3.128.0 255.255.128.0

    !-- Clearwire Communications
    !-- 74.60.0.0 74.61.255.255
    74.60.0.0 255.254.0.0

    !-- Charter Communications
    !-- 75.132.0.0 75.132.255.255
    75.132.0.0 255.255.0.0

    !-- Charter Communications
    !-- 75.132.0.0 75.132.255.255
    75.132.0.0 255.255.0.0

    !-- Verizon
    !-- 74.96.0.0 74.111.255.255
    74.96.0.0 255.240.0.0

    !-- QWest
    !-- 75.160.0.0 75.175.255.255
    75.160.0.0 255.240.0.0

    !-- Charter Communications
    !-- 97.80.0.0 97.95.255.255
    97.80.0.0 255.240.0.0

    !-- Cox Communications
    !-- 98.183.0.0 98.183.63.255
    98.183.0.0 255.255.192.0

    !-- Oregon State System
    !--  of Higher Education
    !-- 140.211.0.0 140.211.255.255
    140.211.0.0 255.255.0.0

    !-- Secured Servers
    !-- 184.95.32.0 184.95.63.255
    184.95.32.0 255.255.224.0

    !-- XO Communications
    !-- 216.156.0.0 216.156.255.255
    216.156.0.0 255.255.0.0

    !-- Bell Canada
    !-- 174.89.68.0 174.89.71.255
    174.89.68.0 255.255.252.0

    !-- Plastics Inc Formed
    173.220.11.184  255.255.248.0

    !-- Rackspace Hosting
    !-- 204.232.128.0 204.232.255.255
     204.232.128.0 255.255.192.0
     204.232.192.0 255.255.224.0
     204.232.224.0 255.255.240.0
     204.232.240.0 255.255.254.0
     204.232.242.0 255.255.255.128
     204.232.242.128 255.255.255.192
     204.232.242.192 255.255.255.224
     204.232.242.224 255.255.255.240
     204.232.242.240 255.255.255.248
     204.232.242.248 255.255.255.254
     204.232.242.250 255.255.255.255

     !-- Onelook.com
     !-- 204.232.242.251

     204.232.242.252 255.255.255.252
     204.232.243.0 255.255.255.0
     204.232.244.0 255.255.252.0
     204.232.248.0 255.255.248.0
    

    !-- State of South Carolina
    !-- 207.232.128.0 207.232.255.255
    207.232.128.0 255.255.128.0

    !-- Software Development Corporation
    !-- 204.238.82.0 204.238.82.255
    207.232.128.0 255.255.255.0

    !-- Quantcast
    !-- 64.94.107.0 64.94.107.255
    64.94.107.0 255.255.255.0

    !-- Webair
    !-- 174.137.128.0 174.137.191.255
    174.137.128.0 255.255.192.0

 

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define principally ARIN IPs
!--
!--  Note: Update needed
!--  Some of these IP's have been transferred to RIPE
!--     APNIC AfriNIC and LacNIC
!--
!--    arin_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network arin_ip

object-group network arin_ip

    !-- General Electric Company
    003.0.0.0 255.0.0.0

    !-- Level 3 Communications, Inc.
    !-- 004.0.0.0 255.0.0.0
    !-- DO NOT ENABLE
    !-- See object-group network level3_ip

    !-- Army Information Systems Center
    006.0.0.0 255.0.0.0

    !-- Administered by ARIN
    007.0.0.0 255.0.0.0

    !-- Level 3 Communications, Inc.
    008.0.0.0 255.0.0.0

    !-- IBM
    009.0.0.0 255.0.0.0

    !-- AT&T Bell Laboratories
    012.0.0.0 255.0.0.0

    !-- Xerox Corporation
    013.0.0.0 255.0.0.0

    !-- Hewlett-Packard Company
    015.0.0.0 255.0.0.0

    !-- Digital Equipment Corporation
    016.0.0.0 255.0.0.0

    !-- Apple Computer Inc.
    017.0.0.0 255.0.0.0

    !-- MIT
    018.0.0.0 255.0.0.0

    !-- Ford Motor Company
    019.0.0.0 255.0.0.0

    !-- Computer Sciences Corporation
    020.0.0.0 255.0.0.0

    !-- DDN-RVN
    021.0.0.0 255.0.0.0

    !-- Defense Information Systems Agency
    022.0.0.0 255.0.0.0

    !-- ARIN
    023.0.0.0 255.0.0.0

    !-- ARIN
    024.0.0.0 255.0.0.0

    !-- Defense Information Systems Agency
    026.0.0.0 255.0.0.0

    !-- DSI-North
    028.0.0.0 255.0.0.0

    !-- Defense Information Systems Agency
    029.0.0.0 255.0.0.0

    !-- Defense Information Systems Agency
    030.0.0.0 255.0.0.0

    !-- AT&T Global Network Services
    032.0.0.0 255.0.0.0

    !-- DLA Systems Automation Center
    033.0.0.0 255.0.0.0

    !-- Halliburton Company
    034.0.0.0 255.0.0.0

    !-- MERIT Computer Network
    035.0.0.0 255.0.0.0

    !-- PSINet, Inc.
    038.0.0.0 255.0.0.0

    !-- Eli Lily & Company
    040.0.0.0 255.0.0.0

    !-- Amateur Radio Digital Communications
    044.0.0.0 255.0.0.0

    !-- Administered by ARIN
    045.0.0.0 255.0.0.0

    !-- Bell-Northern Research
    047.0.0.0 255.0.0.0

    !-- Prudential Securities Inc.
    048.0.0.0 255.0.0.0

    !-- ARIN
    050.0.0.0 255.0.0.0

    !-- E.I. duPont de Nemours and Co., Inc.
    052.0.0.0 255.0.0.0

    !-- Cap Debis CCS
    053.0.0.0 255.0.0.0

    !-- Merck and Co., Inc.
    054.0.0.0 255.0.0.0

    !-- US Postal Service
    056.0.0.0 255.0.0.0

    !-- SITA
    057.0.0.0 255.0.0.0

    !-- ARIN
    063.0.0.0 255.0.0.0

    !-- ARIN
    064.0.0.0 255.0.0.0

    !-- ARIN
    065.0.0.0 255.0.0.0

    !-- ARIN
    066.0.0.0 255.0.0.0

    !-- ARIN
    067.0.0.0 255.0.0.0

    !-- ARIN
    068.0.0.0 255.0.0.0

    !-- ARIN
    069.0.0.0 255.0.0.0

    !-- ARIN
    070.0.0.0 255.0.0.0

    !-- ARIN
    071.0.0.0 255.0.0.0

    !-- ARIN
    072.0.0.0 255.0.0.0

    !-- ARIN
    073.0.0.0 255.0.0.0

    !-- ARIN
    074.0.0.0 255.0.0.0

    !-- ARIN
    075.0.0.0 255.0.0.0

    !-- ARIN
    076.0.0.0 255.0.0.0

    !-- ARIN
    096.0.0.0 255.0.0.0

    !-- ARIN
    097.0.0.0 255.0.0.0

    !-- ARIN
    098.0.0.0 255.0.0.0

    !-- ARIN
    099.0.0.0 255.0.0.0

    !-- ARIN
    100.0.0.0 255.0.0.0

    !-- ARIN
    104.0.0.0 255.0.0.0

    !-- ARIN
    107.0.0.0 255.0.0.0

    !-- ARIN
    108.0.0.0 255.0.0.0

    !-- Administered by ARIN
    128.0.0.0 255.0.0.0

    !-- Administered by ARIN
    129.0.0.0 255.0.0.0

    !-- Administered by ARIN
    130.0.0.0 255.0.0.0

    !-- Administered by ARIN
    131.0.0.0 255.0.0.0

    !-- Administered by ARIN
    132.0.0.0 255.0.0.0

    !-- Administered by ARIN
    134.0.0.0 255.0.0.0

    !-- Administered by ARIN
    135.0.0.0 255.0.0.0

    !-- Administered by ARIN
    136.0.0.0 255.0.0.0

    !-- Administered by ARIN
    138.0.0.0 255.0.0.0

    !-- Administered by ARIN
    139.0.0.0 255.0.0.0

    !-- Administered by ARIN
    140.0.0.0 255.0.0.0

    !-- Administered by ARIN
    142.0.0.0 255.0.0.0

    !-- Administered by ARIN
    143.0.0.0 255.0.0.0

    !-- Administered by ARIN
    144.0.0.0 255.0.0.0

    !-- Administered by ARIN
    146.0.0.0 255.0.0.0

    !-- Administered by ARIN
    147.0.0.0 255.0.0.0

    !-- Administered by ARIN
    148.0.0.0 255.0.0.0

    !-- Administered by ARIN
    149.0.0.0 255.0.0.0

    !-- Administered by ARIN
    152.0.0.0 255.0.0.0

    !-- Administered by ARIN
    155.0.0.0 255.0.0.0

    !-- Administered by ARIN
    156.0.0.0 255.0.0.0

    !-- Administered by ARIN
    157.0.0.0 255.0.0.0

    !-- Administered by ARIN
    158.0.0.0 255.0.0.0

    !-- Administered by ARIN
    159.0.0.0 255.0.0.0

    !-- Administered by ARIN
    160.0.0.0 255.0.0.0

    !-- Administered by ARIN
    161.0.0.0 255.0.0.0

    !-- Administered by ARIN
    162.0.0.0 255.0.0.0

    !-- Administered by ARIN
    164.0.0.0 255.0.0.0

    !-- Administered by ARIN
    165.0.0.0 255.0.0.0

    !-- Administered by ARIN
    166.0.0.0 255.0.0.0

    !-- Administered by ARIN
    167.0.0.0 255.0.0.0

    !-- Administered by ARIN
    168.0.0.0 255.0.0.0

    !-- Administered by ARIN

     !-- 169.0.0.0 - 169.127.255.255
     169.0.0.0 255.128.0.0

     !-- 169.128.0.0 - 169.191.255.255
     169.128.0.0 255.192.0.0

     !-- 169.192.0.0 - 169.223.255.255
     169.192.0.0 255.224.0.0

     !-- 169.224.0.0 - 169.239.255.255
     169.224.0.0 255.240.0.0

     !-- 169.240.0.0 - 169.247.255.255
     169.240.0.0 255.248.0.0

     !-- 169.248.0.0 - 169.251.255.255
     169.248.0.0 255.252.0.0

     !-- 169.252.0.0 - 169.253.255.255
     169.252.0.0 255.254.0.0

    !-- Unrouteable IP range
     !-- 169.254.0.0 - 169.254.255.255
     !-- 169.254.0.0 255.255.0.0

      !-- 169.255.0.0 - 169.255.255.255
     169.255.0.0 255.255.0.0

    !-- Administered by ARIN
    170.0.0.0 255.0.0.0

    !-- Administered by ARIN

     !-- 172.0.0.0 - 172.15.255.255
     172.0.0.0 255.240.0.0

    !-- Unrouteable IP range
     !-- 172.16.0.0 - 172.31.255.255
     !-- 172.16.0.0 255.224.0.0

     !-- 172.32.0.0 - 172.39.255.255
     172.32.0.0 255.248.0.0

     !-- 172.40.0.0 - 172.47.255.255
     172.40.0.0 255.248.0.0

     !-- 172.48.0.0 - 172.63.255.255
     172.48.0.0 255.240.0.0

     !-- 172.64.0.0 - 172.127.255.255
     172.64.0.0 255.192.0.0

     !-- 172.128.0.0 - 172.255.255.255
     172.128.0.0 255.128.0.0

    !-- ARIN
    173.0.0.0 255.0.0.0

    !-- ARIN
    174.0.0.0 255.0.0.0

    !-- ARIN
    184.0.0.0 255.0.0.0

    !-- Administered by ARIN
 
     !-- 192.0.0.0 - 192.127.255.255
     192.0.0.0 255.128.0.0

     !-- 192.128.0.0 - 192 159.255.255
     192.128.0.0 255.224.0.0

     !-- 192.160.0.0 - 192.167.255.255
     192.159.0.0 255.248.0.0

    !-- Unrouteable IP range
     !-- 192.168.0.0 - 192.168.255.255
     !-- 192.168.0.0 255.255.0.0

     !-- 192.169.0.0 - 192.175.255.255
     192.169.0.0 255.248.0.0

     !-- 192.176.0.0 - 192.191.255.255
     192.176.0.0 255.240.0.0

     !-- 192.192.0.0 - 192.255.255.2555
     192.192.0.0 255.192.0.0

    !-- Administered by ARIN
    198.0.0.0 255.0.0.0

    !-- ARIN
    199.0.0.0 255.0.0.0

    !-- ARIN
    204.0.0.0 255.0.0.0

    !-- ARIN
    205.0.0.0 255.0.0.0

    !-- ARIN
    206.0.0.0 255.0.0.0

    !-- ARIN
    207.0.0.0 255.0.0.0

    !-- ARIN
    208.0.0.0 255.0.0.0

    !-- ARIN
    209.0.0.0 255.0.0.0

    !-- DOD
    214.0.0.0 255.0.0.0

    !-- DOD
    215.0.0.0 255.0.0.0

    !-- ARIN
    216.0.0.0 255.0.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define necessary AfriNIC IPs
!--    afrinic_ip object-group
!--
!--  Note: Update needed.
!--  Other IP ranges have been transferred to
!--     AfriNic from ARIN
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network afrinic_ip

object-group network afrinic_ip

    !-- Administered by AfriNIC
    154.0.0.0 255.0.0.0

    !-- Administered by AfriNIC
    !-- 196.0.0.0 255.0.0.0
     196.0.0.0 255.128.0.0
     196.128.0.0 255.192.0.0
     196.192.0.0 255.240.0.0
     196.208.0.0 255.248.0.0
     196.216.0.0 255.255.254.0
     196.216.2.0 255.255.255.255

     !-- AfriNIC.net
     !-- 196.216.2.1

     196.216.2.2 255.255.255.254
     196.216.2.4 255.255.255.252
     196.216.2.8 255.255.255.248
     196.216.2.16 255.255.255.240
     196.216.2.32 255.255.255.224
     196.216.2.64 255.255.255.192
     196.216.2.128 255.255.255.128
     196.216.3.0 255.255.128.0
     196.216.4.0 255.255.255.252
     196.216.8.0 255.255.255.248
     196.216.16.0 255.255.255.240
     196.216.32.0 255.255.255.224
     196.216.64.0 255.255.255.192
     196.216.128.0 255.255.255.128
     196.217.0.0 255.255.0.0
     196.218.0.0 255.254.0.0
     196.220.0.0 255.252.0.0
     196.224.0.0 255.224.0.0

 
    !-- AfriNIC
    041.0.0.0 255.0.0.0

    !-- AfriNIC
    102.0.0.0 255.0.0.0

    !-- AfriNIC
    105.0.0.0 255.0.0.0

    !-- Administered by ARIN
    !-- 137.0.0.0 255.0.0.0
     137.0.0.0 255.192.0.0
     137.63.0.0 255.248.0.0
     137.72.0.0 255.252.0.0
     137.76.0.0 255.254.0.0
 
     !--- space.jpl.nasa.gov
     !-- 137.78.0.0 255.254.0.0

     137.80.0.0 255.240.0.0
     137.96.0.0 255.224.0.0
     137.128.0.0 255.128.0.0

    !-- AfriNIC
    197.0.0.0 255.0.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define necessary LacNIC IPs
!--    lacnic_ip object-group
!--
!--  Note: Update needed.
!--  Other IP ranges have been transferred to
!--     LacNIC from ARIN
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network lacnic_ip

object-group network lacnic_ip

    !-- Administered by LACNIC
    191.0.0.0 255.0.0.0

    !-- LACNIC
    177.0.0.0 255.0.0.0

    !-- LACNIC
    179.0.0.0 255.0.0.0

    !-- LACNIC
    181.0.0.0 255.0.0.0

    !-- LACNIC
    186.0.0.0 255.0.0.0

    !-- LACNIC
    187.0.0.0 255.0.0.0

    !-- LACNIC
    189.0.0.0 255.0.0.0

    !-- LACNIC
    190.0.0.0 255.0.0.0

    !-- LACNIC
    !-- 200.0.0.0 255.0.0.0
     200.0.0.0 255.254.0.0
     200.2.0.0 255.255.0.0
     200.3.0.0 255.255.248.0
     200.3.8.0 255.255.252.0
     200.3.12.0 255.255.254.0
     200.3.14.0 255.255.255.248
     200.3.14.8 255.255.255.254

     !-- LacNIC.net
     !-- 200.3.14.10

     200.3.14.11 255.255.255.255
     200.3.14.12 255.255.255.252
     200.3.14.16 255.255.255.240
     200.3.14.32 255.255.255.224
     200.3.14.64 255.255.255.192
     200.3.14.128 255.255.255.128
     200.3.15.0 255.255.240.0
     200.3.16.0 255.255.240.0
     200.3.32.0 255.255.224.0
     200.3.64.0 255.255.192.0
     200.3.128.0 255.255.128.0
     200.4.0.0 255.252.0.0
     200.8.0.0 255.248.0.0
     200.16.0.0 255.240.0.0
     200.32.0.0 255.224.0.0
     200.64.0.0 255.192.0.0
     200.128.0.0 255.128.0.0

    !-- LACNIC
    201.0.0.0 255.0.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define APNIC IPs
!-- 
!--  Note: Update needed
!--  There is some IP usage crossover between the ARIN
!--     region and the APNIC region
!--
!--    apnic_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network apnic_ip

object-group network apnic_ip

    !-- Administered by APNIC
    043.0.0.0 255.0.0.0
   
    !-- Administered by APNIC
    133.0.0.0 255.0.0.0
   
    !-- Administered by APNIC
    150.0.0.0 255.0.0.0
   
    !-- Administered by APNIC
    153.0.0.0 255.0.0.0
   
    !-- Administered by APNIC
    163.0.0.0 255.0.0.0
   
    !-- Administered by APNIC
    !-- 171.0.0.0 171.255.255.255
    !-- 171.0.0.0 255.0.0.0

     171.0.0.0 255.128.0.0

     !-- Bank of America
     !-- 171.128.0.0 255.192.0.0
     !-- 171.192.0.0  255.248.0.0
     !-- 171.200.0.0 255.252.0.0
     !-- 171.204.0.0 255.254.0.0
     !-- 171.206.0.0 255.255.0.0

     171.207.0.0 255.255.0.0
     171.208.0.0 255.240.0.0
     171.224.0.0 255.224.0.0

    !-- APNIC
    001.0.0.0 255.0.0.0
   
    !-- APNIC
    014.0.0.0 255.0.0.0
   
    !-- APNIC
    027.0.0.0 255.0.0.0
   
    !-- APNIC
    036.0.0.0 255.0.0.0
   
    !-- APNIC
    039.0.0.0 255.0.0.0
   
    !-- APNIC
    042.0.0.0 255.0.0.0
   
    !-- APNIC
    049.0.0.0 255.0.0.0
   
    !-- APNIC
    058.0.0.0 255.0.0.0
   
    !-- APNIC
    059.0.0.0 255.0.0.0
   
    !-- APNIC
    060.0.0.0 255.0.0.0
   
    !-- APNIC
    061.0.0.0 255.0.0.0
   
    !-- APNIC
    101.0.0.0 255.0.0.0
   
    !-- APNIC
    103.0.0.0 255.0.0.0
   
    !-- APNIC
    106.0.0.0 255.0.0.0
   
    !-- APNIC
    110.0.0.0 255.0.0.0
   
    !-- APNIC
    111.0.0.0 255.0.0.0
   
    !-- APNIC
    112.0.0.0 255.0.0.0
   
    !-- APNIC
    113.0.0.0 255.0.0.0
   
    !-- APNIC
    114.0.0.0 255.0.0.0
   
    !-- APNIC
    115.0.0.0 255.0.0.0
   
    !-- APNIC
    116.0.0.0 255.0.0.0
   
    !-- APNIC
    117.0.0.0 255.0.0.0
   
    !-- APNIC
    118.0.0.0 255.0.0.0
   
    !-- APNIC
    119.0.0.0 255.0.0.0
   
    !-- APNIC
    120.0.0.0 255.0.0.0
   
    !-- APNIC
    121.0.0.0 255.0.0.0
   
    !-- APNIC
    122.0.0.0 255.0.0.0
   
    !-- APNIC
    123.0.0.0 255.0.0.0
   
    !-- APNIC
    124.0.0.0 255.0.0.0
   
    !-- APNIC
    125.0.0.0 255.0.0.0
   
    !-- APNIC
    126.0.0.0 255.0.0.0
   
    !-- APNIC
    175.0.0.0 255.0.0.0
   
    !-- APNIC
    !-- 180.0.0.0 255.0.0.0
     180.0.0.0 255.128.0.0
     180.128.0.0 255.192.0.0
     180.192.0.0 255.240.0.0
     180.208.0.0 255.248.0.0
     180.216.0.0 255.252.0.0
     180.220.0.0 255.254.0.0
     180.222.0.0 255.255.128.0
     180.222.128.0 255.255.224.0
     180.222.160.0 255.255.240.0
     180.222.176.0 255.255.255.0
     180.222.177.0 255.255.255.192
     180.222.177.64 255.255.255.224
     180.222.177.96 255.255.255.255

     !-- system.GlobalSign.com
     !-- 180.222.177.97

     180.222.177.98 255.255.255.254
     180.222.177.100 255.255.255.252
     180.222.177.104 255.255.255.248
     180.222.177.112 255.255.255.240
     180.222.177.128 255.255.255.128
     180.222.178.0 255.255.254.0
     180.222.180.0 255.255.252.0
     180.222.184.0 255.255.248.0
     180.222.192.0 255.255.192.0
     180.223.0.0 255.255.0.0
     180.224.0.0 255.224.0.0

    !-- APNIC
    182.0.0.0 255.0.0.0
   
    !-- APNIC
    183.0.0.0 255.0.0.0
   
    !-- APNIC

    !-- 202.0.0.0 202.255.255.255
    !-- 202.0.0.0 255.0.0.0

     202.0.0.0 255.248.0.0
     202.8.0.0 255.252.0.0
     202.12.0.0 255.255.240.0
     202.12.16.0 255.255.248.0
     202.12.24.0 255.255.252.0

     !-- APNIC.net
     !-- 202.12.28.0 255.255.254.0

     202.12.30.0 255.255.254.0
     202.12.32.0 255.255.224.0
     202.12.64.0 255.255.192.0
     202.12.128.0 255.255.128.0
     202.13.0.0 255.255.0.0
     202.14.0.0 255.254.0.0
     202.16.0.0 255.240.0.0
     202.32.0.0 255.224.0.0
     202.64.0.0 255.192.0.0
     202.128.0.0 255.128.0.0

 
  
    !-- APNIC
    203.0.0.0 255.0.0.0
   
    !-- APNIC
    210.0.0.0 255.0.0.0
   
    !-- APNIC
    !-- 211.0.0.0 255.0.0.0

     !-- alphassl.com
     !-- 211.0.0.0 255.248.0.0

     211.8.0.0 255.248.0.0
     211.16.0.0 255.240.0.0
     211.32.0.0 255.224.0.0
     211.64.0.0 255.192.0.0
     211.128.0.0 255.128.0.0
   
    !-- APNIC
    218.0.0.0 255.0.0.0
   
    !-- APNIC
    219.0.0.0 255.0.0.0
   
    !-- APNIC
    220.0.0.0 255.0.0.0
   
    !-- APNIC
    221.0.0.0 255.0.0.0
   
    !-- APNIC
    222.0.0.0 255.0.0.0
   
    !-- APNIC
    223.0.0.0 255.0.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define RIPE IPs
!-- 
!--  Note: Update needed
!--  There is some IP usage crossover between the ARIN
!--     region and the RIPE region
!--  There is also a program to lease RIPE IPs
!--     to organizations in the ARIN and other regions
!--
!--    ripe_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network ripe_ip

object-group network ripe_ip

    !-- UK Government Dept for Work and Pensions
    25.0.0.0 255.0.0.0

    !-- UK Ministry of Defence [sic]
    51.0.0.0 255.0.0.0

    !-- Administered by RIPE NCC
    141.0.0.0 255.0.0.0

    !-- Administered by RIPE NCC
    145.0.0.0 255.0.0.0

    !-- Administered by RIPE NCC
    151.0.0.0 255.0.0.0

    !-- Administered by RIPE NCC
    188.0.0.0 255.0.0.0

    !-- RIPE NCC
    002.0.0.0 255.0.0.0

    !-- RIPE NCC
    005.0.0.0 255.0.0.0

    !-- RIPE NCC
    031.0.0.0 255.0.0.0

    !-- RIPE NCC
    037.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- 046.0.0.0 255.0.0.0
     46.0.0.0 255.128.0.0
     46.128.0.0 255.192.0.0
     46.192.0.0 255.224.0.0
     46.224.0.0 255.240.0.0
     46.240.0.0 255.248.0.0
     46.248.0.0 255.252.0.0
     46.252.0.0 255.255.0.0
     46.253.0.0 255.254.0.0
     46.255.0.0 255.255.192.0
     46.255.64.0 255.255.224.0
     46.255.96.0 255.255.240.0
     46.255.112.0 255.255.248.0

     !-- Robtex.com
     !-- 46.255.120.0 255.255.255.0

     46.255.121.0 255.255.255.0
     46.255.122.0 255.255.254.0
     46.255.122.0 255.255.252.0
     46.255.122.0 255.255.128.0

    !-- RIPE NCC
    062.0.0.0 255.0.0.0

    !-- RIPE NCC
    077.0.0.0 255.0.0.0

    !-- RIPE NCC
    078.0.0.0 255.0.0.0

    !-- RIPE NCC
    079.0.0.0 255.0.0.0

    !-- RIPE NCC
    080.0.0.0 255.0.0.0

    !-- RIPE NCC
    081.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- 082.0.0.0 255.0.0.0

     82.0.0.0 255.128.0.0
     82.128.0.0 255.252.0.0
     82.132.0.0 255.254.0.0
     82.134.0.0 255.255.0.0
     82.135.0.0 255.255.248.0

     !-- OpenSPF.org
     !-- 82.135.8.0 255.255.254.0

     82.135.10.0 255.255.254.0
     82.135.12.0 255.255.252.0
     82.135.16.0 255.255.240.0
     82.135.32.0 255.255.224.0
     82.135.64.0 255.255.192.0
     82.135.128.0 255.255.128.0
     82.136.0.0 255.248.0.0
     82.144.0.0 255.240.0.0
     82.160.0.0 255.224.0.0
     82.192.0.0 255.192.0.0

    !-- RIPE NCC
    !-- 083.0.0.0 255.0.0.0

     083.0.0.0 255.128.0.0
     083.128.0.0 255.248.0.0
     083.136.0.0 255.252.0.0
     083.140.0.0 255.255.0.0

     !-- Aixit DD-WRT.com
     !-- 83.141.4.210
        !-- 083.141.0.0 255.255.192.0

     083.141.64.0 255.255.192.0
     083.141.128.0 255.255.128.0
     083.142.0.0 255.254.0.0
     083.144.0.0 255.240.0.0
     083.160.0.0 255.224.0.0
     083.192.0.0 255.192.0.0

    !-- RIPE NCC
    084.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- 085.0.0.0 255.0.0.0

     085.0.0.0 255.128.0.0
     085.128.0.0 255.192.0.0
     085.192.0.0 255.224.0.0
     085.224.0.0 255.240.0.0
     085.240.0.0 255.248.0.0
     085.248.0.0 255.252.0.0
     085.252.0.0 255.254.0.0
     085.254.0.0 255.255.0.0
     085.255.0.0 255.255.240.0

  !-- Element 5
  !-- 085.255.16.0 85.255.31.255
  
     085.255.32.0 255.255.224.0
     085.255.64.0 255.255.192.0
     085.255.127.0 255.255.128.0

    !-- RIPE NCC
    086.0.0.0 255.0.0.0

    !-- RIPE NCC
    087.0.0.0 255.0.0.0

    !-- RIPE NCC
    088.0.0.0 255.0.0.0

    !-- RIPE NCC
    089.0.0.0 255.0.0.0

    !-- RIPE NCC
    090.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- 091.0.0.0 255.0.0.0

     91.0.0.0 255.128.0.0
     91.128.0.0 255.192.0.0
     91.128.192.0 255.252.0.0
     91.196.0.0 255.254.0.0
     91.198.0.0 255.255.0.0
     91.199.0.0 255.255.128.0
     91.199.128.0 255.255.192.0
     91.199.192.0 255.255.240.0
     91.199.208.0 255.255.252.0

     !-- Comodo
     !-- 91.199.212.0 - 91.199.212.255
     !-- 91.199.212.0 255.255.255.0

     91.199.213.0 255.255.255.0
     91.199.214.0 255.255.254.0
     91.199.216.0 255.255.248.0
     91.199.224.0 255.255.224.0
     91.200.0.0 255.248.0.0
     91.208.0.0 255.240.0.0
     91.224.0.0 255.224.0.0

    !-- RIPE NCC
    092.0.0.0 255.0.0.0

    !-- RIPE NCC
    093.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- 094.0.0.0 255.0.0.0

     94.0.0.0 255.128.0.0
     94.128.0.0 255.192.0.0
     94.192.0.0 255.224.0.0
     94.224.0.0 255.240.0.0
     94.240.0.0 255.252.0.0
     94.244.0.0 255.255.0.0
     94.245.0.0 255.255.192.0

     !-- WPA.one.Microsoft.com
     !-- 94.245.126.107
     !-- 94.245.64.0 94.245.127.255
     !-- 94.245.64.0 255.255.192.0

     94.246.128.0 255.255.128.0
     94.247.0.0 255.255.0.0
     94.248.0.0 255.248.0.0

    !-- RIPE NCC
    095.0.0.0 255.0.0.0

    !-- RIPE NCC
    109.0.0.0 255.0.0.0

    !-- RIPE NCC
    176.0.0.0 255.0.0.0

    !-- RIPE NCC
    178.0.0.0 255.0.0.0

    !-- RIPE NCC
    185.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- RIPE.net
    !-- 193.0.0.0 255.0.0.0
 
     !-- RIPE.net
     !-- 193.0.0.0 193.0.7.255
     !-- 193.0.0.0 255.255.248.0

     193.0.8.0 255.255.248.0
     193.0.16.0 255.255.240.0
     193.0.32.0 255.255.224.0
     193.0.64.0 255.255.192.0
     193.0.128.0 255.255.128.0
     193.1.0.0 255.192.0.0
     193.64.0.0 255.224.0.0
     193.96.0.0 255.248.0.0
     193.104.0.0 255.255.128.0

     193.104.128.0 255.255.192.0
     193.104.192.0 255.255.240.0
     193.104.208.0 255.255.252.0
     193.104.212.0 255.255.254.0
     193.104.214.0 255.255.255.0

     !-- get.adobe.com
     !-- 193.104.215.0 255.255.255.0

     193.104.216.0 255.255.248.0
     193.104.224.0 255.255.224.0
     193.105.0.0 255.255.0.0
     193.106.0.0 255.254.0.0
     193.108.0.0 255.252.0.0
     193.112.0.0 255.240.0.0
     193.128.0.0 255.128.0.0

    !-- RIPE NCC
    !-- 194.0.0.0 255.0.0.0

     194.0.0.0 255.252.0.0
     194.4.0.0 255.255.0.0
     194.5.0.0 255.255.0.0
     194.6.0.0 255.255.0.0
     194.7.0.0 255.255.128.0
     194.7.127.0 255.255.240.0
     194.7.144.0 255.255.248.0
     194.7.152.0 255.255.254.0
     194.7.154.0 255.255.255.0
     194.7.155.0 255.255.255.192
     194.7.155.64 255.255.255.240

  !-- Cybertrust Globalsign
  !-- 194.7.155.80 255.255.255.240

     194.7.155.96 255.255.255.224
     194.7.155.128 255.255.255.128
     194.7.156.0 255.255.252.0
     194.7.160.0 255.255.224.0
     194.7.192.0 255.255.192.0
     194.8.0.0 255.248.0.0
     194.16.0.0 255.240.0.0
     194.32.0.0 255.224.0.0
     194.64.0.0 255.192.0.0
     194.128.0.0 255.128.0.0

    !-- RIPE NCC
    !-- 195.0.0.0 255.0.0.0

     195.0.0.0 255.128.0.0
     195.127.0.0 255.224.0.0
     195.160.0.0 255.248.0.0
     195.168.0.0 255.255.0.0
     195.169.0.0 255.255.128.0
     195.169.128.0 255.255.240.0 

     !-- RIPE.net
     !-- 195.169.144.0 195.169.144.255
     !-- 195.169.144.0 255.255.255.0

     195.169.145.0 255.255.255.0
     195.169.146.0 255.255.254.0
     195.169.148.0 255.255.252.0
     195.169.152.0 255.255.248.0
     195.169.160.0 255.255.224.0
     195.169.192.0 255.255.192.0
     195.170.0.0 255.254.0.0
     195.172.0.0 255.252.0.0
     195.176.0.0 255.240.0.0
     195.192.0.0 255.192.0.0

    !-- RIPE NCC
    212.0.0.0 255.0.0.0

    !-- RIPE NCC
    !-- netmedia1.com
    !-- 213.0.0.0 255.0.0.0

     213.0.0.0 255.224.0.0
     213.32.0.0 255.252.0.0
     213.36.0.0 255.254.0.0
     213.38.0.0 255.255.0.0
     213.39.0.0 255.255.192.0
     213.39.64.0 255.255.248.0
     213.39.72.0 255.255.254.0
     213.39.74.0 255.255.255.128
     213.39.74.128 255.255.255.192
     213.39.74.192 255.255.255.248
     213.39.74.200 255.255.255.255

     !-- netmedia1.com
     !-- 213.39.74.201

     213.39.74.202 255.255.255.254
     213.39.74.204 255.255.255.252
     213.39.74.208 255.255.255.240
     213.39.74.224 255.255.255.224
     213.39.75.0 255.255.255.0
     213.39.76.0 255.255.252.0
     213.39.80.0 255.255.240.0
     213.39.96.0 255.255.224.0
     213.39.128.0 255.255.128.0
     213.40.0.0 255.255.248.0
     213.48.0.0 255.255.240.0
     213.64.0.0 255.255.192.0
     213.128.0.0 255.255.128.0

 

    !-- RIPE NCC
    !-- 217.0.0.0 255.0.0.0

     217.0.0.0 255.192.0.0
     217.64.0.0 255.224.0.0
     217.96.0.0 255.248.0.0
     217.104.0.0 255.252.0.0
     217.108.0.0 255.255.128.0
     217.108.128.0 255.255.224.0
     217.108.160.0 255.255.252.0
     217.108.164.0 255.255.255.0

     !-- Globalsign.com
     !-- 217.108.165.0 255.255.255.0

     217.108.166.0 255.255.254.0
     217.108.168.0 255.255.248.0
     217.108.176.0 255.255.240.0
     217.108.192.0 255.255.192.0
     217.109.0.0 255.255.0.0
     217.110.0.0 255.254.0.0
     217.112.0.0 255.240.0.0
     217.112.0.0 255.240.0.0
     217.128.0.0 255.128.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define other IPv4 IPs
!--    iana_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network iana_ip

object-group network iana_ip
 
    !-- Multicast
    0.0.0.0 255.0.0.0
    !-- Multicast
    224.0.0.0 255.0.0.0
    !-- Multicast
    225.0.0.0 255.0.0.0
    !-- Multicast
    226.0.0.0 255.0.0.0
    !-- Multicast
    227.0.0.0 255.0.0.0
    !-- Multicast
    228.0.0.0 255.0.0.0
    !-- Multicast
    229.0.0.0 255.0.0.0
    !-- Multicast
    230.0.0.0 255.0.0.0
    !-- Multicast
    231.0.0.0 255.0.0.0
    !-- Multicast
    232.0.0.0 255.0.0.0
    !-- Multicast
    233.0.0.0 255.0.0.0
    !-- Multicast
    234.0.0.0 255.0.0.0
    !-- Multicast
    235.0.0.0 255.0.0.0
    !-- Multicast
    236.0.0.0 255.0.0.0
    !-- Multicast
    237.0.0.0 255.0.0.0
    !-- Multicast
    238.0.0.0 255.0.0.0
    !-- Multicast
    239.0.0.0 255.0.0.0

    !-- Future use
    240.0.0.0 255.0.0.0
    !-- Future use
    241.0.0.0 255.0.0.0
    !-- Future use
    242.0.0.0 255.0.0.0
    !-- Future use
    243.0.0.0 255.0.0.0
    !-- Future use
    244.0.0.0 255.0.0.0
    !-- Future use
    245.0.0.0 255.0.0.0
    !-- Future use
    246.0.0.0 255.0.0.0
    !-- Future use
    247.0.0.0 255.0.0.0
    !-- Future use
    248.0.0.0 255.0.0.0
    !-- Future use
    249.0.0.0 255.0.0.0
    !-- Future use
    250.0.0.0 255.0.0.0
    !-- Future use
    251.0.0.0 255.0.0.0
    !-- Future use
    252.0.0.0 255.0.0.0
    !-- Future use
    253.0.0.0 255.0.0.0
    !-- Future use
    254.0.0.0 255.0.0.0
    !-- Future use
    255.0.0.0 255.0.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define so-called unrouteable IPs and IANA IPs
!--    unrouteable_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network unrouteable_ip

object-group network unrouteable_ip
 
    !-- Class B
    192.168.0.0 255.255.0.0

    !-- APIPA
    !-- Vulnerability in permitting
    !-- 169.254.0.0 255.255.0.0

    !-- Class C
    172.31.0.0 255.224.0.0

    !-- Loopback (IANA)
    127.0.0.0 255.0.0.0

    !-- Class A (IANA)
    10.0.0.0 255.0.0.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define exceptional risk IPs to restrict in and out
!--  restricted_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!

no object-group network restricted_ip

object-group network restricted_ip

 group-object comcast_ip
 group-object edgecast_ip
 group-object gblx_ip
 group-object level3_ip
 group-object roadrunner_ip
 group-object afrinic_ip
 group-object apnic_ip
 group-object lacnic_ip
 group-object ripe_ip
 group-object iana_ip
 group-object misc_restricted_ip

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define outside-to-inbound originating restrictions only
!--     i.e. might be allowed originating outbound out but not
!--     from the outside originating inbound
!-- 
!--     in_restricted_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network in_restricted_ip

object-group network in_restricted_ip

 !-- group-object unrouteable_ip
 group-object arin_ip

 !-- APNIC.net
 !-- 202.12.28.0 - 202.12.29.255
 202.12.28.0 255.255.254.0

 !-- AfriNIC.net
 196.216.2.1 255.255.255.255

 !-- LacNIC.net
 200.3.14.10 255.255.255.255

 !-- RIPE.net
 !-- 193.0.0.0 193.0.7.255
 193.0.0.0 255.255.248.0

 !-- RIPE.net
 !-- 195.169.144.0 195.169.144.255
 195.169.144.0 255.255.255.0

 !-- get.adobe.com
 193.104.215.66 255.255.255.255

 !-- alphassl.com
 211.0.0.0 255.248.0.0

 !-- Bank of America
 171.128.0.0 255.192.0.0
 171.192.0.0  255.248.0.0
 171.200.0.0 255.252.0.0
 171.204.0.0 255.254.0.0
 171.206.0.0 255.255.0.0

 !-- Comodo
 !-- 91.199.212.0 - 91.199.212.255
 91.199.212.0 255.255.255.0

 !-- DD-WRT.com
 83.141.4.210 255.255.255.255

 !-- Element 5
 !-- 085.255.16.0 85.255.31.255
 085.255.16.0 255.255.240.0

 !-- GlobalSign
 180.222.177.97 255.255.255.255

 !-- Globalsign.com
 217.108.165.0 255.255.255.0
 
 !-- WPA.one.Microsoft.com
 !-- 94.245.126.107
 !-- 94.245.64.0 94.245.127.255
 94.245.64.0 255.255.192.0

 !--- space.jpl.nasa.gov
 137.78.0.0 255.254.0.0

 !-- OpenSSL
 !-- 194.97.152.128 194.97.152.191
 194.97.152.128 255.255.255.192

 !-- netmedia1.com
 213.39.74.201 255.255.255.255

 !-- OneLook.com
 204.232.242.251 255.255.255.255

 !-- OpenSPF.org
 !-- Haiberg Net
 !-- 82.135.8.0 - 82.135.9.255
 82.135.8.0 255.255.254.0

 !-- Robtex.com
 46.255.120.0 255.255.255.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- Global IP blocking.
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!

!
!-- Delete existing class-maps and access-list and start over
!

no access-list 10

   !-- Comcast
   access-list 10 deny 24.0.0.0 255.255.0.0

   !-- Comcast
   access-list 10 deny 24.16.0.0 255.252.0.0

   !-- Comcast Cable
   access-list 10 deny 67.160.0.0 255.224.0.0

   !-- Comcast Cable
   access-list 10 deny 69.241.0.0 255.255.192.0

   !-- Comcast Cable
   access-list 10 deny 71.204.0.0 255.255.128.0

   !-- Comcast Cable
   access-list 10 deny 75.64.0.0 255.248.0.0
   access-list 10 deny 75.72.0.0 255.252.0.0
   access-list 10 deny 75.76.0.0 255.255.0.0

   !-- Comcast Business Communications
   access-list 10 deny 75.149.228.0 255.255.252.0

   !-- Comcast Cable
   !-- 76.102.0.0 76.103.255.255
   access-list 10 deny 76.102.0.0 255.254.0.0

   !-- Comcast Cable
   access-list 10 deny 98.192.0.0 255.192.0.0

   !-- Comcast Cable
   access-list 10 deny 98.219.64.0 255.255.224.0

   !-- Comcast Florida
   access-list 10 deny 173.9.131.232 255.255.255.240

   !-- Comcast Florida
   access-list 10 deny 173.12.144.0 255.255.248.0

   !-- CIMEast Comcast Interactive Media
   access-list 10 deny 207.223.0.0 255.255.240.0

!-- group-object edgecast_ip

   !-- Edgecast
   !-- 8.5.250.0 8.5.250.255
   access-list 10 deny 8.5.250.0 255.255.255.0
  
   !-- Edgecast
   !-- 8.8.64.0 8.8.64.255
   access-list 10 deny 8.8.64.0 255.255.255.0
  
   !-- Edgecast
   !-- 8.15.15.0 8.15.15.255
   access-list 10 deny 8.15.15.0 255.255.255.0
  
   !-- Edgecast
   !-- 12.202.248.0 12.202.248.255
   access-list 10 deny 12.202.248.0 255.255.255.0
  
   !-- Edgecast
   !-- 42.22.64.0 42.22.79.255
   access-list 10 deny 42.22.64.0 255.255.248.0
   access-list 10 deny 42.22.72.0 255.255.248.0

   !-- Edgecast
   !-- 42.99.160.0 41.99.162.255
   access-list 10 deny 42.99.160.0 255.255.255.0
   access-list 10 deny 42.99.161.0 255.255.255.0
   access-list 10 deny 42.99.162.0 255.255.255.0

   !-- Limelight Networks
   !-- 68.142.64.0 68.142.127.255
   access-list 10 deny 68.142.64.0 255.255.192.0
  
   !-- Edgecast
   !-- 68.232.32.0 68.232.47.255
   access-list 10 deny 68.232.32.0 255.255.240.0
  
   !-- Edgecast
   !-- 72.21.80.0 72.21.95.255
   access-list 10 deny 72.21.80.0 255.255.240.0

   !-- Edgecast
   !-- 93.184.208.0 93.184.223.0
   access-list 10 deny 93.184.208.0 255.255.240.0

   !-- Edgecast
   !-- 108.161.240.0 108.161.255.255
   access-list 10 deny 108.161.240.0 255.255.240.0

   !-- Edgecast
   !-- 117.18.232.0 117.18.239.0
   access-list 10 deny 117.18.232.0 255.255.248.0
  
   !-- Edgecast
   !-- 117.103.183.0 117.103.183.0
   access-list 10 deny 117.103.183.0 255.255.255.0
  
   !-- Edgecast
   !-- 166.90.81.0 166.90.81.255
   access-list 10 deny 166.90.81.0 255.255.255.0

   !-- Edgecast
   !-- 198.153.190.0 198.153.196.255
   access-list 10 deny 198.153.190.0 255.255.254.0
   access-list 10 deny 198.153.192.0 255.255.252.0
   access-list 10 deny 198.153.196.0 255.255.255.0

   !-- Edgecast (Equinix IX Chicago)
   !-- 206.223.119.0 206.223.119.255
   access-list 10 deny 206.223.119.0 255.255.255.0

!-- group-object gblx_ip

   !-- Glbx Frontier
   access-list 10 deny 50.32.0.0 255.240.0.0
   access-list 10 deny 50.48.0.0 255.248.0.0

   !-- Glbx Frontier
   access-list 10 deny 64.76.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 64.208.0.0 255.254.0.0
   access-list 10 deny 64.209.0.0 255.255.128.0

   !-- Glbx Frontier
   access-list 10 deny 64.210.0.0 255.255.128.0

   !-- Glbx Frontier
   access-list 10 deny 64.211.0.0 255.255.128.0
   access-list 10 deny 64.211.128.0 255.255.192.0
   access-list 10 deny 64.211.192.0 255.255.224.0

   !-- Glbx Frontier
   access-list 10 deny 64.212.0.0 255.248.0.0

   !-- Glbx Frontier
   access-list 10 deny 67.16.0.0 255.254.0.0

   !-- Frontier Communications
   access-list 10 deny 74.32.0.0 255.240.0.0

   !-- Glbx Frontier
   access-list 10 deny 146.82.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 159.63.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 162.97.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 204.152.166.0 255.255.254.0

   !-- Glbx Frontier
   access-list 10 deny 204.245.0.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 204.246.192.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 206.41.0.0 255.255.224.0

   !-- Glbx Frontier
   access-list 10 deny 206.57.0.0 255.255.128.0

   !-- Glbx Frontier
   access-list 10 deny 206.132.192.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 206.132.64.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 206.165.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 207.136.160.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 207.138.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 207.218.0.0 255.255.128.0
   access-list 10 deny 207.218.128.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 208.48.0.0 255.255.192.0

   !-- Glbx Frontier
   access-list 10 deny 208.48.128.0 255.255.192.0
   access-list 10 deny 208.48.192.0 255.255.240.0

   !-- Glbx Frontier
   access-list 10 deny 208.48.224.0 255.255.224.0
   access-list 10 deny 208.49.0.0 255.255.0.0
   access-list 10 deny 208.50.0.0 255.255.128.0

   !-- Glbx Frontier
   access-list 10 deny 208.50.192.0 255.255.192.0
   access-list 10 deny 208.51.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 208.178.0.0 255.255.0.0

   !-- Glbx Frontier
   access-list 10 deny 209.130.128.0 255.255.192.0
   access-list 10 deny 209.139.192.0 255.255.224.0

!-- group-object level3_ip

   !-- Level 3 Communications, Inc.
   access-list 10 deny 004.0.0.0 255.0.0.0

   !-- Level 3 Joyent
   access-list 10 deny 8.12.32.0 255.255.254.0

   !-- Level 3 Joyent
   access-list 10 deny 8.12.34.0 255.255.254.0

   !-- Level 3 Joyent
   access-list 10 deny 8.12.36.0 255.255.254.0

   !-- Level 3 Joyent
   access-list 10 deny 8.12.40.0 255.255.252.0

   !-- Level 3 Joyent
   access-list 10 deny 8.17.80.0 255.255.252.0

   !-- Level 3 Joyent
   access-list 10 deny 8.17.84.0 255.255.252.0

   !-- Level 3 Joyent
   access-list 10 deny 8.17.168.0 255.255.252.0

   !-- Level 3 Joyent
   access-list 10 deny 64.30.128.0 255.255.240.0

   !-- Level 3 Joyent
   access-list 10 deny 72.2.112.0 255.255.240.0

   !-- Level 3 Joyent
   access-list 10 deny 199.192.240.0 255.255.252.0

!-- group-object roadrunner_ip

    access-list 10 deny 24.28.0.0 255.254.0.0
    access-list 10 deny 24.24.0.0 255.252.0.0
    access-list 10 deny 24.30.128.0 255.255.192.0
    access-list 10 deny 24.30.192.0 255.255.224.0
    access-list 10 deny 24.31.64.0 255.255.192.0
    access-list 10 deny 24.31.128.0 255.255.128.0
    access-list 10 deny 24.31.32.0 255.255.224.0
    access-list 10 deny 24.33.0.0 255.255.0.0
    access-list 10 deny 24.39.0.0 255.255.0.0
    access-list 10 deny 24.56.64.0 255.255.224.0
    access-list 10 deny 24.58.0.0 255.254.0.0
    access-list 10 deny 24.73.0.0 255.255.0.0
    access-list 10 deny 24.88.0.0 255.255.0.0
    access-list 10 deny 24.90.0.0 255.255.0.0
    access-list 10 deny 24.92.0.0 255.255.128.0
    access-list 10 deny 24.92.128.0 255.255.240.0
    access-list 10 deny 24.94.0.0 255.254.0.0
    access-list 10 deny 24.93.0.0 255.255.0.0
    access-list 10 deny 24.92.192.0 255.255.192.0
    access-list 10 deny 24.92.160.0 255.255.224.0
    access-list 10 deny 24.97.0.0 255.255.0.0
    access-list 10 deny 24.103.0.0 255.255.0.0
    access-list 10 deny 24.105.128.0 255.255.192.0
    access-list 10 deny 24.106.64.0 255.255.192.0
    access-list 10 deny 24.106.128.0 255.255.128.0
    access-list 10 deny 24.123.128.0 255.255.128.0
    access-list 10 deny 24.129.128.0 255.255.192.0
    access-list 10 deny 24.136.96.0 255.255.224.0

   !-- Facebook
    access-list 10 deny 24.143.192.0 255.255.224.0

    access-list 10 deny 24.170.0.0 255.255.128.0
    access-list 10 deny 24.168.0.0 255.254.0.0
    access-list 10 deny 24.160.0.0 255.248.0.0
    access-list 10 deny 24.171.160.0 255.255.224.0
    access-list 10 deny 24.172.0.0 255.255.0.0
    access-list 10 deny 24.193.0.0 255.255.0.0
    access-list 10 deny 24.194.0.0 255.254.0.0
    access-list 10 deny 24.198.0.0 255.255.0.0
    access-list 10 deny 24.199.128.0 255.255.128.0
    access-list 10 deny 24.206.0.0 255.255.254.0
    access-list 10 deny 24.208.0.0 255.252.0.0
    access-list 10 deny 24.213.128.0 255.255.128.0
    access-list 10 deny 24.227.32.0 255.255.224.0
    access-list 10 deny 24.227.128.0 255.255.128.0
    access-list 10 deny 24.227.64.0 255.255.192.0
    access-list 10 deny 24.242.0.0 255.254.0.0
    access-list 10 deny 50.74.0.0 255.254.0.0
    access-list 10 deny 50.84.0.0 255.255.0.0
    access-list 10 deny 50.128.0.0 255.255.240.0
    access-list 10 deny 64.64.6.222 255.255.255.255
    access-list 10 deny 64.64.6.220 255.255.255.254
    access-list 10 deny 64.64.6.219 255.255.255.255
    access-list 10 deny 64.183.176.0 255.255.240.0
    access-list 10 deny 65.24.0.0 255.252.0.0
    access-list 10 deny 65.32.0.0 255.254.0.0
    access-list 10 deny 65.34.0.0 255.255.240.0
    access-list 10 deny 65.184.0.0 255.248.0.0
    access-list 10 deny 66.8.128.0 255.255.128.0
    access-list 10 deny 66.24.0.0 255.255.0.0
    access-list 10 deny 66.56.0.0 255.255.224.0
    access-list 10 deny 66.56.128.0 255.255.128.0
    access-list 10 deny 66.56.96.0 255.255.224.0
    access-list 10 deny 66.57.0.0 255.255.0.0
    access-list 10 deny 66.68.0.0 255.254.0.0
    access-list 10 deny 66.74.0.0 255.254.0.0
    access-list 10 deny 66.91.0.0 255.255.0.0
    access-list 10 deny 66.108.0.0 255.255.0.0
    access-list 10 deny 66.109.0.0 255.255.240.0
    access-list 10 deny 67.8.0.0 255.252.0.0
    access-list 10 deny 67.48.0.0 255.254.0.0
    access-list 10 deny 67.78.0.0 255.254.0.0
    access-list 10 deny 67.240.0.0 255.240.0.0
    access-list 10 deny 68.168.64.0 255.255.240.0
    access-list 10 deny 68.172.0.0 255.252.0.0
    access-list 10 deny 68.200.0.0 255.248.0.0
    access-list 10 deny 69.23.0.0 255.255.0.0
    access-list 10 deny 69.76.0.0 255.255.0.0
    access-list 10 deny 69.75.0.0 255.255.0.0
    access-list 10 deny 69.132.0.0 255.252.0.0
    access-list 10 deny 69.193.0.0 255.255.0.0
    access-list 10 deny 69.200.0.0 255.248.0.0
    access-list 10 deny 70.60.0.0 255.252.0.0
    access-list 10 deny 70.92.0.0 255.252.0.0
    access-list 10 deny 70.112.0.0 255.240.0.0
    access-list 10 deny 71.40.0.0 255.252.0.0
    access-list 10 deny 71.64.0.0 255.240.0.0
    access-list 10 deny 72.43.0.0 255.255.0.0
    access-list 10 deny 72.45.128.0 255.255.128.0
    access-list 10 deny 72.128.0.0 255.248.0.0
    access-list 10 deny 72.176.0.0 255.240.0.0
    access-list 10 deny 72.224.0.0 255.248.0.0
    access-list 10 deny 74.64.0.0 255.240.0.0
    access-list 10 deny 74.218.0.0 255.254.0.0
    access-list 10 deny 75.80.0.0 255.248.0.0
    access-list 10 deny 75.176.0.0 255.240.0.0
    access-list 10 deny 76.80.0.0 255.240.0.0
    access-list 10 deny 76.166.0.0 255.254.0.0
    access-list 10 deny 96.10.0.0 255.254.0.0
    access-list 10 deny 97.76.0.0 255.252.0.0
    access-list 10 deny 97.96.0.0 255.254.0.0
    access-list 10 deny 97.106.0.0 255.248.0.0
    access-list 10 deny 98.0.0.0 255.255.0.0
    access-list 10 deny 98.24.0.0 255.240.0.0
    access-list 10 deny 98.100.0.0 255.248.0.0
    access-list 10 deny 98.120.0.0 255.252.0.0
    access-list 10 deny 98.156.0.0 255.252.0.0
    access-list 10 deny 98.152.0.0 255.254.0.0
    access-list 10 deny 98.144.0.0 255.252.0.0
    access-list 10 deny 107.8.0.0 255.248.0.0
    access-list 10 deny 173.88.0.0 255.248.0.0
    access-list 10 deny 173.168.0.0 255.248.0.0
    access-list 10 deny 174.96.0.0 255.248.0.0
    access-list 10 deny 184.56.0.0 255.240.0.0
    access-list 10 deny 184.54.0.0 255.252.0.0
    access-list 10 deny 184.74.0.0 255.254.0.0
    access-list 10 deny 184.75.0.0 255.255.0.0
    access-list 10 deny 184.92.0.0 255.255.128.0
    access-list 10 deny 184.88.0.0 255.254.0.0
    access-list 10 deny 184.152.0.0 255.252.0.0
    access-list 10 deny 204.210.0.0 255.254.0.0
    access-list 10 deny 208.105.0.0 255.255.0.0
    access-list 10 deny 208.125.0.0 255.255.0.0

   !-- LinkedIn and Adobe PDF
   !-- 209.18.32.0 209.18.47.255
    access-list 10 deny 209.18.32.0 255.255.240.0

!-- group-object afrinic_ip

   !-- Administered by AfriNIC
   access-list 10 deny 154.0.0.0 255.0.0.0

   !-- Administered by AfriNIC
   !-- 196.0.0.0 255.0.0.0
    access-list 10 deny 196.0.0.0 255.128.0.0
    access-list 10 deny 196.128.0.0 255.192.0.0
    access-list 10 deny 196.192.0.0 255.240.0.0
    access-list 10 deny 196.208.0.0 255.248.0.0
    access-list 10 deny 196.216.0.0 255.255.254.0
    access-list 10 deny 196.216.2.0 255.255.255.255

     !-- AfriNIC.net
     !-- 196.216.2.1

    access-list 10 deny 196.216.2.2 255.255.255.254
    access-list 10 deny 196.216.2.4 255.255.255.252
    access-list 10 deny 196.216.2.8 255.255.255.248
    access-list 10 deny 196.216.2.16 255.255.255.240
    access-list 10 deny 196.216.2.32 255.255.255.224
    access-list 10 deny 196.216.2.64 255.255.255.192
    access-list 10 deny 196.216.2.128 255.255.255.128
    access-list 10 deny 196.216.3.0 255.255.128.0
    access-list 10 deny 196.216.4.0 255.255.255.252
    access-list 10 deny 196.216.8.0 255.255.255.248
    access-list 10 deny 196.216.16.0 255.255.255.240
    access-list 10 deny 196.216.32.0 255.255.255.224
    access-list 10 deny 196.216.64.0 255.255.255.192
    access-list 10 deny 196.216.128.0 255.255.255.128
    access-list 10 deny 196.217.0.0 255.255.0.0
    access-list 10 deny 196.218.0.0 255.254.0.0
    access-list 10 deny 196.220.0.0 255.252.0.0
    access-list 10 deny 196.224.0.0 255.224.0.0
 
   !-- AfriNIC
   access-list 10 deny 041.0.0.0 255.0.0.0

   !-- AfriNIC
   access-list 10 deny 102.0.0.0 255.0.0.0

   !-- AfriNIC
   access-list 10 deny 105.0.0.0 255.0.0.0

   !-- Administered by ARIN
   !-- 137.0.0.0 255.0.0.0

    access-list 10 deny 137.0.0.0 255.192.0.0
    access-list 10 deny 137.63.0.0 255.248.0.0
    access-list 10 deny 137.72.0.0 255.252.0.0
    access-list 10 deny 137.76.0.0 255.254.0.0
 
    !--- space.jpl.nasa.gov
    !-- 137.78.0.0 255.254.0.0

    access-list 10 deny 137.80.0.0 255.128.0.0
    access-list 10 deny 137.80.0.0 255.240.0.0
    access-list 10 deny 137.96.0.0 255.224.0.0
    access-list 10 deny 137.128.0.0 255.128.0.0

   !-- AfriNIC
   access-list 10 deny 197.0.0.0 255.0.0.0

!-- group-object apnic_ip

   !-- Administered by APNIC
   access-list 10 deny 043.0.0.0 255.0.0.0
  
   !-- Administered by APNIC
   access-list 10 deny 133.0.0.0 255.0.0.0
  
   !-- Administered by APNIC
   access-list 10 deny 150.0.0.0 255.0.0.0
  
   !-- Administered by APNIC
   access-list 10 deny 153.0.0.0 255.0.0.0
  
   !-- Administered by APNIC
   access-list 10 deny 163.0.0.0 255.0.0.0
  
   !-- Administered by APNIC
   !-- 171.0.0.0 171.255.255.255
   !-- 171.0.0.0 255.0.0.0

    access-list 10 deny 171.0.0.0 255.128.0.0

     !-- Bank of America
     !-- 171.128.0.0 255.192.0.0
     !-- 171.192.0.0  255.248.0.0
     !-- 171.200.0.0 255.252.0.0
     !-- 171.204.0.0 255.254.0.0
     !-- 171.206.0.0 255.255.0.0

    access-list 10 deny 171.207.0.0 255.255.0.0
    access-list 10 deny 171.208.0.0 255.240.0.0
    access-list 10 deny 171.224.0.0 255.224.0.0

   !-- APNIC
   access-list 10 deny 001.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 014.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 027.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 036.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 039.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 042.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 049.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 058.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 059.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 060.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 061.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 101.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 103.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 106.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 110.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 111.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 112.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 113.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 114.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 115.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 116.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 117.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 118.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 119.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 120.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 121.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 122.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 123.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 124.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 125.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 126.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 175.0.0.0 255.0.0.0
  
   !-- APNIC
   !-- 180.0.0.0 255.0.0.0

    access-list 10 deny 180.0.0.0 255.128.0.0
    access-list 10 deny 180.128.0.0 255.192.0.0
    access-list 10 deny 180.192.0.0 255.240.0.0
    access-list 10 deny 180.208.0.0 255.248.0.0
    access-list 10 deny 180.216.0.0 255.252.0.0
    access-list 10 deny 180.220.0.0 255.254.0.0
    access-list 10 deny 180.222.0.0 255.255.128.0
    access-list 10 deny 180.222.128.0 255.255.224.0
    access-list 10 deny 180.222.160.0 255.255.240.0
    access-list 10 deny 180.222.176.0 255.255.255.0
    access-list 10 deny 180.222.177.0 255.255.255.192
    access-list 10 deny 180.222.177.64 255.255.255.224
    access-list 10 deny 180.222.177.96 255.255.255.255

     !-- system.GlobalSign.com
     !-- 180.222.177.97

    access-list 10 deny 180.222.177.98 255.255.255.254
    access-list 10 deny 180.222.177.100 255.255.255.252
    access-list 10 deny 180.222.177.104 255.255.255.248
    access-list 10 deny 180.222.177.112 255.255.255.240
    access-list 10 deny 180.222.177.128 255.255.255.128
    access-list 10 deny 180.222.178.0 255.255.254.0
    access-list 10 deny 180.222.180.0 255.255.252.0
    access-list 10 deny 180.222.184.0 255.255.248.0
    access-list 10 deny 180.222.192.0 255.255.192.0
    access-list 10 deny 180.223.0.0 255.255.0.0
    access-list 10 deny 180.224.0.0 255.224.0.0

   !-- APNIC
   access-list 10 deny 182.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 183.0.0.0 255.0.0.0
  
   !-- APNIC

   !-- 202.0.0.0 202.255.255.255
   !-- 202.0.0.0 255.0.0.0

    access-list 10 deny 202.0.0.0 255.248.0.0
    access-list 10 deny 202.8.0.0 255.252.0.0
    access-list 10 deny 202.12.0.0 255.255.240.0
    access-list 10 deny 202.12.16.0 255.255.248.0
    access-list 10 deny 202.12.24.0 255.255.252.0

     !-- APNIC.net
     !-- 202.12.28.0 255.255.254.0

    access-list 10 deny 202.12.30.0 255.255.254.0
    access-list 10 deny 202.12.32.0 255.255.224.0
    access-list 10 deny 202.12.64.0 255.255.192.0
    access-list 10 deny 202.12.128.0 255.255.128.0
    access-list 10 deny 202.13.0.0 255.255.0.0
    access-list 10 deny 202.14.0.0 255.254.0.0
    access-list 10 deny 202.16.0.0 255.240.0.0
    access-list 10 deny 202.32.0.0 255.224.0.0
    access-list 10 deny 202.64.0.0 255.192.0.0
    access-list 10 deny 202.128.0.0 255.128.0.0
 
  
   !-- APNIC
   access-list 10 deny 203.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 210.0.0.0 255.0.0.0
  
   !-- APNIC
   !-- 211.0.0.0 255.0.0.0

     !-- alphassl.com
     !-- 211.0.0.0 255.248.0.0

    access-list 10 deny 211.8.0.0 255.248.0.0
    access-list 10 deny 211.16.0.0 255.240.0.0
    access-list 10 deny 211.32.0.0 255.224.0.0
    access-list 10 deny 211.64.0.0 255.192.0.0
    access-list 10 deny 211.128.0.0 255.128.0.0
  
   !-- APNIC
   access-list 10 deny 218.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 219.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 220.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 221.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 222.0.0.0 255.0.0.0
  
   !-- APNIC
   access-list 10 deny 223.0.0.0 255.0.0.0

!-- group-object lacnic_ip

   !-- Administered by LACNIC
   access-list 10 deny 191.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 177.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 179.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 181.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 186.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 187.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 189.0.0.0 255.0.0.0

   !-- LACNIC
   access-list 10 deny 190.0.0.0 255.0.0.0

   !-- LACNIC
   !-- 200.0.0.0 255.0.0.0

    access-list 10 deny 200.0.0.0 255.254.0.0
    access-list 10 deny 200.2.0.0 255.255.0.0
    access-list 10 deny 200.3.0.0 255.255.248.0
    access-list 10 deny 200.3.8.0 255.255.252.0
    access-list 10 deny 200.3.12.0 255.255.254.0
    access-list 10 deny 200.3.14.0 255.255.255.248
    access-list 10 deny 200.3.14.8 255.255.255.254

     !-- LacNIC.net
     !-- 200.3.14.10

    access-list 10 deny 200.3.14.11 255.255.255.255
    access-list 10 deny 200.3.14.12 255.255.255.252
    access-list 10 deny 200.3.14.16 255.255.255.240
    access-list 10 deny 200.3.14.32 255.255.255.224
    access-list 10 deny 200.3.14.64 255.255.255.192
    access-list 10 deny 200.3.14.128 255.255.255.128
    access-list 10 deny 200.3.15.0 255.255.240.0
    access-list 10 deny 200.3.16.0 255.255.240.0
    access-list 10 deny 200.3.32.0 255.255.224.0
    access-list 10 deny 200.3.64.0 255.255.192.0
    access-list 10 deny 200.3.128.0 255.255.128.0
    access-list 10 deny 200.4.0.0 255.252.0.0
    access-list 10 deny 200.8.0.0 255.248.0.0
    access-list 10 deny 200.16.0.0 255.240.0.0
    access-list 10 deny 200.32.0.0 255.224.0.0
    access-list 10 deny 200.64.0.0 255.192.0.0
    access-list 10 deny 200.128.0.0 255.128.0.0

   !-- LACNIC
   access-list 10 deny 201.0.0.0 255.0.0.0

!-- group-object ripe_ip

   !-- UK Government Dept for Work and Pensions
   access-list 10 deny 25.0.0.0 255.0.0.0

   !-- UK Ministry of Defence [sic]
   access-list 10 deny 51.0.0.0 255.0.0.0

   !-- Administered by RIPE NCC
   access-list 10 deny 141.0.0.0 255.0.0.0

   !-- Administered by RIPE NCC
   access-list 10 deny 145.0.0.0 255.0.0.0

   !-- Administered by RIPE NCC
   access-list 10 deny 151.0.0.0 255.0.0.0

   !-- Administered by RIPE NCC
   access-list 10 deny 188.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 002.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 005.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 031.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 037.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- 046.0.0.0 255.0.0.0

    access-list 10 deny 46.0.0.0 255.128.0.0
    access-list 10 deny 46.128.0.0 255.192.0.0
    access-list 10 deny 46.192.0.0 255.224.0.0
    access-list 10 deny 46.224.0.0 255.240.0.0
    access-list 10 deny 46.240.0.0 255.248.0.0
    access-list 10 deny 46.248.0.0 255.252.0.0
    access-list 10 deny 46.252.0.0 255.255.0.0
    access-list 10 deny 46.253.0.0 255.254.0.0
    access-list 10 deny 46.255.0.0 255.255.192.0
    access-list 10 deny 46.255.64.0 255.255.224.0
    access-list 10 deny 46.255.96.0 255.255.240.0
    access-list 10 deny 46.255.112.0 255.255.248.0

     !-- Robtex.com
     !-- 46.255.120.0 255.255.255.0

    access-list 10 deny 46.255.121.0 255.255.255.0
    access-list 10 deny 46.255.122.0 255.255.254.0
    access-list 10 deny 46.255.122.0 255.255.252.0
    access-list 10 deny 46.255.122.0 255.255.128.0

   !-- RIPE NCC
   access-list 10 deny 062.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 077.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 078.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 079.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 080.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 081.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- 082.0.0.0 255.0.0.0

    access-list 10 deny 82.0.0.0 255.128.0.0
    access-list 10 deny 82.128.0.0 255.252.0.0
    access-list 10 deny 82.132.0.0 255.254.0.0
    access-list 10 deny 82.134.0.0 255.255.0.0
    access-list 10 deny 82.135.0.0 255.255.248.0

     !-- OpenSPF.org
     !-- 82.135.8.0 255.255.254.0

    access-list 10 deny 82.135.10.0 255.255.254.0
    access-list 10 deny 82.135.12.0 255.255.252.0
    access-list 10 deny 82.135.16.0 255.255.240.0
    access-list 10 deny 82.135.32.0 255.255.224.0
    access-list 10 deny 82.135.64.0 255.255.192.0
    access-list 10 deny 82.135.128.0 255.255.128.0
    access-list 10 deny 82.136.0.0 255.248.0.0
    access-list 10 deny 82.144.0.0 255.240.0.0
    access-list 10 deny 82.160.0.0 255.224.0.0
    access-list 10 deny 82.192.0.0 255.192.0.0

   !-- RIPE NCC
   !-- 083.0.0.0 255.0.0.0

    access-list 10 deny 083.0.0.0 255.128.0.0
    access-list 10 deny 083.128.0.0 255.248.0.0
    access-list 10 deny 083.136.0.0 255.252.0.0
    access-list 10 deny 083.140.0.0 255.255.0.0

     !-- Aixit DD-WRT.com
     !-- 83.141.4.210
        !-- 083.141.0.0 255.255.192.0

    access-list 10 deny 083.141.64.0 255.255.192.0
    access-list 10 deny 083.141.128.0 255.255.128.0
    access-list 10 deny 083.142.0.0 255.254.0.0
    access-list 10 deny 083.144.0.0 255.240.0.0
    access-list 10 deny 083.160.0.0 255.224.0.0
    access-list 10 deny 083.192.0.0 255.192.0.0

   !-- RIPE NCC
   access-list 10 deny 084.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- 085.0.0.0 255.0.0.0

    access-list 10 deny 085.0.0.0 255.128.0.0
    access-list 10 deny 085.128.0.0 255.192.0.0
    access-list 10 deny 085.192.0.0 255.224.0.0
    access-list 10 deny 085.224.0.0 255.240.0.0
    access-list 10 deny 085.240.0.0 255.248.0.0
    access-list 10 deny 085.248.0.0 255.252.0.0
    access-list 10 deny 085.252.0.0 255.254.0.0
    access-list 10 deny 085.254.0.0 255.255.0.0
    access-list 10 deny 085.255.0.0 255.255.240.0

  !-- Element 5
  !-- 085.255.16.0 85.255.31.255
  
    access-list 10 deny 085.255.32.0 255.255.224.0
    access-list 10 deny 085.255.64.0 255.255.192.0
    access-list 10 deny 085.255.127.0 255.255.127.0

   !-- RIPE NCC
   access-list 10 deny 086.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 087.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 088.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 089.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 090.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- 091.0.0.0 255.0.0.0

    access-list 10 deny 91.0.0.0 255.128.0.0
    access-list 10 deny 91.128.0.0 255.192.0.0
    access-list 10 deny 91.128.192.0 255.252.0.0
    access-list 10 deny 91.196.0.0 255.254.0.0
    access-list 10 deny 91.198.0.0 255.255.0.0
    access-list 10 deny 91.199.0.0 255.255.128.0
    access-list 10 deny 91.199.128.0 255.255.192.0
    access-list 10 deny 91.199.192.0 255.255.240.0
    access-list 10 deny 91.199.208.0 255.255.252.0

     !-- Comodo
     !-- 91.199.212.0 - 91.199.212.255
     !-- 91.199.212.0 255.255.255.0

    access-list 10 deny 91.199.213.0 255.255.255.0
    access-list 10 deny 91.199.214.0 255.255.254.0
    access-list 10 deny 91.199.216.0 255.255.248.0
    access-list 10 deny 91.199.224.0 255.255.224.0
    access-list 10 deny 91.200.0.0 255.248.0.0
    access-list 10 deny 91.208.0.0 255.240.0.0
    access-list 10 deny 91.224.0.0 255.224.0.0

   !-- RIPE NCC
   access-list 10 deny 092.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 093.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- access-list 10 deny 094.0.0.0 255.0.0.0

    access-list 10 deny 94.0.0.0 255.128.0.0
    access-list 10 deny 94.128.0.0 255.192.0.0
    access-list 10 deny 94.192.0.0 255.224.0.0
    access-list 10 deny 94.224.0.0 255.240.0.0
    access-list 10 deny 94.240.0.0 255.252.0.0
    access-list 10 deny 94.244.0.0 255.255.0.0
    access-list 10 deny 94.245.0.0 255.255.192.0

     !-- WPA.one.Microsoft.com
     !-- 94.245.126.107
     !-- 94.245.64.0 94.245.127.255
     !-- 94.245.64.0 255.255.192.0

    access-list 10 deny 94.246.128.0 255.255.128.0
    access-list 10 deny 94.247.0.0 255.255.0.0
    access-list 10 deny 94.248.0.0 255.248.0.0

   !-- RIPE NCC
   access-list 10 deny 095.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 109.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 176.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 178.0.0.0 255.0.0.0

   !-- RIPE NCC
   access-list 10 deny 185.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- RIPE.net
   !-- 193.0.0.0 255.0.0.0
 
     !-- RIPE.net
     !-- 193.0.0.0 193.0.7.255
     !-- 193.0.0.0 255.255.248.0

    access-list 10 deny 193.0.8.0 255.255.248.0
    access-list 10 deny 193.0.16.0 255.255.240.0
    access-list 10 deny 193.0.32.0 255.255.224.0
    access-list 10 deny 193.0.64.0 255.255.192.0
    access-list 10 deny 193.0.128.0 255.255.128.0
    access-list 10 deny 193.1.0.0 255.192.0.0
    access-list 10 deny 193.64.0.0 255.224.0.0
    access-list 10 deny 193.96.0.0 255.248.0.0
    access-list 10 deny 193.104.0.0 255.255.128.0

    access-list 10 deny 193.104.128.0 255.255.192.0
    access-list 10 deny 193.104.192.0 255.255.240.0
    access-list 10 deny 193.104.208.0 255.255.252.0
    access-list 10 deny 193.104.212.0 255.255.254.0
    access-list 10 deny 193.104.214.0 255.255.255.0

     !-- get.adobe.com
     !-- 193.104.215.0 255.255.255.0

    access-list 10 deny 193.104.216.0 255.255.248.0
    access-list 10 deny 193.104.224.0 255.255.224.0
    access-list 10 deny 193.105.0.0 255.255.0.0
    access-list 10 deny 193.106.0.0 255.254.0.0
    access-list 10 deny 193.108.0.0 255.252.0.0
    access-list 10 deny 193.112.0.0 255.240.0.0
    access-list 10 deny 193.128.0.0 255.128.0.0

   !-- RIPE NCC
   access-list 10 deny 194.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- 195.0.0.0 255.0.0.0

    access-list 10 deny 195.0.0.0 255.128.0.0
    access-list 10 deny 195.127.0.0 255.224.0.0
    access-list 10 deny 195.160.0.0 255.248.0.0
    access-list 10 deny 195.168.0.0 255.255.0.0
    access-list 10 deny 195.169.0.0 255.255.128.0
    access-list 10 deny 195.169.128.0 255.255.240.0 

     !-- RIPE.net
     !-- 195.169.144.0 195.169.144.255
     !-- 195.169.144.0 255.255.255.0

    access-list 10 deny 195.169.145.0 255.255.255.0
    access-list 10 deny 195.169.146.0 255.255.254.0
    access-list 10 deny 195.169.148.0 255.255.252.0
    access-list 10 deny 195.169.152.0 255.255.248.0
    access-list 10 deny 195.169.160.0 255.255.224.0
    access-list 10 deny 195.169.192.0 255.255.192.0
    access-list 10 deny 195.170.0.0 255.254.0.0
    access-list 10 deny 195.172.0.0 255.252.0.0
    access-list 10 deny 195.176.0.0 255.240.0.0
    access-list 10 deny 195.192.0.0 255.192.0.0

   !-- RIPE NCC
   access-list 10 deny 212.0.0.0 255.0.0.0

   !-- RIPE NCC
   !-- netmedia1.com
   !-- 213.0.0.0 255.0.0.0

    access-list 10 deny 213.0.0.0 255.224.0.0
    access-list 10 deny 213.32.0.0 255.252.0.0
    access-list 10 deny 213.36.0.0 255.254.0.0
    access-list 10 deny 213.38.0.0 255.255.0.0
    access-list 10 deny 213.39.0.0 255.255.192.0
    access-list 10 deny 213.39.64.0 255.255.248.0
    access-list 10 deny 213.39.72.0 255.255.254.0
    access-list 10 deny 213.39.74.0 255.255.255.128
    access-list 10 deny 213.39.74.128 255.255.255.192
    access-list 10 deny 213.39.74.192 255.255.255.248
    access-list 10 deny 213.39.74.200 255.255.255.255

     !-- netmedia1.com
     !-- 213.39.74.201

    access-list 10 deny 213.39.74.202 255.255.255.254
    access-list 10 deny 213.39.74.204 255.255.255.252
    access-list 10 deny 213.39.74.208 255.255.255.240
    access-list 10 deny 213.39.74.224 255.255.255.224
    access-list 10 deny 213.39.75.0 255.255.255.0
    access-list 10 deny 213.39.76.0 255.255.252.0
    access-list 10 deny 213.39.80.0 255.255.240.0
    access-list 10 deny 213.39.96.0 255.255.224.0
    access-list 10 deny 213.39.128.0 255.255.128.0
    access-list 10 deny 213.40.0.0 255.255.248.0
    access-list 10 deny 213.48.0.0 255.255.240.0
    access-list 10 deny 213.64.0.0 255.255.192.0

   !-- RIPE NCC
   !-- 217.0.0.0 255.0.0.0

    access-list 10 deny 217.0.0.0 255.192.0.0
    access-list 10 deny 217.64.0.0 255.224.0.0
    access-list 10 deny 217.96.0.0 255.248.0.0
    access-list 10 deny 217.104.0.0 255.252.0.0
    access-list 10 deny 217.108.0.0 255.255.128.0
    access-list 10 deny 217.108.128.0 255.255.224.0
    access-list 10 deny 217.108.160.0 255.255.252.0
    access-list 10 deny 217.108.164.0 255.255.255.0

     !-- Globalsign.com
     !-- 217.108.165.0 255.255.255.0

    access-list 10 deny 217.108.166.0 255.255.254.0
    access-list 10 deny 217.108.168.0 255.255.248.0
    access-list 10 deny 217.108.176.0 255.255.240.0
    access-list 10 deny 217.108.192.0 255.255.192.0
    access-list 10 deny 217.109.0.0 255.255.0.0
    access-list 10 deny 217.110.0.0 255.254.0.0
    access-list 10 deny 217.112.0.0 255.240.0.0
    access-list 10 deny 217.112.0.0 255.240.0.0
    access-list 10 deny 217.128.0.0 255.128.0.0

!-- group-object iana_ip

   !-- Multicast
   access-list 10 deny 0.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 224.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 225.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 226.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 227.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 228.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 229.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 230.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 231.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 232.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 233.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 234.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 235.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 236.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 237.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 238.0.0.0 255.0.0.0
   !-- Multicast
   access-list 10 deny 239.0.0.0 255.0.0.0

   !-- Future use
   access-list 10 deny 240.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 241.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 242.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 243.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 244.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 245.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 246.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 247.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 248.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 249.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 250.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 251.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 252.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 253.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 254.0.0.0 255.0.0.0
   !-- Future use
   access-list 10 deny 255.0.0.0 255.0.0.0

!-- group-object misc_restricted_ip

   !-- Amazon.com -- not the main IP
   !-- 205.251.192.0 205.251.255.255
   access-list 10 deny 205.251.192.0 255.255.255.0

   !-- Mountain Cablevision
   !-- 24.215.48.0
   access-list 10 deny 24.215.48.0 255.255.248.0

   !-- Shaw Communications
   !-- 24.76.0.0 24.79.255.255
   access-list 10 deny 24.76.0.0 255.252.0.0

   !-- Softlayer
   !-- 52.22.0.0 50.23.255.255
   access-list 10 deny 50.22.0.0 255.254.0.0

   !-- XO Communications
   !-- 64.244.0.0 64.245.255.255
   access-list 10 deny 64.244.0.0 255.254.0.0

   !-- Shaw Communications
   !-- 68.144.0.0 - 68.151.255.255
   access-list 10 deny 64.144.0.0 255.248.0.0

   !-- SBC ATT
   !-- 69.223.176.0 69.223.191.255
   access-list 10 deny 69.223.176.0 255.255.248.0

   !-- Sympatico
   !-- 69.156.92.0 - 69.156.95.255
   access-list 10 deny 69.156.92.0 255.255.252.0

   !-- QWest Communications
   !-- 71.208.0.0 71.223.255.255
   access-list 10 deny 71.208.0.0 255.240.0.0

   !-- Rackspace Hosting
   !-- 72.3.128.0 72.3.255.255
   access-list 10 deny 72.3.128.0 255.255.128.0

   !-- Clearwire Communications
   !-- 74.60.0.0 74.61.255.255
   access-list 10 deny 74.60.0.0 255.254.0.0

   !-- Charter Communications
   !-- 75.132.0.0 75.132.255.255
   access-list 10 deny 75.132.0.0 255.255.0.0

   !-- Charter Communications
   !-- 75.132.0.0 75.132.255.255
   access-list 10 deny 75.132.0.0 255.255.0.0

   !-- Verizon
   !-- 74.96.0.0 74.111.255.255
   access-list 10 deny 74.96.0.0 255.240.0.0

   !-- QWest
   !-- 75.160.0.0 75.175.255.255
   access-list 10 deny 75.160.0.0 255.240.0.0

   !-- Charter Communications
   !-- 97.80.0.0 97.95.255.255
   access-list 10 deny 97.80.0.0 255.240.0.0

   !-- Cox Communications
   !-- 98.183.0.0 98.183.63.255
   access-list 10 deny 98.183.0.0 255.255.192.0

   !-- Oregon State System
   !--  of Higher Education
   !-- 140.211.0.0 140.211.255.255
   access-list 10 deny 140.211.0.0 255.255.0.0

   !-- SliceHost 184.106.177.138 03032012 09:26:47
   !-- 184.106.176.0 184.106.191.255
   access-list 10 deny 184.106.176.0 255.255.240.255

   !-- XO Communications
   !-- 216.156.0.0 216.156.255.255
   access-list 10 deny 216.156.0.0 255.255.0.0

   !-- Bell Canada
   !-- 174.89.68.0 174.89.71.255
   access-list 10 deny 174.89.68.0 255.255.252.0

   !-- Plastics Inc Formed
   access-list 10 deny 173.220.11.184  255.255.248.0

   !-- Rackspace Hosting
   !-- 204.232.128.0 204.232.255.255

    access-list 10 deny 204.232.128.0 255.255.192.0
    access-list 10 deny 204.232.192.0 255.255.224.0
    access-list 10 deny 204.232.224.0 255.255.240.0
    access-list 10 deny 204.232.240.0 255.255.254.0
    access-list 10 deny 204.232.242.0 255.255.255.128
    access-list 10 deny 204.232.242.128 255.255.255.192
    access-list 10 deny 204.232.242.192 255.255.255.224
    access-list 10 deny 204.232.242.224 255.255.255.240
    access-list 10 deny 204.232.242.240 255.255.255.248
    access-list 10 deny 204.232.242.248 255.255.255.254
    access-list 10 deny 204.232.242.250 255.255.255.255

     !-- Onelook.com
     !-- 204.232.242.251

    access-list 10 deny 204.232.242.252 255.255.255.252
    access-list 10 deny 204.232.243.0 255.255.255.0
    access-list 10 deny 204.232.244.0 255.255.252.0
    access-list 10 deny 204.232.248.0 255.255.248.0

   !-- Secured Servers
   !-- 184.95.32.0 184.95.63.255
   access-list 10 deny 184.95.32.0 255.255.224.0

   !-- State of South Carolina
   !-- 207.232.128.0 207.232.255.255
   access-list 10 deny 207.232.128.0 255.255.128.0

   !-- Software Development Corporation
   !-- 204.238.82.0 204.238.82.255
   access-list 10 deny 207.232.128.0 255.255.255.0

   !-- Quantcast
   !-- 64.94.107.0 64.94.107.255
   access-list 10 deny 64.94.107.0 255.255.255.0

   !-- Webair
   !-- 174.137.128.0 174.137.191.255
   access-list 10 deny 174.137.128.0 255.255.192.0

   access-list 10 permit any

ip http access-class 10

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define outbound connection allowed IPs
!--    allowed_out_ip object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network allowed_out_ip

object-group network allowed_out_ip

 group-object unrouteable_ip
 group-object arin_ip
 group-object akamai_ip

 !-- APNIC.net
 !-- 202.12.28.0 - 202.12.29.255
 202.12.28.0 255.255.254.0

 !-- AfriNIC.net
 196.216.2.1 255.255.255.255

 !-- LacNIC.net
 200.3.14.10 255.255.255.255

 !-- RIPE.net
 !-- 193.0.0.0 193.0.7.255
 193.0.0.0 255.255.248.0

 !-- RIPE.net
 !-- 195.169.144.0 195.169.144.255
 195.169.144.0 255.255.255.0

 !-- get.adobe.com
 193.104.215.66 255.255.255.255

 !-- alphassl.com
 211.0.0.0 255.248.0.0

 !-- Bank of America
 171.128.0.0 255.192.0.0
 171.192.0.0  255.248.0.0
 171.200.0.0 255.252.0.0
 171.204.0.0 255.254.0.0
 171.206.0.0 255.255.0.0

 !-- Comodo
 !-- 91.199.212.0 - 91.199.212.255
 91.199.212.0 255.255.255.0

 !-- DD-WRT.com
 83.141.4.210 255.255.255.255

 !-- Element 5
 !-- 085.255.16.0 85.255.31.255
 085.255.16.0 255.255.240.0

 !-- GlobalSign
 180.222.177.97 255.255.255.255

 !-- Globalsign.com
 217.108.165.0 255.255.255.0

 !-- WPA.one.Microsoft.com
 !-- 94.245.126.107
 !-- 94.245.64.0 94.245.127.255
 94.245.64.0 255.255.192.0
 
 !--- space.jpl.nasa.gov
 137.78.0.0 255.254.0.0

 !-- OpenSSL
 !-- 194.97.152.128 194.97.152.191
 194.97.152.128 255.255.255.192

 !-- netmedia1.com
 213.39.74.201 255.255.255.255

 !-- OneLook.com
 204.232.242.251 255.255.255.255

 !-- OpenSPF.org
 !-- Haiberg Net
 !-- 82.135.8.0 - 82.135.9.255
 82.135.8.0 255.255.254.0

 !-- Robtex.com
 46.255.120.0 255.255.255.0

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define inbound connection allowed IPs
!--    allowed_in_ip object-group
!--  Warning: This could be vulnerable to IP-spoofing and
!--    loose source routing hacking techniques.
!-- 
!--  Use only if this is not the outermost router.
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group network allowed_in_ip

object-group network allowed_in_ip

 !-- No connections originating from outside are
 !-- by default allowed in by this script

 !-- WPA.one.Microsoft.com
 !-- 94.245.126.107
 !-- 94.245.64.0 94.245.127.255
 !-- 94.245.64.0 255.255.192.0

 !-- Remove comment indicator to enable example
 !-- group-object unrouteable_ip

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!--  Drop unwanted IP protocols and non-IP protocols as Cisco is able.
!--    210 (protocol) access-group
!--    110 (port) access-group
!--   Class: not_allowed_class
!--   Class: inspect_not_allowed
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete existing class-maps and access-list and start over
!
no class-map inspect_not_allowed
no class-map not_allowed_class
no access-list 210
no access-list 130

 

 

!-- HOPOPT IPv6 Hop-by-Hop Option
access-list 210 deny 0X0 0xFFFF

!-- IGMP Internet Group Management
access-list 210 deny 0X2 0xFFFF
!-- GGP  Gateway-to-Gateway
access-list 210 deny 0X3 0xFFFF
!-- IPv4 IPv4 encapsulation
access-list 210 deny 0X4 0xFFFF
!-- ST Stream
access-list 210 deny 0X5 0xFFFF

!-- CBT  CBT
access-list 210 deny 0X7 0xFFFF
!-- EGP  Exterior Gateway Protocol
access-list 210 deny 0X8 0xFFFF
!-- IGP  any private interior gateway (used by [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9 0xFFFF
!-- BBN-RCC-MON  BBN RCC Monitoring
access-list 210 deny 0XA 0xFFFF
!-- NVP-II Network Voice Protocol
access-list 210 deny 0XB 0xFFFF
!-- PUP  PUP
access-list 210 deny 0XC 0xFFFF
!-- ARGUS  ARGUS
access-list 210 deny 0XD 0xFFFF
!-- EMCON  EMCON
access-list 210 deny 0XE 0xFFFF
!-- XNET Cross Net Debugger
access-list 210 deny 0XF 0xFFFF
!-- CHAOS  Chaos
access-list 210 deny 0X10 0xFFFF

!-- MUX  Multiplexing
access-list 210 deny 0X12 0xFFFF
!-- DCN-MEAS DCN Measurement Subsystems
access-list 210 deny 0X13 0xFFFF
!-- HMP  Host Monitoring
access-list 210 deny 0X14 0xFFFF
!-- PRM  Packet Radio Measurement
access-list 210 deny 0X15 0xFFFF
!-- XNS-IDP  XEROX NS IDP
access-list 210 deny 0X16 0xFFFF
!-- TRUNK-1  Trunk-1
access-list 210 deny 0X17 0xFFFF
!-- TRUNK-2  Trunk-2
access-list 210 deny 0X18 0xFFFF
!-- LEAF-1 Leaf-1
access-list 210 deny 0X19 0xFFFF
!-- LEAF-2 Leaf-2
access-list 210 deny 0X1A 0xFFFF
!-- RDP  Reliable Data Protocol
access-list 210 deny 0X1B 0xFFFF
!-- IRTP Internet Reliable Transaction
access-list 210 deny 0X1C 0xFFFF
!-- ISO-TP4  ISO Transport Protocol Class 4
access-list 210 deny 0X1D 0xFFFF
!-- NETBLT Bulk Data Transfer Protocol
access-list 210 deny 0X1E 0xFFFF
!-- MFE-NSP  MFE Network Services Protocol
access-list 210 deny 0X1F 0xFFFF
!-- MERIT-INP  MERIT Internodal Protocol
access-list 210 deny 0X20 0xFFFF
!-- DCCP Datagram Congestion Control Protocol
access-list 210 deny 0X21 0xFFFF
!-- 3PC  Third Party Connect Protocol
access-list 210 deny 0X22 0xFFFF
!-- IDPR Inter-Domain Policy Routing Protocol
access-list 210 deny 0X23 0xFFFF
!-- XTP  XTP
access-list 210 deny 0X24 0xFFFF
!-- DDP  Datagram Delivery Protocol
access-list 210 deny 0X25 0xFFFF
!-- IDPR-CMTP  IDPR Control Message Transport Proto
access-list 210 deny 0X26 0xFFFF
!-- TP++ TP++ Transport Protocol
access-list 210 deny 0X27 0xFFFF
!-- IL IL Transport Protocol
access-list 210 deny 0X28 0xFFFF
!-- IPv6 IPv6 encapsulation
access-list 210 deny 0X29 0xFFFF
!-- SDRP Source Demand Routing Protocol
access-list 210 deny 0X2A 0xFFFF
!-- IPv6-Route Routing Header for IPv6
access-list 210 deny 0X2B 0xFFFF
!-- IPv6-Frag  Fragment Header for IPv6
access-list 210 deny 0X2C 0xFFFF
!-- IDRP Inter-Domain Routing Protocol
access-list 210 deny 0X2D 0xFFFF
!-- RSVP Reservation Protocol
access-list 210 deny 0X2E 0xFFFF
!-- GRE  General Routing Encapsulation
access-list 210 deny 0X2F 0xFFFF
!-- DSR  Dynamic Source Routing Protocol
access-list 210 deny 0X30 0xFFFF
!-- BNA  BNA
access-list 210 deny 0X31 0xFFFF
!-- ESP  Encap Security Payload
access-list 210 deny 0X32 0xFFFF
!-- AH Authentication Header
access-list 210 deny 0X33 0xFFFF
!-- I-NLSP Integrated Net Layer Security TUBA
access-list 210 deny 0X34 0xFFFF
!-- SWIPE  IP with Encryption
access-list 210 deny 0X35 0xFFFF
!-- NARP NBMA Address Resolution Protocol
access-list 210 deny 0X36 0xFFFF
!-- MOBILE IP Mobility
access-list 210 deny 0X37 0xFFFF
!-- TLSP Transport Layer Security Protocol
access-list 210 deny 0X38 0xFFFF
!-- SKIP SKIP
access-list 210 deny 0X39 0xFFFF
!-- IPv6-ICMP  ICMP for IPv6
access-list 210 deny 0X3A 0xFFFF
!-- IPv6-NoNxt No Next Header for IPv6
access-list 210 deny 0X3B 0xFFFF
!-- IPv6-Opts  Destination Options for IPv6
access-list 210 deny 0X3C 0xFFFF
!-- any host internal protocol [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X3D 0xFFFF
!-- CFTP CFTP
access-list 210 deny 0X3E 0xFFFF
!-- any local network  [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X3F 0xFFFF
!-- SAT-EXPAK  SATNET and Backroom EXPAK
access-list 210 deny 0X40 0xFFFF
!-- KRYPTOLAN  Kryptolan
access-list 210 deny 0X41 0xFFFF
!-- RVD  MIT Remote Virtual Disk Protocol
access-list 210 deny 0X42 0xFFFF
!-- IPPC Internet Pluribus Packet Core
access-list 210 deny 0X43 0xFFFF
!-- any distributed file system  [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X44 0xFFFF
!-- SAT-MON  SATNET Monitoring
access-list 210 deny 0X45 0xFFFF
!-- VISA VISA Protocol
access-list 210 deny 0X46 0xFFFF
!-- IPCV Internet Packet Core Utility
access-list 210 deny 0X47 0xFFFF
!-- CPNX Computer Protocol Network Executive
access-list 210 deny 0X48 0xFFFF
!-- CPHB Computer Protocol Heart Beat
access-list 210 deny 0X49 0xFFFF
!-- WSN  Wang Span Network
access-list 210 deny 0X4A 0xFFFF
!-- PVP  Packet Video Protocol
access-list 210 deny 0X4B 0xFFFF
!-- BR-SAT-MON Backroom SATNET Monitoring
access-list 210 deny 0X4C 0xFFFF
!-- SUN-ND SUN ND PROTOCOL-Temporary
access-list 210 deny 0X4D 0xFFFF
!-- WB-MON WIDEBAND Monitoring
access-list 210 deny 0X4E 0xFFFF
!-- WB-EXPAK WIDEBAND EXPAK
access-list 210 deny 0X4F 0xFFFF
!-- ISO-IP ISO Internet Protocol
access-list 210 deny 0X50 0xFFFF
!-- VMTP VMTP
access-list 210 deny 0X51 0xFFFF
!-- SECURE-VMTP  SECURE-VMTP
access-list 210 deny 0X52 0xFFFF
!-- VINES  VINES
access-list 210 deny 0X53 0xFFFF
!-- TTP  TTP
access-list 210 deny 0X54 0xFFFF
!-- IPTM Protocol Internet Protocol Traffic
access-list 210 deny 0X55 0xFFFF
!-- NSFNET-IGP NSFNET-IGP
access-list 210 deny 0X56 0xFFFF
!-- DGP  Dissimilar Gateway Protocol
access-list 210 deny 0X57 0xFFFF
!-- TCF  TCF
access-list 210 deny 0X58 0xFFFF
!-- EIGRP  EIGRP
access-list 210 deny 0X59 0xFFFF
!-- OSPFIGP  OSPFIGP
access-list 210 deny 0X5A 0xFFFF
!-- Sprite-RPC Sprite RPC Protocol
access-list 210 deny 0X5B 0xFFFF
!-- LARP Locus Address Resolution Protocol
access-list 210 deny 0X5C 0xFFFF
!-- MTP  Multicast Transport Protocol
access-list 210 deny 0X5D 0xFFFF
!-- AX.25  AX.25 Frames
access-list 210 deny 0X5E 0xFFFF
!-- IPIP IP-within-IP Encapsulation Protocol
access-list 210 deny 0X5F 0xFFFF
!-- MICP Mobile Internetworking Control Pro.
access-list 210 deny 0X60 0xFFFF
!-- SCC-SP Semaphore Communications Sec. Pro.
access-list 210 deny 0X61 0xFFFF
!-- ETHERIP  Ethernet-within-IP Encapsulation
access-list 210 deny 0X62 0xFFFF
!-- ENCAP  Encapsulation Header
access-list 210 deny 0X63 0xFFFF
!-- any private encryption scheme  [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X64 0xFFFF
!--  GMTP GMTP
access-list 210 deny 0X65 0xFFFF
!--  IFMP Ipsilon Flow Management Protocol
access-list 210 deny 0X66 0xFFFF
!--  PNNI PNNI over IP
access-list 210 deny 0X67 0xFFFF
!--  PIM  Protocol Independent Multicast
access-list 210 deny 0X68 0xFFFF
!--  ARIS ARIS
access-list 210 deny 0X69 0xFFFF
!--  SCPS SCPS
access-list 210 deny 0X6A 0xFFFF
!--  QNX  QNX
access-list 210 deny 0X6B 0xFFFF
!--  A/N  Active Networks
access-list 210 deny 0X6C 0xFFFF
!--  IPComp IP Payload Compression Protocol
access-list 210 deny 0X6D 0xFFFF
!--  SNP  Sitara Networks Protocol
access-list 210 deny 0X6E 0xFFFF
!--  Compaq-Peer  Compaq Peer Protocol
access-list 210 deny 0X6F 0xFFFF
!--  IPX-in-IP  IPX in IP
access-list 210 deny 0X70 0xFFFF
!--  VRRP Virtual Router Redundancy Protocol
access-list 210 deny 0X71 0xFFFF
!--  PGM  PGM Reliable Transport Protocol
access-list 210 deny 0X72 0xFFFF
!--  any 0-hop protocol [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X73 0xFFFF
!--  L2TP Layer Two Tunneling Protocol
access-list 210 deny 0X74 0xFFFF
!--  DDX  D-II Data Exchange (DDX)
access-list 210 deny 0X75 0xFFFF
!--  IATP Interactive Agent Transfer Protocol
access-list 210 deny 0X76 0xFFFF
!--  STP  Schedule Transfer Protocol
access-list 210 deny 0X77 0xFFFF
!--  SRP  SpectraLink Radio Protocol
access-list 210 deny 0X78 0xFFFF
!--  UTI  UTI
access-list 210 deny 0X79 0xFFFF
!--  SMP  Simple Message Protocol
access-list 210 deny 0X7A 0xFFFF
!--  SM SM
access-list 210 deny 0X7B 0xFFFF
!--  PTP  Performance Transparency Protocol
access-list 210 deny 0X7C 0xFFFF
!--  ISIS over IPv4 [Tony_Przygienda]
access-list 210 deny 0X7D 0xFFFF
!--  FIRE [Criag_Partridge]
access-list 210 deny 0X7E 0xFFFF
!--  CRTP Combat Radio Transport Protocol
access-list 210 deny 0X7F 0xFFFF
!--  CRUDP  Combat Radio User Datagram
access-list 210 deny 0X80 0xFFFF
!--  SSCOPMCE [Kurt_Waber]
access-list 210 deny 0X81 0xFFFF
!--  IPLT [[Hollbach]]
access-list 210 deny 0X82 0xFFFF
!--  SPS  Secure Packet Shield
access-list 210 deny 0X83 0xFFFF
!--  PIPE Private IP Encapsulation within IP
access-list 210 deny 0X84 0xFFFF
!--  SCTP Stream Control Transmission Protocol
access-list 210 deny 0X85 0xFFFF
!--  FC Fibre Channel
access-list 210 deny 0X86 0xFFFF
!--  RSVP-E2E-IGNORE  [RFC3175]
access-list 210 deny 0X87 0xFFFF
!--  Mobility Header  [RFC6275]
access-list 210 deny 0X88 0xFFFF
!--  UDPLite  [RFC3828]
access-list 210 deny 0X89 0xFFFF
!--  MPLS-in-IP [RFC4023]
access-list 210 deny 0X8A 0xFFFF
!--  manet  MANET Protocols
access-list 210 deny 0X8B 0xFFFF
!--  HIP  Host Identity Protocol
access-list 210 deny 0X8C 0xFFFF
!--  Shim6  Shim6 Protocol
access-list 210 deny 0X8D 0xFFFF
!--  WESP Wrapped Encapsulating Security
access-list 210 deny 0X8E 0xFFFF
!--  ROHC Robust Header Compression
access-list 210 deny 0X8F 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X90 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X91 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X92 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X93 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X94 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X95 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X96 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X97 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X98 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X99 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9A 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9B 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9C 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9D 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9E 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X9F 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA0 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA1 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA2 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA3 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA4 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA5 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA6 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA7 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA8 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XA9 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XAA 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XAB 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XAC 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XAD 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XAE 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XAF 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB0 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB1 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB2 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB3 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB4 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB5 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB6 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB7 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB8 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XB9 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XBA 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XBB 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XBC 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XBD 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XBE 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XBF 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC0 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC1 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC2 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC3 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC4 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC5 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC6 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC7 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC8 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XC9 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XCA 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XCB 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XCC 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XCD 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XCE 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XCF 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD0 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD1 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD2 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD3 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD4 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD5 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD6 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD7 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD8 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XD9 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XDA 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XDB 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XDC 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XDD 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XDE 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XDF 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE0 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE1 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE2 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE3 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE4 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE5 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE6 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE7 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE8 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XE9 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XEA 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XEB 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XEC 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XED 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XEE 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XEF 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF0 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF1 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF2 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF3 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF4 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF5 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF6 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF7 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF8 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XF9 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XFA 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XFB 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XFC 0xFFFF
!--  Unassigned [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0XFD 0xFFFF
!--  Use for experimentation and testing  [RFC3692]
access-list 210 deny 0XFE 0xFFFF
!--  Use for experimentation and testing  [RFC3692]
access-list 210 deny 0XFF 0xFFFF
!--  Reserved [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X100 0xFFFF
!--  Reserved [Internet_Assigned_Numbers_Authority]
access-list 210 deny 0X100 0xFF00
access-list 210 deny 0X200 0xFF00
access-list 210 deny 0X300 0xFF00
access-list 210 deny 0X400 0xFF00
access-list 210 deny 0X500 0xFF00
access-list 210 deny 0X600 0xFF00
access-list 210 deny 0X700 0xFF00
access-list 210 deny 0X800 0xFF00
access-list 210 deny 0X900 0xFF00
access-list 210 deny 0XA00 0xFF00
access-list 210 deny 0XB00 0xFF00
access-list 210 deny 0XC00 0xFF00
access-list 210 deny 0XD00 0xFF00
access-list 210 deny 0XE00 0xFF00
access-list 210 deny 0XF00 0xFF00
access-list 210 deny 0X1000 0x0

 

access-list 130 deny tcp any any range 0 19
access-list 130 deny tcp any any range 22 24
access-list 130 deny tcp any any range 26 36
access-list 130 deny tcp any any range 38 52
access-list 130 deny tcp any any range 54 66
access-list 130 deny tcp any any range 69 79
access-list 130 deny tcp any any range 81 108
access-list 130 deny tcp any any range 111 122
access-list 130 deny tcp any any range 124 142
access-list 130 deny tcp any any range 144 442
access-list 130 deny tcp any any range 444 464
access-list 130 deny tcp any any range 466 988
access-list 130 deny tcp any any range 991 992
access-list 130 deny tcp any any eq 994
access-list 130 deny tcp any any range 996 2081
access-list 130 deny tcp any any range 2087 49151
access-list 130 deny tcp any any eq 65000

access-list 130 deny tcp object-group restricted_ip any
access-list 130 deny tcp any object-group restricted_ip

 

 

access-list 130 deny udp any any range 0 21
access-list 130 deny udp any any range 22 24
access-list 130 deny udp any any range 26 36
access-list 130 deny udp any any range 38 52
access-list 130 deny udp any any range 54 66
access-list 130 deny udp any any range 69 79
access-list 130 deny udp any any range 81 109
access-list 130 deny udp any any range 111 122
access-list 130 deny udp any any range 124 142
access-list 130 deny udp any any range 144 464
access-list 130 deny udp any any range 466 988
access-list 130 deny udp any any range 991 33432
access-list 130 deny udp any any range 33535 49151
access-list 130 deny udp any any eq 65000

access-list 130 deny udp object-group restricted_ip any
access-list 130 deny udp any object-group restricted_ip

 

class-map type inspect match-any not_allowed_class
 match access-group 210
 match access-group 130

 !-- IEEE 802.11 WLANs WG IAPP
 match protocol 802-11-iapp
 !-- ACE Server/Propagation
 match protocol ace-svr
 !-- America-Online Instant Messenger
 match protocol aol
 !-- Apple QuickTime
 match protocol appleqtc
 !-- Bliff mail notification
 match protocol biff
 !-- bittorrent
 match protocol bittorrent
 
 
 !-- Bootstrap Protocol Client
 !-- match protocol bootpc
 !-- Bootstrap Protocol Server
 !-- match protocol bootps
 
 
 !-- CD Database Protocol
 match protocol cddbp
 !-- CIFS
 match protocol cifs
 
 
 !--  Cisco FNATIVE
 match protocol cisco-fna
 !-- cisco-net-mgmt
 match protocol cisco-net-mgmt
 !-- cisco license/perf/GDP/X.25/ident svcs
 match protocol cisco-svcs
 !--  Cisco SYSMAINT
 match protocol cisco-sys
 
 
 !--  Cisco TDP
 match protocol cisco-tdp
 !--  Cisco TNATIVE
 match protocol cisco-tna
 !-- Citrix IMA/ADMIN/RTMP
 match protocol citrix
 !-- Citrix IMA Client
 match protocol citriximaclient
 !-- Cisco Line Protocol
 match protocol clp
 
 !-- Creative Partnr
 match protocol creativepartnr
 
 !-- Creative Server
 match protocol creativeserver
 !-- CUSeeMe Protocol
 match protocol cuseeme
 !-- Daytime (RFC 867)
 match protocol daytime
 !-- dBASE Unix
 match protocol dbase
 !-- Oracle dbControl Agent po
 match protocol dbcontrol_agent
 !-- Dynamic DNS Version 3
 match protocol ddns-v3
 !-- DHCP Failover
 match protocol dhcp-failover
 !-- Direct Connect Version 2.0
 match protocol directconnect
 !-- Discard port
 match protocol discard
 
 
 !-- Domain Name Server
 !-- match protocol dns
 
 
 !-- DNSIX Securit Attribute Token Map
 match protocol dnsix
 
 
 !-- Echo port
 !-- match protocol echo
 
 
 !-- eDonkey
 match protocol edonkey
 !-- Entrust KM/Admin Service Handler
 match protocol entrust-svc-hdlr
 !-- Entrust sps/aaas/aams
 match protocol entrust-svcs
 !-- Remote Process Execution
 match protocol exec
 !--  FastTrack Traffic - KaZaA, Morpheus, Grokster...
 match protocol fasttrack
 !--  FCIP
 match protocol fcip-port
 !-- Finger
 match protocol finger
 
 
 !-- File Transfer Protocol
 !-- match protocol ftp
 
 
 !-- FTP over TLS/SSL
 !-- match protocol ftps
 
 
 !-- GDOI
 match protocol gdoi
 !-- Oracle GIOP/SSL
 match protocol giop
 !-- Gnutella Version2 Traffic - BearShare, Shareeza, Morpheus
 match protocol gnutella
 
 
 !-- Gopher
 match protocol gopher
 !-- GPRS Tunneling Protocol Version 0
 match protocol gtpv0
 !-- GPRS Tunneling Protocol Version 1
 match protocol gtpv1
 !-- H225 RAS over Unicast
 match protocol h225ras
 !-- H.323 Protocol (e.g, MS NetMeeting, Inte
 match protocol h323
 !-- H.323 Protocol AnnexE (e.g, MS NetMeetin
 match protocol h323-annexe
 !-- H.323 Protocol AnnexG
 match protocol h323-nxg
 !-- HP Performance data alarm manager
 match protocol hp-alarm-mgr
 !-- HP Performance data collector
 match protocol hp-collector
 !-- HP Performance data managed node
 match protocol hp-managed-node
 !-- Hot Standby Router Protocol
 match protocol hsrp
 
 
 !-- Hypertext Transfer Protocol
 !-- match protocol http
 !-- Secure Hypertext Transfer Protocol
 !-- match protocol https
 
 
 !-- ica (Citrix)
 match protocol ica
 !-- icabrowser (Citrix)
 match protocol icabrowser
 
 
 !-- ICMP
 !-- match protocol icmp
 
 
 !-- ICQ
 match protocol icq
 !-- Authentication Service
 match protocol ident
 !-- IGMP over UDP for SSM
 match protocol igmpv3lite
 
 
 !-- Internet Message Access Protocol
 !-- match protocol imap
 !-- Interactive Mail Access Protocol 3
 !-- match protocol imap3
 !-- IMAP over TLS/SSL
 !-- match protocol imaps
 
 
 !-- IPASS
 match protocol ipass
 !-- Microsoft IPsec NAT-T
 match protocol ipsec-msft
 !-- IPX
 match protocol ipx
 !-- Internet Relay Chat Protocol
 match protocol irc
 !-- IRC-SERV
 match protocol irc-serv
 !-- IRC over TLS/SSL
 match protocol ircs
 !-- IRCU
 match protocol ircu
 !-- ISAKMP
 match protocol isakmp
 !-- iSCSI
 match protocol iscsi
 !-- iSCSI port
 match protocol iscsi-target
 !-- Kazaa Version 2
 match protocol kazaa2
 !-- Kerberos
 match protocol kerberos
 !-- kermit
 match protocol kermit
 !-- L2TP/L2F
 match protocol l2tp
 !-- Lightweight Directory Access Protocol
 match protocol ldap
 !-- LDAP admin server port
 match protocol ldap-admin
 !-- LDAP over TLS/SSL
 match protocol ldaps
 !-- Remote login
 match protocol login
 !--  Lotus Mail Tracking Agent Protocol
 match protocol lotusmtap
 !--  Lotus Note
 match protocol lotusnote
 !-- Media Gateway Control Protocol
 match protocol mgcp
 !-- Microsoft-DS
 match protocol microsoft-ds
 !-- MS Cluster Net
 match protocol ms-cluster-net
 !-- Microsoft .NETster Port
 match protocol ms-dotnetster
 !-- Microsoft SNA Server/Base
 match protocol ms-sna
 !-- Microsoft SQL
 match protocol ms-sql
 !-- Microsoft SQL Monitor
 match protocol ms-sql-m
 !-- Microsoft Exchange Routing
 match protocol msexch-routing
 !-- MSN Instant Messenger
 match protocol msnmsgr
 !-- Microsoft Remote Procedure Call
 match protocol msrpc
 !-- MySQL
 match protocol mysql
 !-- N2H2 Filter Service Port
 match protocol n2h2server
 !-- NCP (Novell)
 match protocol ncp
 !--  Oracle Net8 Cman/Admin
 match protocol net8-cman
 !-- NETBIOS Datagram Service
 match protocol netbios-dgm
 !-- NETBIOS Name Service
 match protocol netbios-ns
 !-- NETBIOS Session Service
 match protocol netbios-ssn
 !-- Variant of systat
 match protocol netstat
 !-- Network File System
 match protocol nfs
 !-- Network News Transport Protocol
 match protocol nntp
 
 
 !-- Network Time Protocol
 !-- match protocol ntp
 
 
 !--  OEM Agent (Oracle)
 match protocol oem-agent
 !-- Oracle
 match protocol oracle
 !-- Oracle EM/VP
 match protocol oracle-em-vp
 !-- Oracle Names
 match protocol oraclenames
 !-- Oracle SQL*Net v1/v2
 match protocol orasrv
 !-- pcANYWHEREdata
 match protocol pcanywheredata
 !-- pcANYWHEREstat
 match protocol pcanywherestat
 
 
 !-- Post Office Protocol - Version 3
 !-- match protocol pop3
 !-- POP3 over TLS/SSL
 !-- match protocol pop3s
 
 
 !-- PPTP
 match protocol pptp
 !-- Password
 match protocol pwdgen
 
 
 !-- Quick Mail Transfer Protocol
 match protocol qmtp
 !--  remote-winsock
 match protocol r-winsock
 !-- RADIUS & Accounting
 match protocol radius
 !-- Oracle RDB
 match protocol rdb-dbs-disp
 !--  RealNetwork's Realmedia Protocol
 match protocol realmedia
 !-- ISS Real Secure Console Service Port
 match protocol realsecure
 !-- Local Routing Process
 match protocol router
 !-- RSVD
 match protocol rsvd
 !-- RSVP ENCAPSULATION-1/2
 match protocol rsvp-encap
 !-- RSVP Tunnel
 match protocol rsvp_tunnel
 !-- Oracle RTC-PM port
 match protocol rtc-pm-port
 !-- Remote Telnet Service
 match protocol rtelnet
 !-- Real Time Streaming Protocol
 match protocol rtsp
 !-- SEND
 match protocol send
 !-- Remote command
 match protocol shell
 !-- Session initiation protocol
 match protocol sip
 !-- SIP-TLS
 match protocol sip-tls
 !-- Skinny Client Control Protocol
 match protocol skinny
 !-- SMS RCINFO/XFER/CHAT
 match protocol sms
 !-- Simple Mail Transfer Protocol
 match protocol smtp
 !-- Simple Network Management Protocol
 match protocol snmp
 !-- SNMP Trap
 match protocol snmptrap
 !-- Socks
 match protocol socks
 !-- SQL-NET
 match protocol sql-net
 !-- SQL Services
 match protocol sqlserv
 !-- SQL Service
 match protocol sqlsrv
 !-- SSH Remote Login Protocol
 match protocol ssh
 !-- SSLshell
 match protocol sshell
 !-- State Sync Protocol
 match protocol ssp
 !-- StreamWorks Protocol
 match protocol streamworks
 !-- cisco STUN
 match protocol stun

 !-- STUN-ICE
 !-- match protocol stun-ice

 !-- SUN Remote Procedure Call
 match protocol sunrpc
 !-- SysLog Service
 match protocol syslog
 !-- Reliable Syslog Service
 match protocol syslog-conn
 !-- Login Host Protocol (TACACS)
 match protocol tacacs
 !--  TACACS-Database Service
 match protocol tacacs-ds
 !-- Tarantella
 match protocol tarantella
 
 
 !-- TCP
 !-- match protocol tcp
 
 
 !-- Telnet
 !-- match protocol telnet
 
 
 !-- Telnet over TLS/SSL
 match protocol telnets
 
 
 !-- Trivial File Transfer Protocol
 match protocol tftp
 
 
 !-- Time
 !-- match protocol time
 
 
 !-- Time server
 match protocol timed
 !-- cisco RSRB
 match protocol tr-rsrb
 !-- Oracle TTC/SSL
 match protocol ttc
 
 
 !-- UDP
 !-- match protocol udp
 
 
 !-- UUCPD/UUCP-RLOGIN
 match protocol uucp
 !-- VDOLive Protocol
 match protocol vdolive
 !-- VQP
 match protocol vqp
 !-- Network Disctionary
 match protocol webster
 !-- Who's service
 match protocol who
 !-- WINMSGR
 match protocol winmsgr
 !-- WinMx file-sharing application
 match protocol winmx
 !-- Microsoft WINS
 match protocol wins
 !-- X Window System
 match protocol x11
 !-- XDM Control Protocol
 match protocol xdmcp
 !-- Yahoo! Instant Messenger
 match protocol ymsgr

exit

policy-map type inspect inspect_not_allowed
 class type inspect not_allowed_class
 drop

 exit
exit

policy-manager policy enable

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define necessary TCP ports for OUTBOUND connections
!--    tcp_allowed_OUTBOUND object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group service tcp_allowed_OUTBOUND

object-group service tcp_allowed_OUTBOUND

 !-- FTP-data transfer Official
 tcp 20

 !-- FTP-control (command) Official
 tcp 21

 !-- Secure Shell (SSH)-used for secure logins, file transfers (scp, sftp) and port forwarding Official
 !-- tcp 22

 !-- Telnet Protocol - unencrypted text communications
 !-- tcp 23

 !-- Simple Mail Transfer Protocol (SMTP)-used for e-mail routing between mail servers Official
 tcp 25

 !-- TIME protocol Official
 tcp 37

 !-- Domain Name System (DNS) Official
 tcp 53

 !-- Hypertext Transfer Protocol (HTTP) Official
 tcp 80

 !-- Post Office Protocol v2 (POP2) Official
 tcp 109

 !-- Post Office Protocol v3 (POP3) Official
 tcp 110

 !-- Network Time Protocol
 tcp 123

 !-- NetBIOS Name Service
 !-- tcp 137

 !-- NetBIOS Datagram Service
 !-- tcp 138

 !-- NetBIOS Session Service
 !-- tcp 139

 !-- Internet Message Access Protocol (IMAP)-management of email messages Official
 tcp 143

 !-- Hypertext Transfer Protocol (HTTPS) over SSL/TLS
 tcp 443

 !-- SMTP over SSL   Cisco protocol[citation needed] Unofficial
 tcp 465

 !-- FTPS Protocol (data): FTP over TLS/SSL Official
 tcp 989

 !-- FTPS Protocol (control): FTP over TLS/SSL Official
 tcp 990

 !-- Internet Message Access Protocol over SSL (IMAPS) Official
 tcp 993

 !-- Post Office Protocol 3 over TLS/SSL (POP3S) Official
 tcp 995
 !-- Infowave Mobility Server Official
 tcp 2082

 !-- Secure Radius Service (radsec)  CPanel default SSL Official
 tcp 2083
 tcp 2084
 tcp 2085

 !-- GNUnet  WebHost Manager default Official
 tcp 2086

 !-- WebHost Manager default SSL Unofficial
 tcp 2087
 tcp 2088
 tcp 2089
 tcp 2090
 tcp 2091
 tcp 2092
 tcp 2093
 tcp 2094

 !-- CPanel default Web mail Unofficial
 tcp 2095

 !-- CPanel default SSL Web mail Unofficial
 tcp 2096

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define necessary UDP ports for OUTBOUND connections
!--    udp_allowed_OUTBOUND object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
no object-group service udp_allowed_OUTBOUND

!
object-group service udp_allowed_OUTBOUND

 !-- Secure Shell (SSH)-used for secure logins, file transfers (scp, sftp) and port forwarding Official
 !-- udp 22

 !-- TIME protocol Official
 udp 37

 !-- Domain Name System (DNS) Official
 udp 53

 !-- BOOTP Server DHCP
 !-- udp 67

 !-- BOOTP Client DHCP
 !-- udp 68

 !-- Hypertext Transfer Protocol (HTTP) Official
 udp 80

 !-- Post Office Protocol v2 (POP2) Official
 udp 109

 !-- NetBIOS Name Service
 !-- udp 137

 !-- NetBIOS Datagram Service
 !-- udp 138

 !-- NetBIOS Session Service
 !-- udp 139

 !-- Post Office Protocol v3 (POP3) Official
 udp 110

 !-- Network Time Protocol
 udp 123

 !-- Internet Message Access Protocol (IMAP)-management of email messages Official
 udp 143

 !-- FTPS Protocol (data): FTP over TLS/SSL Official
 udp 989

 !-- FTPS Protocol (control): FTP over TLS/SSL Official
 udp 990

 !-- Internet Message Access Protocol over SSL (IMAPS) Official
 udp 993

 !-- Post Office Protocol 3 over TLS/SSL (POP3S) Official
 udp 995

 !-- Infowave Mobility Server Official
 udp 2082

 !-- Secure Radius Service (radsec)  CPanel default SSL Official
 udp 2083
 udp 2084
 udp 2085

 !-- GNUnet  WebHost Manager default Official
 udp 2086

 !-- WebHost Manager default SSL Unofficial
 udp 2087
 udp 2088
 udp 2089
 udp 2090
 udp 2091
 udp 2092
 udp 2093
 udp 2094

 !-- CPanel default Web mail Unofficial
 udp 2095

 !-- CPanel default SSL Web mail Unofficial
 udp 2096

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define outbound connection allowed ICMP types
!--    icmp_allowed_OUTBOUND object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group service icmp_allowed_OUTBOUND

object-group service icmp_allowed_OUTBOUND

    !-- Echo (Exploit)
    icmp 8

    !-- Traceroute
    icmp 30

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define necessary TCP ports for INBOUND connections
!--    tcp_allowed_INBOUND object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group service tcp_allowed_INBOUND

object-group service tcp_allowed_INBOUND

 !-- FTP-data transfer Official
 !-- tcp 20

 !-- FTP-control (command) Official
 !-- tcp 21

 !-- Secure Shell (SSH)-used for secure logins, file transfers (scp, sftp) and port forwarding Official
 !-- tcp 22

 !-- Telnet Protocol - unencrypted text communications
 !-- tcp 23

 !-- Simple Mail Transfer Protocol (SMTP)-used for e-mail routing between mail servers Official
 !-- tcp 25

 !-- TIME protocol Official
 !-- tcp 37

 !-- Domain Name System (DNS) Official
 tcp 53

 !-- Hypertext Transfer Protocol (HTTP) Official
 tcp 80

 !-- Post Office Protocol v2 (POP2) Official
 !-- tcp 109

 !-- Post Office Protocol v3 (POP3) Official
 !-- tcp 110

 !-- Network Time Protocol
 !-- tcp 123

 !-- NetBIOS Name Service
 !-- tcp 137

 !-- NetBIOS Datagram Service
 !-- tcp 138

 !-- NetBIOS Session Service
 !-- tcp 139

 !-- Internet Message Access Protocol (IMAP)-management of email messages Official
 !-- tcp 143

 !-- Hypertext Transfer Protocol (HTTPS) over SSL/TLS
 !-- tcp 443

 !-- SMTP over SSL   Cisco protocol[citation needed] Unofficial
 tcp 465

 !-- FTPS Protocol (data): FTP over TLS/SSL Official
 !-- tcp 989

 !-- FTPS Protocol (control): FTP over TLS/SSL Official
 !-- tcp 990

 !-- Internet Message Access Protocol over SSL (IMAPS) Official
 !-- tcp 993

 !-- Post Office Protocol 3 over TLS/SSL (POP3S) Official
 !-- tcp 995
 !-- Infowave Mobility Server Official
 !-- tcp 2082

 !-- Secure Radius Service (radsec)  CPanel default SSL Official
 !-- tcp 2083
 !-- tcp 2084
 !-- tcp 2085

 !-- GNUnet  WebHost Manager default Official
 !-- tcp 2086

 !-- WebHost Manager default SSL Unofficial
 !-- tcp 2087
 !-- tcp 2088
 !-- tcp 2089
 !-- tcp 2090
 !-- tcp 2091
 !-- tcp 2092
 !-- tcp 2093
 !-- tcp 2094

 !-- CPanel default Web mail Unofficial
 !-- tcp 2095

 !-- CPanel default SSL Web mail Unofficial
 !-- tcp 2096

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define necessary UDP ports for INBOUND connections
!--    udp_allowed_INBOUND object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
no object-group service udp_allowed_INBOUND

!
object-group service udp_allowed_INBOUND

 !-- Secure Shell (SSH)-used for secure logins, file transfers (scp, sftp) and port forwarding Official
 !-- udp 22

 !-- TIME protocol Official
 !-- udp 37

 !-- Domain Name System (DNS) Official
 udp 53

 !-- BOOTP Server DHCP
 !-- udp 67

 !-- BOOTP Client DHCP
 !-- udp 68

 !-- Hypertext Transfer Protocol (HTTP) Official
 !-- udp 80

 !-- Post Office Protocol v2 (POP2) Official
 !-- udp 109

 !-- Post Office Protocol v3 (POP3) Official
 !-- udp 110

 !-- Network Time Protocol
 !-- udp 123

 !-- NetBIOS Name Service
 !-- udp 137

 !-- NetBIOS Datagram Service
 !-- udp 138

 !-- NetBIOS Session Service
 !-- udp 139

 !-- Internet Message Access Protocol (IMAP)-management of email messages Official
 !-- udp 143

 !-- FTPS Protocol (data): FTP over TLS/SSL Official
 !-- udp 989

 !-- FTPS Protocol (control): FTP over TLS/SSL Official
 !-- udp 990

 !-- Internet Message Access Protocol over SSL (IMAPS) Official
 !-- udp 993

 !-- Post Office Protocol 3 over TLS/SSL (POP3S) Official
 !-- udp 995

 !-- Infowave Mobility Server Official
 !-- udp 2082

 !-- Secure Radius Service (radsec)  CPanel default SSL Official
 !-- udp 2083
 !-- udp 2084
 !-- udp 2085

 !-- GNUnet  WebHost Manager default Official
 !-- udp 2086

 !-- WebHost Manager default SSL Unofficial
 !-- udp 2087
 !-- udp 2088
 !-- udp 2089
 !-- udp 2090
 !-- udp 2091
 !-- udp 2092
 !-- udp 2093
 !-- udp 2094

 !-- CPanel default Web mail Unofficial
 !-- udp 2095

 !-- CPanel default SSL Web mail Unofficial
 !-- udp 2096

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!--  Define INBOUND connection allowed ICMP types
!--    icmp_allowed_INBOUND object-group
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete the object-group and start over
!
!
no object-group service icmp_allowed_INBOUND

object-group service icmp_allowed_INBOUND

    !-- Echo Reply
    icmp 0

    !-- Destination unreachable
    icmp 3

    !-- Source Quench
    icmp 4

    !-- Redirect
    icmp 5

    !-- Echo Request
    !-- icmp 8

    !-- Router Advertisement
    icmp 9

    !-- Router Solicitation
    !-- icmp 10

    !-- Time Exceeded for a Datagram
    icmp 11

    !-- Parameter Problem on a Datagram
    icmp 12

    !-- Timestamp Request
    !-- icmp 13

    !-- Timestamp Reply
    icmp 14

    !-- Address Mask Request
    !-- icmp 17

    !-- Address Mask Reply
    !-- icmp 18

    !-- Trace Route
    icmp 30

exit

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- Permit necessary and protocols and IP's
!-- on OUTBOUND past the WAN port originated connections.
!-- access-list 110 definition
!--
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete existing access-list and start over
!
no access-list 110

 

!-- ****************************************************************
!-- ****************************************************************
!--
!-- ICMP Internet Control Message types
!-- Only allowed ICMP type to and from only allowed IPs
!--
!-- It is better to deny by IP so as to cover all protocols
!-- See last section
!--
!-- ...And approve by IP protocol port and type which is specific
!-- See last sections
!--
!-- Enabling only specific types and ports is very specific
!--
!-- ****************************************************************
!-- ****************************************************************

!-- access-list 110 permit object-group icmp_allowed_OUTBOUND any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny object-group icmp_allowed_OUTBOUND any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- access-list 110 permit object-group icmp_allowed_OUTBOUND object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny object-group icmp_allowed_OUTBOUND object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny object-group icmp_allowed_OUTBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- TCP  Transmission Control Protocol ports
!-- Only allowed TCP ports to and from only allowed IPs
!
!-- ****************************************************************
!-- ****************************************************************

access-list 110 permit object-group tcp_allowed_OUTBOUND any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny object-group tcp_allowed_OUTBOUND any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- access-list 110 permit object-group tcp_allowed_INBOUND object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny object-group tcp_allowed_INBOUND object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny object-group tcp_allowed_OUTBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- Slackware and Konqueror

access-list 110 permit tcp any object-group allowed_out_ip range 33435 64999
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny tcp any object-group restricted_ip range 33435 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit tcp object-group allowed_in_ip any range 33435 64999 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny tcp object-group in_restricted_ip any range 33435 64999 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny tcp object-group restricted_ip any range 33435 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

access-list 110 permit tcp any object-group allowed_out_ip range 65001 65535
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny tcp any object-group restricted_ip range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit tcp object-group allowed_in_ip any range 65001 65535 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny tcp object-group in_restricted_ip any range 65001 65535 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny tcp object-group restricted_ip any range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- permit ephemeral ports excluding port used for attacks

access-list 110 permit tcp any object-group allowed_out_ip range 49152 64999
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny tcp any object-group restricted_ip range 49152 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit tcp object-group allowed_in_ip any range 49152 64999 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny tcp object-group in_restricted_ip any range 49152 64999 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny tcp object-group restricted_ip any range 49152 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- UDP  User Datagram Protocol ports
!-- Only allowed UDP ports to and from only allowed IPs
!
!-- ****************************************************************
!-- ****************************************************************

!-- BOOTP Server Client DHCP
!-- access-list 110 permit udp host 255.255.255.255 any range 67 68

access-list 110 permit object-group udp_allowed_OUTBOUND any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!
!-- Also accomodate Road Runner UDP port blocking which affects NAT DNS
!-- access-list 110 permit udp object-group any allowed_out_ip range 1024 1193
!-- access-list 110 permit udp object-group any allowed_out_ip range 1195 1998
!-- access-list 110 permit udp object-group any allowed_out_ip range 2000 4499
!-- access-list 110 permit udp object-group any allowed_out_ip range 4501 4999

 

!-- access-list 110 deny object-group udp_allowed_OUTBOUND any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- access-list 110 permit object-group udp_allowed_INBOUND object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny object-group udp_allowed_OUTBOUND object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny object-group udp_allowed_OUTBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- trace route

access-list 110 permit udp any object-group allowed_out_ip range 33435 33534
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny udp any object-group restricted_ip range 33435 33534 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit udp object-group allowed_in_ip any range 33435 33534 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny udp object-group in_restricted_ip any range 33435 33534 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny udp object-group restricted_ip any range 33435 33534 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- ephemeral ports excluding port used for attacks

access-list 110 permit udp any object-group allowed_out_ip range 49152 64999
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny udp any object-group restricted_ip range 49152 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit udp object-group allowed_in_ip any range 49152 64999 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny udp object-group in_restricted_ip any range 49152 64999 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny udp object-group restricted_ip any range 49152 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

access-list 110 permit udp any object-group allowed_out_ip range 65001 65535
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny udp any object-group restricted_ip range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit udp object-group allowed_in_ip any range 65001 65535 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny udp object-group in_restricted_ip any range 65001 65535 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny udp object-group restricted_ip any range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- IP Protocols allowed and restricted
!
!-- If a protocol is enabled the implication is every port.
!--
!-- ****************************************************************
!-- ****************************************************************

!-- ICMP
access-list 110 permit 1 any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 1 any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit 1 object-group allowed_in_ip any
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny 1 object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 1 object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- TCP
!-- access-list 110 permit 6 any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 6 any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit 6 object-group allowed_out_ip any log
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 6 object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 6 object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- UDP
!-- access-list 110 permit 17 any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 17 any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 110 permit 17 object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 110 deny 17 object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 110 deny 17 object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- IPs
!-- Restrict IPs in and out
!
!-- If IPs are enabled all protocols to these IP is the implication.
!
!-- So it is better to dny by IP so as to cover all protocols
!-- See first main section
!
!-- and approve by IP and protocol port and type which is specific
!-- See last sections
!--
!-- ****************************************************************
!-- ****************************************************************

!-- IPs normally allowed out
!-- access-list 110 permit ip any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- IPs not normally allowed out
access-list 110 deny ip any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- IPs normally allowed in
!-- access-list 110 permit ip object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- IPs not normally allowed in
access-list 110 deny ip object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 110 deny ip object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-------------------------------------------------------------------
!-------------------------------------------------------------------

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- Permit necessary and protocols and IP's
!-- on INBOUND from the WAN side originated connections.
!-- access-list 120 definition
!--
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
!-- Delete existing access-list and start over
!
no access-list 120

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- Permit necessary and protocols and IP's
!-- on INBOUND from the WAN side originated connections.
!-- access-list 120 definition
!--
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!--
!-- ICMP Internet Control Message types
!-- Only allowed ICMP type to and from only allowed IPs
!--
!-- It is better to deny by IP so as to cover all protocols
!-- See last section
!--
!-- ...And approve by IP protocol port and type which is specific
!-- See last sections
!--
!-- Enabling only specific types and ports is very specific
!--
!-- ****************************************************************
!-- ****************************************************************

access-list 120 permit object-group icmp_allowed_INBOUND object-group allowed_out_ip any
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny object-group icmp_allowed_INBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

access-list 120 permit object-group icmp_allowed_INBOUND object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny object-group icmp_allowed_INBOUND object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny object-group icmp_allowed_INBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- TCP  Transmission Control Protocol ports
!-- Only allowed TCP ports to and from only allowed IPs
!
!-- ****************************************************************
!-- ****************************************************************

access-list 120 permit object-group tcp_allowed_INBOUND object-group allowed_out_ip any
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 120 deny object-group tcp_allowed_INBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

access-list 120 permit object-group tcp_allowed_INBOUND object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny object-group tcp_allowed_INBOUND object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny object-group tcp_allowed_INBOUND any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- Slackware and Konqueror

access-list 120 permit tcp object-group allowed_out_ip any range 33435 64999
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 120 deny tcp object-group restricted_ip any range 33435 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- access-list 120 permit tcp object-group allowed_in_ip any range 33435 64999 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny tcp object-group in_restricted_ip any range 33435 64999 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny tcp any object-group restricted_ip range 33435 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------

!-- access-list 120 permit tcp object-group allowed_out_ip any range 65001 65535
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 120 deny tcp object-group restricted_ip any range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 120 permit tcp object-group allowed_in_ip any range 65001 65535 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny tcp object-group in_restricted_ip any range 65001 65535 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny tcp any object-group restricted_ip range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- UDP  User Datagram Protocol ports
!-- Only allowed UDP ports to and from only allowed IPs
!
!-- ****************************************************************
!-- ****************************************************************

!-- BOOTP Server Client DHCP
access-list 120 permit udp object-group unrouteable_ip any range 67 68

access-list 120 permit object-group udp_allowed_INBOUND object-group allowed_out_ip any
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!
!-- Also accomodate Road Runner UDP port blocking which affects NAT DNS
access-list 120 permit udp object-group allowed_out_ip any range 1024 1193
access-list 120 permit udp object-group allowed_out_ip any range 1195 1998
access-list 120 permit udp object-group allowed_out_ip any range 2000 4499
access-list 120 permit udp object-group allowed_out_ip any range 4501 4999

access-list 120 deny object-group udp_allowed_INBOUND object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

access-list 120 permit object-group udp_allowed_INBOUND object-group allowed_in_ip any
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny object-group udp_allowed_INBOUND object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny object-group udp_allowed_INBOUND any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- trace route

access-list 120 permit udp object-group allowed_out_ip any range 33435 33534
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny udp object-group restricted_ip any range 33435 33534 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

access-list 120 permit udp object-group allowed_in_ip any range 33435 33534
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny udp object-group in_restricted_ip any range 33435 33534 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny udp any object-group restricted_ip range 33435 33534 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- ephemeral ports excluding port used for attacks

access-list 120 permit udp object-group allowed_out_ip any range 49152 64999
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 120 deny udp object-group restricted_ip any range 49152 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 120 permit udp object-group allowed_in_ip any range 49152 64999
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

access-list 120 deny udp object-group in_restricted_ip any range 49152 64999 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny udp any object-group restricted_ip range 49152 64999 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

access-list 120 permit udp object-group allowed_out_ip any range 65001 65535
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 120 deny udp object-group restricted_ip any range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 120 permit udp object-group allowed_in_ip any range 65001 65535 log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny udp object-group in_restricted_ip any range 65001 65535 log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny udp any object-group restricted_ip range 65001 65535 log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- IP Protocols allowed and restricted
!
!-- If a protocol is enabled the implication is every port.
!--
!-- ****************************************************************
!-- ****************************************************************

!-- ICMP
!-- access-list 120 permit 1 any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 1 any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 120 permit 1 object-group allowed_in_ip any
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny 1 object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 1 object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-- TCP
!-- access-list 120 permit 6 any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 6 any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 120 permit 6 object-group allowed_out_ip any log
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 6 object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 6 object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

 

!-- UDP
!-- access-list 120 permit 17 any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 17 any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- access-list 120 permit 17 object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

!-- access-list 120 deny 17 object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- access-list 120 deny 17 object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

!-- ****************************************************************
!-- ****************************************************************
!
!-- IPs
!-- Restrict IPs in and out
!
!-- If IPs are enabled all protocols to these IP is the implication.
!
!-- ****************************************************************
!-- ****************************************************************

!-- IPs normally allowed out
!-- access-list 120 permit ip any object-group allowed_out_ip
!-- object-group network allowed_out_ip
 !-- group-object unrouteable_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

!-- IPs not normally allowed out
access-list 120 deny ip object-group restricted_ip any log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-- IPs normally allowed in
!-- access-list 120 permit ip object-group allowed_in_ip any log
!-- object-group network allowed_in_ip
 !-- No connections originating from outside are
 !-- by default allowed in by this script

access-list 120 deny ip object-group in_restricted_ip any log
!-- object-group network in_restricted_ip
 !-- group-object arin_ip
 !-- APNIC.net
 !-- AfriNIC.net
 !-- LacNIC.net
 !-- RIPE.net
 !-- get.adobe.com
 !-- alphassl.com
 !-- Bank of America
 !-- Comodo
 !-- GlobalSign
 !--- space.jpl.nasa.gov
 !-- OpenSSL
 !-- netmedia1.com
 !-- OneLook.com
 !-- OpenSPF.org
 !-- Robtex.com

access-list 120 deny ip any object-group restricted_ip log
!-- object-group network restricted_ip
 !-- object-group network comcast_ip
 !-- object-group network edgecast_ip
 !-- object-group network gblx_ip
 !-- object-group network level3_ip
 !-- object-group network roadrunner_ip
 !-- object-group network afrinic_ip
 !-- object-group network apnic_ip
 !-- object-group network lacnic_ip
 !-- object-group network ripe_ip
 !-- object-group network iana_ip
 !-- object-group network misc_restricted_ip

!-------------------------------------------------------------------
!-------------------------------------------------------------------

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- Apply access-groups to interfaces
!
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************

!
interface FastEthernet4
 ip access-group 110 out
 ip access-group 120 in
 exit

interface Vlan1
 !-- ip access-group 115 out
 !-- ip access-group 125 in
 exit

 

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

!
!-- *******************************************************************
!-- *******************************************************************
!-- **                                                              
!-- **   Begin: Memory reservation and buffer overflow protection.  
!-- **                                                              
!-- *******************************************************************
!-- *******************************************************************

!
!-- Buffer Overflow: Detection and correction of Redzone Corruption
!-- Detects and correct a memory block overflow to allow continuing
!-- operations
!
exception memory ignore overflow io
exception memory ignore overflow processor

!
!-- Reserves the specified amount of memory in kilobytes so that the
!-- router can issue critical notifications.
!

memory reserve critical 1000

!
!-- Reserves 4096 kilobytes to ensure console access to the Cisco IOS
!-- device for administrative and troubleshoot purposes (so you don't
!-- get locked out of your own router).
!
memory reserve console 4096

!
!-- Memory Threshold Notifications
!-- Memory Threshold Notifications generas a message in order to
!-- indicate that free memory on a device has fallen lower than the
!-- configured threshold.  This enables a device to generate a
!-- notification when available free memory falls lower than the
!-- specified threshold, and again when available free memory rises to
!-- five percent higher than the specified threshold.
!
memory free low-watermark processor 20000
memory free low-watermark IO 20000

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

!
!-- Enable DNS server
ip dns server

!-- Set up DNS relay
ip dns spoofing

!
!-- disable domain lookup
no ip domain lookup

!
!-- reduce connect time timeout
ip tcp synwait-time 5

 

 

 

 

 

 

!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!--
!--  Send errors to vty(x) and to terminal port
!-- 
!--  Overflow protection is enabled at the end of the script so the
!--    terminal emulation session will not be terminated during the
!--    loading of the script
!--
!-- Load the script using a terminal emulation program like Putty
!--
!-- Hyperterminal will overflow with the default Cisco settings --
!-- 9600 8 n 1 -- and render falacious errors.
!--
!-- ****************************************************************
!-- ****************************************************************
!-- ****************************************************************
!
!-- severity=0
logging monitor emergencies
!-- severity=1
logging monitor alerts
!-- severity=2
logging monitor critical
!-- severity=3
logging monitor errors
!-- severity=4
logging monitor warnings
!-- severity=5
logging monitor notifications
!-- severity=6
logging monitor informational

!-- severity=0
logging console emergencies
!-- severity=1
logging console alerts
!-- severity=2
logging console critical
!-- severity=3
logging console errors
!-- severity=4
logging console warnings
!-- severity=5
logging console notifications
!-- severity=6
logging console informational

!-------------------------------------------------------------------
!-------------------------------------------------------------------
!-------------------------------------------------------------------

 

 

 

 

end

terminal notify
terminal monitor
monitor event-trace all-traces continuous

 

 

 





The enumeration of all of the APNIC, AfriNic, LacNic, RIPE and IANA IP's serves probably more of an accounting function than any other, since, in IOS, any resources not specifically permitted are disallowed (according to Cisco anyway).  However,  if you find yourself poking holes in the firewall for Bank of America (the example in this instance), you might find yourself wondering why you have to make a special exception for Bank of America.  Without the RIR IP map, it isn't so obvious and will be less obvious maybe a month or so after you've implemented the change. 

Cisco recommends that smaller is better and that larger scripts tend to make the firewall more unstable, since it processes permissions as lists, in linear fashion.  Rather than abbreviate the script, I took the precaution of putting some lesser routers closer to the Internet to facilitate attack monitoring and to offload some of the attack thwarting load off of the Cisco router.  Also, the bulk of the entries in this script are comments that IOS strips away, so the running image will be much smaller than the template.

I don't rightly understand spray painting on walls, writing your name in someones freshly laid cement or hacking into someone's network to steal or destroy their data.  Nonetheless, there must be someone out there doing it, else there wouldn't be a market for antivirus', heuristic antigens and firewalls and no such attacks would show up on my firewalls.

This template is my offering to others who might want the protection of a Cisco firewall and a canned script to go with it (don't forget to run Cisco Express -- twice -- before you load this script).

Good luck!


John


The router appears to be working, however, noting the traffic that blows past the first two routers and is caught by the third (the Cisco router), likely because it's configured to not allow loose source routing.  There are more levels but nothing originating inbound, i.e. unsoliticited traffic seems to be recorded on the inner firewalls.

 

Below are attempts to access the router from the Internet.  The term WAN, in this case, might be inappropriate because there is no "WAN", in any other sense than the Internet.  No one is allowed to initiate a session with the router from the Internet (or "WAN" side of the router).  Clearly these are attempted intrusions into my private network -- essentially hackers.  The only exception to this appears to be a SYN flood from 207.46.19.252 (ElementK.com) Sunday, Feb 19,2012 20:09:09 while I was logged onto itacademy.microsoftelearning.com.  (It seems ElementK.com may handle the training for that Microsoft interest.)  That is not intended to be a statement about the assigned owners of the IP's, since hackers are given to using cheap VPN's and fiegning IP's they're not assigned.  



What the Outer Router saw:

[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 07:15:49
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 07:10:16
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 07:04:41
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:59:06
[LAN access from remote] from 183.60.161.116:45127 to XXX.XXX.XXX.XXX:2222 Monday, Feb 20,2012 06:54:57
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:53:33
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:48:01
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:42:24
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:36:51
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:31:18
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:20:09
[LAN access from remote] from 109.205.249.132:38253 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:19:02
[LAN access from remote] from 109.205.249.132:62875 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:18:43
[LAN access from remote] from 109.205.249.132:37583 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:18:14
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:14:37
[LAN access from remote] from 109.205.249.132:59554 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:14:17
[LAN access from remote] from 109.205.249.132:52541 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:13:57
[LAN access from remote] from 109.205.249.132:23525 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:13:38
[LAN access from remote] from 109.205.249.132:39755 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:12:27
[LAN access from remote] from 109.205.249.132:59531 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:12:08
[LAN access from remote] from 109.205.249.132:52827 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 06:12:00
[LAN access from remote] from 75.127.64.132:28003 to XXX.XXX.XXX.XXX:22 Monday, Feb 20,2012 06:08:23
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 06:03:30
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 05:57:56
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 05:46:50
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 05:41:15
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 05:35:41
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 05:24:31
[LAN access from remote] from 76.21.19.149:57217 to XXX.XXX.XXX.XXX:23 Monday, Feb 20,2012 05:16:27
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:808 Monday, Feb 20,2012 05:10:09
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8123 Monday, Feb 20,2012 05:10:09
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8008 Monday, Feb 20,2012 05:10:09
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:1080 Monday, Feb 20,2012 05:10:08
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:3246 Monday, Feb 20,2012 05:10:08
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8085 Monday, Feb 20,2012 05:10:08
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:27977 Monday, Feb 20,2012 05:10:08
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 05:02:16
[LAN access from remote] from 173.252.236.170:6000 to XXX.XXX.XXX.XXX:3389 Monday, Feb 20,2012 04:57:04
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 04:51:48
[LAN access from remote] from 81.169.143.113:63258 to XXX.XXX.XXX.XXX:5900 Monday, Feb 20,2012 04:47:28
[LAN access from remote] from 184.106.170.98:64407 to XXX.XXX.XXX.XXX:5631 Monday, Feb 20,2012 04:38:25
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:808 Monday, Feb 20,2012 04:36:48
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:6588 Monday, Feb 20,2012 04:36:48
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:8000 Monday, Feb 20,2012 04:36:47
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:8090 Monday, Feb 20,2012 04:36:47
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:9090 Monday, Feb 20,2012 04:36:47
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:3246 Monday, Feb 20,2012 04:36:47
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:8085 Monday, Feb 20,2012 04:36:46
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 04:24:53
[LAN access from remote] from 108.60.143.108:40688 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 04:03:00
[LAN access from remote] from 88.134.29.212:18091 to XXX.XXX.XXX.XXX:1080 Monday, Feb 20,2012 03:39:44
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 03:33:55
[LAN access from remote] from 184.35.11.208:65497 to XXX.XXX.XXX.XXX:51413 Monday, Feb 20,2012 03:14:23
[LAN access from remote] from 218.29.115.152:57662 to XXX.XXX.XXX.XXX:22 Monday, Feb 20,2012 03:00:34
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 02:46:29
[LAN access from remote] from 61.160.223.147:6000 to XXX.XXX.XXX.XXX:1433 Monday, Feb 20,2012 02:37:52
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 02:24:32
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 02:02:32
[LAN access from remote] from 92.162.87.56:50949 to XXX.XXX.XXX.XXX:37037 Monday, Feb 20,2012 01:49:15
[LAN access from remote] from 114.80.94.19:6000 to XXX.XXX.XXX.XXX:3389 Monday, Feb 20,2012 01:48:40
[LAN access from remote] from 221.169.35.38:53292 to XXX.XXX.XXX.XXX:23 Monday, Feb 20,2012 01:21:09
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:80 Monday, Feb 20,2012 01:20:49
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:808 Monday, Feb 20,2012 01:20:49
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:6588 Monday, Feb 20,2012 01:20:49
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:73 Monday, Feb 20,2012 01:20:49
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:2301 Monday, Feb 20,2012 01:20:49
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8000 Monday, Feb 20,2012 01:20:48
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:3246 Monday, Feb 20,2012 01:20:48
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8085 Monday, Feb 20,2012 01:20:48
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 01:11:04
[LAN access from remote] from 199.254.56.254:53 to XXX.XXX.XXX.XXX:31108 Monday, Feb 20,2012 00:52:08
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 00:48:53
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:6588 Monday, Feb 20,2012 00:48:46
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:8000 Monday, Feb 20,2012 00:48:45
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:1080 Monday, Feb 20,2012 00:48:45
[LAN access from remote] from 173.224.216.194:5060 to XXX.XXX.XXX.XXX:5060 Monday, Feb 20,2012 00:44:24
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Monday, Feb 20,2012 00:24:11
[LAN access from remote] from 67.132.93.66:11416 to XXX.XXX.XXX.XXX:3389 Monday, Feb 20,2012 00:12:55
[LAN access from remote] from 218.75.199.72:42010 to XXX.XXX.XXX.XXX:22 Monday, Feb 20,2012 00:06:21
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 23:56:44
[LAN access from remote] from 112.65.58.226:8016 to XXX.XXX.XXX.XXX:51413 Sunday, Feb 19,2012 23:35:05
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 23:30:50
[LAN access from remote] from 112.65.58.226:8016 to XXX.XXX.XXX.XXX:51413 Sunday, Feb 19,2012 23:14:57
[LAN access from remote] from 61.160.212.113:6000 to XXX.XXX.XXX.XXX:1433 Sunday, Feb 19,2012 23:12:14
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 23:04:42
[LAN access from remote] from 112.65.58.226:8016 to XXX.XXX.XXX.XXX:51413 Sunday, Feb 19,2012 22:55:05
[LAN access from remote] from 208.94.148.4:53 to XXX.XXX.XXX.XXX:45502 Sunday, Feb 19,2012 22:49:30
[LAN access from remote] from 94.102.49.2:2697 to XXX.XXX.XXX.XXX:53 Sunday, Feb 19,2012 22:39:31
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 22:38:28
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 22:32:46
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 22:27:03
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 22:21:19
[LAN access from remote] from 208.94.148.4:53 to XXX.XXX.XXX.XXX:31741 Sunday, Feb 19,2012 22:15:18
[LAN access from remote] from 67.23.234.143:5063 to XXX.XXX.XXX.XXX:5060 Sunday, Feb 19,2012 22:14:44
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 22:04:07
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 21:52:39
[LAN access from remote] from 66.240.185.89:6000 to XXX.XXX.XXX.XXX:3389 Sunday, Feb 19,2012 21:51:48
[LAN access from remote] from 208.94.148.4:53 to XXX.XXX.XXX.XXX:31741 Sunday, Feb 19,2012 21:46:57
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 21:46:53
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 21:35:20
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 21:29:36
[LAN access from remote] from 173.14.71.34:4816 to XXX.XXX.XXX.XXX:5900 Sunday, Feb 19,2012 21:21:50
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:808 Sunday, Feb 19,2012 21:18:23
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:6588 Sunday, Feb 19,2012 21:18:23
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8118 Sunday, Feb 19,2012 21:18:23
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:8000 Sunday, Feb 19,2012 21:18:22
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:9000 Sunday, Feb 19,2012 21:18:22
[LAN access from remote] from 58.218.199.147:12200 to XXX.XXX.XXX.XXX:27977 Sunday, Feb 19,2012 21:18:22
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 21:00:57
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:2301 Sunday, Feb 19,2012 20:55:18
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:1080 Sunday, Feb 19,2012 20:55:18
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:9090 Sunday, Feb 19,2012 20:55:17
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:9000 Sunday, Feb 19,2012 20:55:17
[LAN access from remote] from 221.1.220.149:12200 to XXX.XXX.XXX.XXX:9415 Sunday, Feb 19,2012 20:55:17
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 20:55:13
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 20:49:31
[LAN access from remote] from 58.218.199.250:12200 to XXX.XXX.XXX.XXX:8000 Sunday, Feb 19,2012 20:48:53
[LAN access from remote] from 58.218.199.250:12200 to XXX.XXX.XXX.XXX:8090 Sunday, Feb 19,2012 20:48:53
[LAN access from remote] from 58.218.199.250:12200 to XXX.XXX.XXX.XXX:8085 Sunday, Feb 19,2012 20:48:52
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 20:38:08
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 20:32:27
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 20:21:03
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 20:15:19
[DOS attack: FIN Scan] attack packets in last 20 sec from ip [207.46.19.252], Sunday, Feb 19,2012 20:09:09
[LAN access from remote] from 188.132.229.156:48227 to XXX.XXX.XXX.XXX:8443 Sunday, Feb 19,2012 19:56:34
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 19:52:35
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 19:46:52
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 19:41:11
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 19:35:28
[LAN access from remote] from 58.218.199.87:12200 to XXX.XXX.XXX.XXX:6515 Sunday, Feb 19,2012 19:29:46

 

What the level 2 router saw (notice that many of these IP's are not allowed to or from the inner levels so no traffic actually originated to their IP addresses).  The balance of the errors may have resulted from unexpected router latency or from TCP sequence prediction attacks (packet sequence attacks).

[INFO] Sun Feb 19 21:30:03 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:49465 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 21:18:05 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:49453 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 21:13:05 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:49441 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 21:11:50 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:49432 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 21:03:05 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:49430 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 20:57:25 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:49422 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 20:54:24 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49404 to 192.149.252.75:80 with unexpected acknowledgement 2823068384 (expected 2823068383 to 2823068383)
[INFO] Sun Feb 19 20:54:24 2012 Above message repeated 1 times
[INFO] Sun Feb 19 20:13:31 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49325 to 192.149.252.75:80 with unexpected acknowledgement 245126273 (expected 245126272 to 245126272)
[INFO] Sun Feb 19 20:13:31 2012 Above message repeated 1 times
[INFO] Sun Feb 19 20:11:11 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49277 to 192.149.252.75:80 with unexpected acknowledgement 75136179 (expected 75136178 to 75136178)
[INFO] Sun Feb 19 20:11:11 2012 Above message repeated 1 times
[INFO] Sun Feb 19 20:02:49 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49173 to 207.46.19.252:443 with unexpected acknowledgement 3387710394 (expected 3387711358 to 3387713155)
[INFO] Sun Feb 19 20:02:34 2012 Above message repeated 11 times
[INFO] Sun Feb 19 19:35:43 2012 Blocked incoming TCP packet from 74.125.239.8:80 to XXX.XXX.XXX.XXX:32791 with unexpected sequence 3354206235 (expected 3025176599 to 3025725464)
[INFO] Sun Feb 19 19:35:34 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:35:33 2012 Blocked incoming TCP packet from 74.125.239.8:80 to XXX.XXX.XXX.XXX:32790 with unexpected sequence 3212765891 (expected 2883687326 to 2884236191)
[INFO] Sun Feb 19 19:35:24 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:34:58 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32998 with unexpected sequence 3074977477 (expected 2745704065 to 2746252930)
[INFO] Sun Feb 19 19:34:58 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32997 with unexpected sequence 3073442064 (expected 2744167580 to 2744716445)
[INFO] Sun Feb 19 19:34:55 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32998 with unexpected sequence 3074977477 (expected 2745704065 to 2746252930)
[INFO] Sun Feb 19 19:34:55 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32997 with unexpected sequence 3073442064 (expected 2744167580 to 2744716445)
[INFO] Sun Feb 19 19:34:54 2012 Above message repeated 1 times
[INFO] Sun Feb 19 19:34:54 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32998 with unexpected sequence 3074977477 (expected 2745704065 to 2746252930)
[INFO] Sun Feb 19 19:34:53 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32997 with unexpected sequence 3073442064 (expected 2744167580 to 2744716445)
[INFO] Sun Feb 19 19:34:53 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32998 with unexpected sequence 3074977477 (expected 2745704065 to 2746252930)
[INFO] Sun Feb 19 19:34:53 2012 Above message repeated 1 times
[INFO] Sun Feb 19 19:34:53 2012 Blocked incoming TCP packet from 206.111.11.50:80 to XXX.XXX.XXX.XXX:32997 with unexpected sequence 3073442064 (expected 2744167580 to 2744716445)
[INFO] Sun Feb 19 19:34:34 2012 Blocked incoming TCP packet from 74.125.224.232:80 to XXX.XXX.XXX.XXX:2768 with unexpected sequence 3103315497 (expected 2774335433 to 2774884298)
[INFO] Sun Feb 19 19:34:29 2012 Above message repeated 4 times
[INFO] Sun Feb 19 19:28:50 2012 Blocked incoming TCP packet from 74.125.224.204:80 to XXX.XXX.XXX.XXX:2765 with unexpected sequence 3293922542 (expected 2965295903 to 2965844768)
[INFO] Sun Feb 19 19:28:40 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:25:40 2012 Blocked incoming TCP packet from 74.125.224.167:80 to XXX.XXX.XXX.XXX:2764 with unexpected sequence 1720280384 (expected 1390249524 to 1390798389)
[INFO] Sun Feb 19 19:25:38 2012 Blocked incoming TCP packet from 74.125.224.167:80 to XXX.XXX.XXX.XXX:2763 with unexpected sequence 1688577062 (expected 1359294977 to 1359843842)
[INFO] Sun Feb 19 19:25:35 2012 Blocked incoming TCP packet from 74.125.224.167:80 to XXX.XXX.XXX.XXX:2764 with unexpected sequence 1720280384 (expected 1390249524 to 1390798389)
[INFO] Sun Feb 19 19:25:33 2012 Blocked incoming TCP packet from 74.125.224.167:80 to XXX.XXX.XXX.XXX:2763 with unexpected sequence 1688577062 (expected 1359294977 to 1359843842)
[INFO] Sun Feb 19 19:25:33 2012 Blocked incoming TCP packet from 74.125.224.167:80 to XXX.XXX.XXX.XXX:2764 with unexpected sequence 1720280384 (expected 1390249524 to 1390798389)
[INFO] Sun Feb 19 19:25:30 2012 Above message repeated 3 times
[INFO] Sun Feb 19 19:25:30 2012 Blocked incoming TCP packet from 74.125.224.167:80 to XXX.XXX.XXX.XXX:2763 with unexpected sequence 1688577062 (expected 1359294977 to 1359843842)
[INFO] Sun Feb 19 19:25:28 2012 Above message repeated 3 times
[INFO] Sun Feb 19 19:24:55 2012 Blocked incoming TCP packet from 208.117.239.86:80 to XXX.XXX.XXX.XXX:2762 with unexpected sequence 2070967896 (expected 1741736309 to 1742285174)
[INFO] Sun Feb 19 19:24:46 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:24:26 2012 Blocked incoming TCP packet from 74.125.213.241:80 to XXX.XXX.XXX.XXX:2761 with unexpected sequence 2282605934 (expected 1953627032 to 1954175897)
[INFO] Sun Feb 19 19:24:17 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:22:30 2012 Blocked incoming TCP packet from 74.125.239.7:80 to XXX.XXX.XXX.XXX:2760 with unexpected sequence 1910632438 (expected 1580648177 to 1581197042)
[INFO] Sun Feb 19 19:22:21 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:19:21 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32995 with unexpected sequence 844663434 (expected 505103814 to 505652679)
[INFO] Sun Feb 19 19:19:12 2012 Above message repeated 5 times
[INFO] Sun Feb 19 19:19:10 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32989 with unexpected sequence 682329904 (expected 334529277 to 335078142)
[INFO] Sun Feb 19 19:19:10 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32993 with unexpected sequence 680526071 (expected 338509766 to 339058631)
[INFO] Sun Feb 19 19:19:05 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32991 with unexpected sequence 684143371 (expected 340610465 to 341159330)
[INFO] Sun Feb 19 19:19:05 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32990 with unexpected sequence 691587304 (expected 343431474 to 343980339)
[INFO] Sun Feb 19 19:19:05 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32994 with unexpected sequence 690374485 (expected 337753606 to 338302471)
[INFO] Sun Feb 19 19:19:05 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32993 with unexpected sequence 680526071 (expected 338509766 to 339058631)
[INFO] Sun Feb 19 19:19:05 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32989 with unexpected sequence 682329904 (expected 334529277 to 335078142)
[INFO] Sun Feb 19 19:19:03 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32991 with unexpected sequence 684143371 (expected 340610465 to 341159330)
[INFO] Sun Feb 19 19:19:03 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32990 with unexpected sequence 691587304 (expected 343431474 to 343980339)
[INFO] Sun Feb 19 19:19:03 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32994 with unexpected sequence 690374485 (expected 337753606 to 338302471)
[INFO] Sun Feb 19 19:19:03 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32993 with unexpected sequence 680526071 (expected 338509766 to 339058631)
[INFO] Sun Feb 19 19:19:03 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32989 with unexpected sequence 682329904 (expected 334529277 to 335078142)
[INFO] Sun Feb 19 19:19:02 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32991 with unexpected sequence 684143371 (expected 340610465 to 341159330)
[INFO] Sun Feb 19 19:19:02 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32990 with unexpected sequence 691587304 (expected 343431474 to 343980339)
[INFO] Sun Feb 19 19:19:02 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32994 with unexpected sequence 690374485 (expected 337753606 to 338302471)
[INFO] Sun Feb 19 19:19:02 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32993 with unexpected sequence 680526071 (expected 338509766 to 339058631)
[INFO] Sun Feb 19 19:19:02 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32989 with unexpected sequence 682329904 (expected 334529277 to 335078142)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32991 with unexpected sequence 684143371 (expected 340610465 to 341159330)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32990 with unexpected sequence 691587304 (expected 343431474 to 343980339)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32994 with unexpected sequence 690374485 (expected 337753606 to 338302471)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32993 with unexpected sequence 680526071 (expected 338509766 to 339058631)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32989 with unexpected sequence 682329904 (expected 334529277 to 335078142)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32993 with unexpected sequence 680526071 (expected 338509766 to 339058631)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32994 with unexpected sequence 690374485 (expected 337753606 to 338302471)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32989 with unexpected sequence 682329904 (expected 334529277 to 335078142)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32991 with unexpected sequence 684143371 (expected 340610465 to 341159330)
[INFO] Sun Feb 19 19:19:01 2012 Blocked incoming TCP packet from 74.125.239.6:80 to XXX.XXX.XXX.XXX:32990 with unexpected sequence 691587304 (expected 343431474 to 343980339)
[INFO] Sun Feb 19 19:16:03 2012 Blocked incoming TCP packet from 192.150.16.117:80 to XXX.XXX.XXX.XXX:40390 with unexpected acknowledgement 2493729961 (expected 2493730137 to 2493730138)
[INFO] Sun Feb 19 18:54:21 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2759 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:21 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2754 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:21 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2757 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:21 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2758 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:21 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2756 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2755 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2759 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2758 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2757 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2756 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2755 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:54:20 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:2754 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:52:42 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33061 with unexpected sequence 2710237147 (expected 3767636709 to 3768185574)
[INFO] Sun Feb 19 18:52:42 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33065 with unexpected sequence 2707734802 (expected 3759524617 to 3760073482)
[INFO] Sun Feb 19 18:52:42 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33063 with unexpected sequence 2703198314 (expected 3768928851 to 3769477716)
[INFO] Sun Feb 19 18:52:41 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33066 with unexpected sequence 2705061728 (expected 3758296897 to 3758845762)
[INFO] Sun Feb 19 18:52:41 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33064 with unexpected sequence 2705357780 (expected 3758321547 to 3758870412)
[INFO] Sun Feb 19 18:52:41 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33062 with unexpected sequence 2712958113 (expected 3764849220 to 3765398085)
[INFO] Sun Feb 19 18:51:39 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33062 with unexpected sequence 3758711968 (expected 2712683681 to 2713232546)
[INFO] Sun Feb 19 18:51:38 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33063 with unexpected sequence 3762794327 (expected 2702923882 to 2703472747)
[INFO] Sun Feb 19 18:51:38 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33066 with unexpected sequence 3785715910 (expected 2704787296 to 2705336161)
[INFO] Sun Feb 19 18:51:38 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33064 with unexpected sequence 3785741101 (expected 2705083348 to 2705632213)
[INFO] Sun Feb 19 18:51:38 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33065 with unexpected sequence 3786944241 (expected 2707460370 to 2708009235)
[INFO] Sun Feb 19 18:51:38 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33061 with unexpected sequence 3761499610 (expected 2709962715 to 2710511580)
[INFO] Sun Feb 19 18:51:33 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33062 with unexpected sequence 3758711968 (expected 2712683681 to 2713232546)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33063 with unexpected sequence 3762794327 (expected 2702923882 to 2703472747)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33064 with unexpected sequence 3785741101 (expected 2705083348 to 2705632213)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33066 with unexpected sequence 3785715910 (expected 2704787296 to 2705336161)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33065 with unexpected sequence 3786944241 (expected 2707460370 to 2708009235)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33061 with unexpected sequence 3761499610 (expected 2709962715 to 2710511580)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33065 with unexpected sequence 3786944241 (expected 2707460370 to 2708009235)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33063 with unexpected sequence 3762794327 (expected 2702923882 to 2703472747)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33064 with unexpected sequence 3785741101 (expected 2705083348 to 2705632213)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33066 with unexpected sequence 3785715910 (expected 2704787296 to 2705336161)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33062 with unexpected sequence 3758711968 (expected 2712683681 to 2713232546)
[INFO] Sun Feb 19 18:51:32 2012 Blocked incoming TCP packet from 184.24.20.43:443 to XXX.XXX.XXX.XXX:33061 with unexpected sequence 3761499610 (expected 2709962715 to 2710511580)
[INFO] Sun Feb 19 18:49:40 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:33458 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 18:49:38 2012 Above message repeated 3 times
[INFO] Sun Feb 19 18:46:54 2012 Blocked incoming TCP packet from 74.125.224.233:80 to XXX.XXX.XXX.XXX:33323 with unexpected sequence 130011786 (expected 4096149074 to 4096697939)
[INFO] Sun Feb 19 18:46:49 2012 Above message repeated 4 times
[INFO] Sun Feb 19 18:40:42 2012 Blocked incoming TCP packet from 184.27.193.231:80 to XXX.XXX.XXX.XXX:33414 with unexpected sequence 2156425131 (expected 3250443876 to 3250992741)
[INFO] Sun Feb 19 18:40:36 2012 Blocked incoming TCP packet from 184.27.193.231:80 to XXX.XXX.XXX.XXX:33413 with unexpected sequence 1635745261 (expected 3221747996 to 3222296861)
[INFO] Sun Feb 19 18:40:30 2012 Blocked incoming TCP packet from 184.27.193.231:80 to XXX.XXX.XXX.XXX:33414 with unexpected sequence 2156425131 (expected 3250443876 to 3250992741)
[INFO] Sun Feb 19 18:40:24 2012 Blocked incoming TCP packet from 184.27.193.231:80 to XXX.XXX.XXX.XXX:33413 with unexpected sequence 1635745261 (expected 3221747996 to 3222296861)
[INFO] Sun Feb 19 18:40:24 2012 Blocked incoming TCP packet from 184.27.193.231:80 to XXX.XXX.XXX.XXX:33414 with unexpected sequence 2156425131 (expected 3250443876 to 3250992741)
[INFO] Sun Feb 19 18:40:24 2012 Above message repeated 1 times
[INFO] Sun Feb 19 18:40:24 2012 Blocked incoming TCP packet from 184.27.193.231:80 to XXX.XXX.XXX.XXX:33413 with unexpected sequence 1635745261 (expected 3221747996 to 3222296861)
[INFO] Sun Feb 19 18:40:18 2012 Above message repeated 2 times
[INFO] Sun Feb 19 17:28:21 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:52293 to 74.125.239.7:80 as RST received but there is no active connection
[INFO] Sun Feb 19 16:56:43 2012 Blocked incoming TCP packet from 97.74.107.143:443 to XXX.XXX.XXX.XXX:33095 with unexpected sequence 3085942990 (expected 2337226809 to 2337775674)
[INFO] Sun Feb 19 16:56:37 2012 Blocked incoming TCP packet from 97.74.107.143:443 to XXX.XXX.XXX.XXX:33095 with unexpected sequence 2502438056 (expected 2337226809 to 2337775674)
[INFO] Sun Feb 19 16:56:05 2012 Blocked incoming TCP packet from 97.74.107.143:443 to XXX.XXX.XXX.XXX:33084 with unexpected sequence 3662358585 (expected 3230590188 to 3231139053)
[INFO] Sun Feb 19 16:55:59 2012 Blocked incoming TCP packet from 97.74.107.143:443 to XXX.XXX.XXX.XXX:33084 with unexpected sequence 1778774427 (expected 3230590188 to 3231139053)
[INFO] Sun Feb 19 16:55:26 2012 Blocked incoming TCP packet from 97.74.107.143:443 to XXX.XXX.XXX.XXX:33076 with unexpected sequence 1606971604 (expected 673496230 to 674045095)
[INFO] Sun Feb 19 16:55:20 2012 Blocked incoming TCP packet from 97.74.107.143:443 to XXX.XXX.XXX.XXX:33076 with unexpected sequence 3032498997 (expected 673496230 to 674045095)
[INFO] Sun Feb 19 16:51:45 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:42184 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 16:49:53 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:33327 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 16:49:38 2012 Blocked outgoing TCP packet from 63.253.14.112:33327 to 63.253.14.116:443 as RST is not allowed in state NO
[INFO] Sun Feb 19 16:49:29 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:33327 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 16:49:07 2012 Above message repeated 3 times
[INFO] Sun Feb 19 15:37:32 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:52000 to 64.94.107.17:80 with unexpected acknowledgement 1689865577 (expected 1689865576 to 1689865576)
[INFO] Sun Feb 19 15:37:32 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:34:46 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51920 to 74.125.224.185:80 with unexpected acknowledgement 2984909776 (expected 2984909775 to 2984909775)
[INFO] Sun Feb 19 15:34:46 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:34:01 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51918 to 74.125.224.249:80 with unexpected acknowledgement 1540373351 (expected 1540373350 to 1540373350)
[INFO] Sun Feb 19 15:33:45 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51908 to 74.125.224.185:80 with unexpected acknowledgement 2008073443 (expected 2008073442 to 2008073442)
[INFO] Sun Feb 19 15:33:42 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51904 to 74.125.224.186:80 with unexpected acknowledgement 3469563358 (expected 3469563357 to 3469563357)
[INFO] Sun Feb 19 15:33:42 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:33:41 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51893 to 74.125.224.186:80 with unexpected acknowledgement 3451392579 (expected 3451392578 to 3451392578)
[INFO] Sun Feb 19 15:33:41 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:33:34 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51892 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:33:31 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:32:58 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51884 to 74.125.239.26:80 with unexpected acknowledgement 2778966910 (expected 2778966909 to 2778966909)
[INFO] Sun Feb 19 15:32:58 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:30:51 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51847 to 74.125.224.186:80 with unexpected acknowledgement 776384440 (expected 776384439 to 776384439)
[INFO] Sun Feb 19 15:30:51 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:30:34 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51832 to 74.125.239.26:80 with unexpected acknowledgement 520053184 (expected 520053183 to 520053183)
[INFO] Sun Feb 19 15:30:34 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:30:16 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51828 to 74.125.239.26:80 with unexpected acknowledgement 255308061 (expected 255308060 to 255308060)
[INFO] Sun Feb 19 15:29:52 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51826 to 74.125.224.250:80 with unexpected acknowledgement 611574005 (expected 611574004 to 611574004)
[INFO] Sun Feb 19 15:29:49 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51824 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:29:33 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51812 to 74.125.239.26:80 with unexpected acknowledgement 3853234270 (expected 3853234269 to 3853234269)
[INFO] Sun Feb 19 15:29:33 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:28:41 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:51802 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:21:02 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51598 to 74.125.224.249:80 with unexpected acknowledgement 2202340863 (expected 2202340862 to 2202340862)
[INFO] Sun Feb 19 15:20:54 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51597 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:20:52 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:20:27 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51588 to 74.125.239.25:80 with unexpected acknowledgement 1818548397 (expected 1818548396 to 1818548396)
[INFO] Sun Feb 19 15:19:44 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51585 to 74.125.224.249:80 with unexpected acknowledgement 992980375 (expected 992980374 to 992980374)
[INFO] Sun Feb 19 15:19:26 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51583 to 74.125.224.249:80 with unexpected acknowledgement 701175614 (expected 701175613 to 701175613)
[INFO] Sun Feb 19 15:19:26 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:18:55 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51573 to 74.125.224.249:80 with unexpected acknowledgement 215777708 (expected 215777707 to 215777707)
[INFO] Sun Feb 19 15:18:54 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:16:44 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51549 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:14:20 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51483 to 107.14.32.176:80 with unexpected acknowledgement 360501919 (expected 360501918 to 360501918)
[INFO] Sun Feb 19 15:14:20 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:14:08 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51462 to 107.14.32.176:80 with unexpected acknowledgement 173652524 (expected 173652523 to 173652523)
[INFO] Sun Feb 19 15:13:51 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51437 to 107.14.32.176:80 with unexpected acknowledgement 4203426077 (expected 4203426076 to 4203426076)
[INFO] Sun Feb 19 15:13:51 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:11:50 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51359 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:08:27 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51296 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 15:04:19 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51261 to 107.14.32.147:80 with unexpected acknowledgement 3862698340 (expected 3862698339 to 3862698339)
[INFO] Sun Feb 19 15:04:19 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:04:19 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51256 to 74.125.239.25:80 with unexpected acknowledgement 3786689239 (expected 3786689238 to 3786689238)
[INFO] Sun Feb 19 15:04:19 2012 Above message repeated 1 times
[INFO] Sun Feb 19 15:04:19 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51257 to 74.125.239.25:80 with unexpected acknowledgement 3791213906 (expected 3791213905 to 3791213905)
[INFO] Sun Feb 19 15:02:03 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51227 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 14:59:04 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:51183 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 14:57:05 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51181 to 64.94.107.23:80 with unexpected acknowledgement 1405789952 (expected 1405789951 to 1405789951)
[INFO] Sun Feb 19 14:57:05 2012 Above message repeated 1 times
[INFO] Sun Feb 19 14:55:53 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51169 to 68.233.76.12:443 with unexpected acknowledgement 2691594118 (expected 2691595498 to 2691596659)
[INFO] Sun Feb 19 14:55:38 2012 Above message repeated 11 times
[INFO] Sun Feb 19 14:46:08 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51029 to 74.125.224.219:80 with unexpected acknowledgement 1829045203 (expected 1829045202 to 1829045202)
[INFO] Sun Feb 19 14:46:08 2012 Above message repeated 1 times
[INFO] Sun Feb 19 14:46:08 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51028 to 74.125.224.219:80 with unexpected acknowledgement 1825693862 (expected 1825693861 to 1825693861)
[INFO] Sun Feb 19 14:46:08 2012 Above message repeated 1 times
[INFO] Sun Feb 19 14:46:07 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51027 to 74.125.224.219:80 with unexpected acknowledgement 1829583374 (expected 1829583373 to 1829583373)
[INFO] Sun Feb 19 14:46:07 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51026 to 74.125.224.219:80 with unexpected acknowledgement 1836520141 (expected 1836520140 to 1836520140)
[INFO] Sun Feb 19 14:46:07 2012 Above message repeated 1 times
[INFO] Sun Feb 19 14:46:07 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51025 to 74.125.224.219:80 with unexpected acknowledgement 1829102230 (expected 1829102229 to 1829102229)
[INFO] Sun Feb 19 14:46:07 2012 Above message repeated 1 times
[INFO] Sun Feb 19 14:43:53 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:50901 to 184.24.21.222:443 with unexpected acknowledgement 831352218 (expected 831353670 to 831353761)
[INFO] Sun Feb 19 14:43:37 2012 Above message repeated 13 times
[INFO] Sun Feb 19 14:39:59 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:50838 to 65.54.75.44:80 with unexpected acknowledgement 252667731 (expected 252667730 to 252667730)
[INFO] Sun Feb 19 14:39:59 2012 Above message repeated 1 times
[INFO] Sun Feb 19 14:39:58 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:50829 to 74.125.224.187:80 with unexpected acknowledgement 174767878 (expected 174767877 to 174767877)
[INFO] Sun Feb 19 14:39:58 2012 Above message repeated 1 times
[INFO] Sun Feb 19 13:55:06 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:50673 to 184.24.21.222:443 with unexpected acknowledgement 823473090 (expected 823474542 to 823474633)
[INFO] Sun Feb 19 13:54:50 2012 Above message repeated 14 times
[INFO] Sun Feb 19 13:51:48 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:50595 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 13:40:36 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:50308 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 13:39:32 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:50284 to 216.218.239.102:443 with unexpected acknowledgement 50504094 (expected 50505959 to 50505960)
[INFO] Sun Feb 19 13:39:20 2012 Above message repeated 7 times
[INFO] Sun Feb 19 12:21:53 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:49211 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 10:26:40 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:51174 to 171.159.228.181:443 with unexpected acknowledgement 629036688 (expected 629037354 to 629039561)
[INFO] Sun Feb 19 10:26:24 2012 Above message repeated 11 times
[INFO] Sun Feb 19 09:01:37 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:50710 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 08:55:19 2012 Blocked incoming TCP packet from 63.253.15.12:443 to 63.253.15.16:50705 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 08:41:49 2012 Blocked incoming TCP packet from 63.253.15.12:80 to 63.253.15.16:49549 as SYN:ACK is not allowed in state NO
[INFO] Sun Feb 19 08:41:46 2012 Above message repeated 1 times
[INFO] Sun Feb 19 08:36:38 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49291 to 97.74.107.143:443 with unexpected acknowledgement 2999587382 (expected 2999589649 to 2999589650)
[INFO] Sun Feb 19 08:36:26 2012 Above message repeated 7 times
[INFO] Sun Feb 19 08:17:00 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49292 to 97.74.107.143:443 with unexpected acknowledgement 888935725 (expected 888941282 to 888941320)
[INFO] Sun Feb 19 08:16:43 2012 Above message repeated 11 times
[INFO] Sun Feb 19 08:16:38 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49280 to 97.74.107.143:443 with unexpected acknowledgement 4241439485 (expected 4241445042 to 4241445080)
[INFO] Sun Feb 19 08:16:23 2012 Above message repeated 11 times
[INFO] Sun Feb 19 08:16:17 2012 Blocked outgoing TCP packet from XXX.XXX.XXX.XXX:49268 to 97.74.107.143:443 with unexpected acknowledgement 3947278057 (expected 3947290551 to 3947290589)
[INFO] Sun Feb 19 08:15:58 2012 Above message repeated 14 times

These are the events that got past the first two routers (note how some IP's appear to be blocked sending traffic and receiving traffic, though what is more likely happening is that the addresses in the packets are being tailored to appear to be coming from within the router, and are likely delivered using loose source routing -- with this router designated as a point along the route).

 
000067: Feb 19 08:34:43.119 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 1 packet 
000068: Feb 19 08:36:35.891 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49241) -> 217.108.165.113(80), 1 packet 
000069: Feb 19 08:37:06.043 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(49241), 1 packet 
000070: Feb 19 08:40:17.651 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 2 packets 
000071: Feb 19 08:42:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49241) -> 217.108.165.113(80), 3 packets 
000072: Feb 19 10:26:22.263 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51167) -> 178.255.83.1(80), 1 packet 
000073: Feb 19 10:26:32.275 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51168) -> 178.255.83.2(80), 1 packet 
000074: Feb 19 10:26:37.267 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51169) -> 178.255.83.1(80), 1 packet 
000075: Feb 19 10:26:51.847 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51175) -> 178.255.83.2(80), 1 packet 
000076: Feb 19 10:26:57.475 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51176) -> 178.255.83.1(80), 1 packet 
000077: Feb 19 10:27:02.635 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(51168), 1 packet 
000078: Feb 19 10:27:07.379 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51177) -> 178.255.83.2(80), 1 packet 
000079: Feb 19 10:27:12.747 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51190) -> 178.255.83.1(80), 1 packet 
000080: Feb 19 10:27:22.091 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(51175), 1 packet 
000081: Feb 19 10:27:27.723 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(51176), 1 packet 
000082: Feb 19 10:27:37.963 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(51177), 1 packet 
000083: Feb 19 10:27:43.083 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(51190), 1 packet 
000084: Feb 19 10:30:09.867 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.96.23.170(80) -> XXX.XXX.XXX.XXX(1414), 1 packet 
000085: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51167) -> 178.255.83.1(80), 3 packets 
000086: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51168) -> 178.255.83.2(80), 3 packets 
000087: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51169) -> 178.255.83.1(80), 3 packets 
000088: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51175) -> 178.255.83.2(80), 3 packets 
000089: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(51167), 1 packet 
000090: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51176) -> 178.255.83.1(80), 3 packets 
000091: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51177) -> 178.255.83.2(80), 3 packets 
000092: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(51169), 1 packet 
000093: Feb 19 10:32:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51190) -> 178.255.83.1(80), 3 packets 
000094: Feb 19 10:35:17.651 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.96.23.170(80) -> XXX.XXX.XXX.XXX(1414), 6 packets 
000095: Feb 19 12:23:09.406 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49250) -> 217.108.165.113(80), 1 packet 
000096: Feb 19 12:23:39.794 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(49250), 1 packet 
000097: Feb 19 12:28:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49250) -> 217.108.165.113(80), 3 packets 
000098: Feb 19 12:35:28.154 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 1 packet 
000099: Feb 19 12:41:17.650 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 2 packets 
000100: Feb 19 13:44:58.442 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50490) -> 193.0.19.43(443), 1 packet 
000101: Feb 19 13:45:28.874 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 193.0.19.43(443) -> XXX.XXX.XXX.XXX(50490), 1 packet 
000102: Feb 19 13:50:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50491) -> 193.0.19.43(443), 4 packets 
000103: Feb 19 13:50:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50490) -> 193.0.19.43(443), 3 packets 
000104: Feb 19 13:51:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 193.0.19.43(443) -> XXX.XXX.XXX.XXX(50491), 1 packet 
000105: Feb 19 13:54:46.838 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50616) -> 217.108.165.113(80), 1 packet 
000106: Feb 19 13:55:17.234 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(50616), 1 packet 
000107: Feb 19 14:00:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50616) -> 217.108.165.113(80), 3 packets 
000108: Feb 19 14:40:47.126 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50842) -> 217.108.165.113(80), 1 packet 
000109: Feb 19 14:41:17.562 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(50842), 1 packet 
000110: Feb 19 14:42:04.122 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50869) -> 217.108.165.113(80), 1 packet 
000111: Feb 19 14:42:34.466 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(50869), 1 packet 
000112: Feb 19 14:46:05.982 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50991) -> 178.255.83.2(80), 1 packet 
000113: Feb 19 14:46:16.002 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50992) -> 178.255.83.2(80), 1 packet 
000114: Feb 19 14:46:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50842) -> 217.108.165.113(80), 3 packets 
000115: Feb 19 14:46:20.926 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50993) -> 178.255.83.2(80), 1 packet 
000116: Feb 19 14:46:23.430 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50994) -> 178.255.83.2(80), 1 packet 
000117: Feb 19 14:46:24.722 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50995) -> 178.255.83.1(80), 1 packet 
000118: Feb 19 14:46:25.766 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50999) -> 178.255.83.2(80), 1 packet 
000119: Feb 19 14:46:36.170 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(50991), 1 packet 
000120: Feb 19 14:46:46.410 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(50992), 1 packet 
000121: Feb 19 14:46:51.530 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(50993), 1 packet 
000122: Feb 19 14:46:54.090 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(50994), 1 packet 
000123: Feb 19 14:46:55.114 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(50995), 1 packet 
000124: Feb 19 14:46:56.138 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(50997), 1 packet 
000125: Feb 19 14:47:17.650 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets
000126: Feb 19 14:51:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50992) -> 178.255.83.2(80), 3 packets 
000127: Feb 19 14:51:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50991) -> 178.255.83.2(80), 3 packets 
000128: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50995) -> 178.255.83.1(80), 3 packets 
000129: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50993) -> 178.255.83.2(80), 3 packets 
000130: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50996) -> 178.255.83.2(80), 4 packets 
000131: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50994) -> 178.255.83.2(80), 3 packets 
000132: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50999) -> 178.255.83.2(80), 3 packets 
000133: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(50997) -> 178.255.83.1(80), 4 packets 
000134: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(50996), 1 packet 
000135: Feb 19 14:52:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.2(80) -> XXX.XXX.XXX.XXX(50999), 1 packet 
000136: Feb 19 15:04:43.598 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51262) -> 93.184.216.119(80), 1 packet 
000137: Feb 19 15:05:14.178 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(51262), 1 packet 
000138: Feb 19 15:10:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51262) -> 93.184.216.119(80), 3 packets 
000139: Feb 19 15:13:59.686 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51406) -> 178.63.58.188(80), 1 packet 
000140: Feb 19 15:14:29.858 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.63.58.188(80) -> XXX.XXX.XXX.XXX(51406), 1 packet 
000141: Feb 19 15:16:18.478 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1594719241 1492 bytes is out-of-order; expected seq:2700223371. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:51544 to 208.79.104.10:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000142: Feb 19 15:16:22.550 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1593867273 1492 bytes is out-of-order; expected seq:2701075339. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:51544 to 208.79.104.10:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000143: Feb 19 15:19:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51406) -> 178.63.58.188(80), 3 packets 
000144: Feb 19 15:29:07.410 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51807) -> 95.215.16.13(80), 1 packet 
000145: Feb 19 15:29:37.754 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 95.215.16.13(80) -> XXX.XXX.XXX.XXX(51807), 1 packet 
000146: Feb 19 15:34:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51807) -> 95.215.16.13(80), 3 packets 
000147: Feb 19 16:07:10.162 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52022) -> 217.108.165.113(80), 1 packet 
000148: Feb 19 16:07:40.754 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52022), 1 packet 
000149: Feb 19 16:08:09.414 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52047) -> 217.108.165.113(80), 1 packet 
000150: Feb 19 16:08:40.146 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52047), 1 packet 
000151: Feb 19 16:08:46.438 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52055) -> 217.108.165.113(80), 1 packet 
000152: Feb 19 16:08:52.666 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52064) -> 217.108.165.113(80), 1 packet 
000153: Feb 19 16:09:17.026 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52055), 1 packet 
000154: Feb 19 16:09:23.170 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52064), 1 packet 
000155: Feb 19 16:12:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52022) -> 217.108.165.113(80), 3 packets 
000156: Feb 19 16:13:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52047) -> 217.108.165.113(80), 3 packets 
000157: Feb 19 16:14:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52064) -> 217.108.165.113(80), 3 packets 
000158: Feb 19 16:14:17.650 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52055) -> 217.108.165.113(80), 3 packets 
000159: Feb 19 16:14:45.410 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52111) -> 217.108.165.113(80), 1 packet 
000160: Feb 19 16:15:16.082 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52111), 1 packet 
000161: Feb 19 16:15:51.026 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:2143107977 1492 bytes is out-of-order; expected seq:2143083293. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52119 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000162: Feb 19 16:16:19.918 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52140) -> 178.255.83.1(80), 1 packet 
000163: Feb 19 16:16:50.809 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(52140), 1 packet 
000164: Feb 19 16:17:52.413 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2006265571 1492 bytes is out-of-order; expected seq:2288668329. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52154 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000165: Feb 19 16:17:56.921 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2004720643 1492 bytes is out-of-order; expected seq:2290220517. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52154 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000166: Feb 19 16:19:44.297 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52180) -> 217.108.165.113(80), 1 packet 
000167: Feb 19 16:20:15.137 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52180), 1 packet 
000168: Feb 19 16:20:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52111) -> 217.108.165.113(80), 3 packets 
000169: Feb 19 16:20:57.093 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1831317017 1492 bytes is out-of-order; expected seq:2463625595. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52191 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000170: Feb 19 16:20:59.737 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1830821885 1492 bytes is out-of-order; expected seq:2464120727. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52191 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000171: Feb 19 16:21:04.597 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1822397053 1492 bytes is out-of-order; expected seq:2472545559. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52190 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000172: Feb 19 16:22:17.181 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1753982559 1492 bytes is out-of-order; expected seq:2540960053. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52209 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000173: Feb 19 16:22:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 178.255.83.1(80) -> XXX.XXX.XXX.XXX(52141), 1 packet 
000174: Feb 19 16:22:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52141) -> 178.255.83.1(80), 4 packets 
000175: Feb 19 16:22:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52140) -> 178.255.83.1(80), 3 packets 
000176: Feb 19 16:22:19.241 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1753433703 1492 bytes is out-of-order; expected seq:2541508909. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52209 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000177: Feb 19 16:23:35.341 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1649062972 1492 bytes is out-of-order; expected seq:2645879640. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52224 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000178: Feb 19 16:23:38.353 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1653348061 1492 bytes is out-of-order; expected seq:2641594551. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52223 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000179: Feb 19 16:23:43.405 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1652601733 1492 bytes is out-of-order; expected seq:2642339427. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52223 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000180: Feb 19 16:23:45.273 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1652108053 1492 bytes is out-of-order; expected seq:2642834559. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52223 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000181: Feb 19 16:25:17.653 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52180) -> 217.108.165.113(80), 3 packets 
000182: Feb 19 16:25:17.701 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1547697866 1492 bytes is out-of-order; expected seq:2747243294. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52237 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000183: Feb 19 16:25:23.393 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1546717766 1492 bytes is out-of-order; expected seq:2748224846. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52237 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000184: Feb 19 16:25:27.365 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1546010642 1492 bytes is out-of-order; expected seq:2748931970. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52237 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000185: Feb 19 16:27:06.969 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52250) -> 193.99.144.85(80), 1 packet 
000186: Feb 19 16:27:37.561 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 193.99.144.85(80) -> XXX.XXX.XXX.XXX(52250), 1 packet 
000187: Feb 19 16:28:00.061 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52268) -> 194.117.143.85(80), 1 packet 
000188: Feb 19 16:28:21.077 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52272) -> 194.117.143.87(80), 1 packet 
000189: Feb 19 16:28:30.809 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 194.117.143.85(80) -> XXX.XXX.XXX.XXX(52268), 1 packet 
000190: Feb 19 16:28:51.801 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 194.117.143.87(80) -> XXX.XXX.XXX.XXX(52272), 1 packet 
000191: Feb 19 16:28:54.569 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52311) -> 194.117.143.85(80), 1 packet 
000192: Feb 19 16:29:15.589 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52318) -> 194.117.143.87(80), 1 packet 
000193: Feb 19 16:29:24.621 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 194.117.143.85(80) -> XXX.XXX.XXX.XXX(52311), 1 packet 
000194: Feb 19 16:29:46.129 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 194.117.143.87(80) -> XXX.XXX.XXX.XXX(52318), 1 packet 
000195: Feb 19 16:30:45.589 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1208966184 1492 bytes is out-of-order; expected seq:3085976428. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52392 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000196: Feb 19 16:30:51.461 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1200087051 1492 bytes is out-of-order; expected seq:3094855561. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52394 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000197: Feb 19 16:30:54.417 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1199035803 1492 bytes is out-of-order; expected seq:3095905357. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52394 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000198: Feb 19 16:30:55.929 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1198672803 1492 bytes is out-of-order; expected seq:3096268357. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:52394 to 208.71.173.248:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000199: Feb 19 16:32:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52250) -> 193.99.144.85(80), 3 packets 
000200: Feb 19 16:32:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52251) -> 193.99.144.85(80), 4 packets 
000201: Feb 19 16:32:29.465 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52406) -> 217.108.165.113(80), 1 packet 
000202: Feb 19 16:32:59.761 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 217.108.165.113(80) -> XXX.XXX.XXX.XXX(52406), 1 packet 
000203: Feb 19 16:33:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 193.99.144.85(80) -> XXX.XXX.XXX.XXX(52251), 1 packet 
000204: Feb 19 16:33:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52268) -> 194.117.143.85(80), 3 packets 
000205: Feb 19 16:33:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52269) -> 194.117.143.85(80), 4 packets 
000206: Feb 19 16:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52273) -> 194.117.143.87(80), 4 packets 
000207: Feb 19 16:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52311) -> 194.117.143.85(80), 3 packets 
000208: Feb 19 16:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52318) -> 194.117.143.87(80), 3 packets 
000209: Feb 19 16:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52272) -> 194.117.143.87(80), 3 packets 
000210: Feb 19 16:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 194.117.143.85(80) -> XXX.XXX.XXX.XXX(52269), 1 packet 
000211: Feb 19 16:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 194.117.143.87(80) -> XXX.XXX.XXX.XXX(52273), 1 packet 
000212: Feb 19 16:36:13.057 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 1 packet 
000213: Feb 19 16:38:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(52406) -> 217.108.165.113(80), 3 packets 
000214: Feb 19 16:41:17.649 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 2 packets 
000215: Feb 19 16:47:40.353 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33310), 1 packet 
000216: Feb 19 16:48:00.369 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33311), 1 packet 
000217: Feb 19 16:48:20.561 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33314), 1 packet 
000218: Feb 19 16:48:22.929 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33316), 1 packet 
000219: Feb 19 16:48:42.945 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33317), 1 packet 
000220: Feb 19 16:49:10.125 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33326), 1 packet 
000221: Feb 19 16:50:01.025 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33327), 1 packet 
000222: Feb 19 16:53:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33311), 4 packets 
000223: Feb 19 16:53:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33312), 7 packets 
000224: Feb 19 16:53:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33310), 6 packets 
000225: Feb 19 16:53:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33313), 7 packets 
000226: Feb 19 16:54:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33326), 6 packets 
000227: Feb 19 16:54:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33316), 6 packets 
000228: Feb 19 16:54:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33315), 5 packets 
000229: Feb 19 16:54:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33314), 4 packets 
000230: Feb 19 16:54:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.71.173.239(443) -> XXX.XXX.XXX.XXX(33317), 4 packets 
000231: Feb 19 16:55:28.373 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:355693858 576 bytes is out-of-order; expected seq:355684950. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:57531 to 208.71.173.239:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000232: Feb 19 16:55:39.817 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33076), 1 packet 
000233: Feb 19 16:55:59.921 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33079), 1 packet 
000234: Feb 19 16:56:19.325 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33084), 1 packet 
000235: Feb 19 16:56:56.457 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33095), 1 packet 
000236: Feb 19 16:57:16.397 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33096), 1 packet 
000237: Feb 19 17:01:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33079), 1 packet 
000238: Feb 19 17:01:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33076), 1 packet 
000239: Feb 19 17:02:11.481 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(58914) -> 93.184.216.119(80), 1 packet 
000240: Feb 19 17:02:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33096), 1 packet 
000241: Feb 19 17:02:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33084), 1 packet 
000242: Feb 19 17:02:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.107.143(443) -> XXX.XXX.XXX.XXX(33095), 1 packet 
000243: Feb 19 17:02:42.065 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(58914), 1 packet 
000244: Feb 19 17:07:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(58914) -> 93.184.216.119(80), 3 packets 
000245: Feb 19 18:21:15.829 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-479818433 576 bytes is out-of-order; expected seq:3815139955. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000246: Feb 19 18:21:36.053 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-477332577 576 bytes is out-of-order; expected seq:3817625287. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000247: Feb 19 18:22:16.077 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-471886121 576 bytes is out-of-order; expected seq:3823072267. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000248: Feb 19 18:22:26.045 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-470580837 576 bytes is out-of-order; expected seq:3824377027. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000249: Feb 19 18:22:46.081 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-468113845 576 bytes is out-of-order; expected seq:3826844543. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000250: Feb 19 18:22:56.081 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-466722101 576 bytes is out-of-order; expected seq:3828235763. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000251: Feb 19 18:23:06.137 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-465735933 576 bytes is out-of-order; expected seq:3829222455. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000252: Feb 19 18:23:16.193 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-464499293 576 bytes is out-of-order; expected seq:3830459095. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000253: Feb 19 18:23:26.105 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-463347541 576 bytes is out-of-order; expected seq:3831609275. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000254: Feb 19 18:23:26.561 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51221) -> 93.184.216.119(80), 1 packet 
000255: Feb 19 18:23:36.105 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-462084177 576 bytes is out-of-order; expected seq:3832874211. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000256: Feb 19 18:23:56.941 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(51221), 1 packet 
000257: Feb 19 18:24:17.593 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-455667797 576 bytes is out-of-order; expected seq:3839290591. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000258: Feb 19 18:24:26.109 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-454588357 576 bytes is out-of-order; expected seq:3840370031. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000259: Feb 19 18:24:46.149 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-451802773 576 bytes is out-of-order; expected seq:3843155091. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000260: Feb 19 18:24:56.137 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-450834945 576 bytes is out-of-order; expected seq:3844123443. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000261: Feb 19 18:25:06.189 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-449474117 576 bytes is out-of-order; expected seq:3845484271. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000262: Feb 19 18:25:16.157 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-448232237 576 bytes is out-of-order; expected seq:3846726151. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000263: Feb 19 18:25:26.161 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-446868789 576 bytes is out-of-order; expected seq:3848089075. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000264: Feb 19 18:25:38.385 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-445440889 576 bytes is out-of-order; expected seq:3849488155. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000265: Feb 19 18:25:45.369 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-444194293 576 bytes is out-of-order; expected seq:3850761475. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000266: Feb 19 18:25:52.337 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-443761469 576 bytes is out-of-order; expected seq:3851185391. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000267: Feb 19 18:25:56.269 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-443573877 576 bytes is out-of-order; expected seq:3851384511. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000268: Feb 19 18:26:12.025 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1892840027 576 bytes is out-of-order; expected seq:1892830595. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36424 to 96.6.210.70:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000269: Feb 19 18:26:16.277 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-441853061 576 bytes is out-of-order; expected seq:3853105327. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000270: Feb 19 18:26:20.337 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1894419363 576 bytes is out-of-order; expected seq:1894402595. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36424 to 96.6.210.70:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000271: Feb 19 18:26:26.209 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-440918769 576 bytes is out-of-order; expected seq:3854037523. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000272: Feb 19 18:26:36.221 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-439632349 576 bytes is out-of-order; expected seq:3855326039. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000273: Feb 19 18:26:53.429 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-436990341 576 bytes is out-of-order; expected seq:3857968047. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000274: Feb 19 18:26:56.273 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-436768689 576 bytes is out-of-order; expected seq:3858188651. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000275: Feb 19 18:27:06.269 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-435598073 576 bytes is out-of-order; expected seq:3859355599. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000276: Feb 19 18:27:26.241 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-433429761 576 bytes is out-of-order; expected seq:3861528627. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000277: Feb 19 18:27:36.285 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-432241329 576 bytes is out-of-order; expected seq:3862717059. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000278: Feb 19 18:27:46.213 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-431060233 576 bytes is out-of-order; expected seq:3863898155. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000279: Feb 19 18:27:56.357 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-429769097 576 bytes is out-of-order; expected seq:3865189291. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000280: Feb 19 18:28:16.217 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-426958885 576 bytes is out-of-order; expected seq:3867999503. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000281: Feb 19 18:28:26.257 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-425520505 576 bytes is out-of-order; expected seq:3869435787. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000282: Feb 19 18:28:29.225 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 199.212.0.48(80) -> XXX.XXX.XXX.XXX(2746), 1 packet 
000283: Feb 19 18:28:56.345 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-420833849 576 bytes is out-of-order; expected seq:3874124015. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000284: Feb 19 18:29:06.329 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-419915801 576 bytes is out-of-order; expected seq:3875042063. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37155 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000285: Feb 19 18:29:17.653 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(51221) -> 93.184.216.119(80), 3 packets 
000286: Feb 19 18:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 199.212.0.48(80) -> XXX.XXX.XXX.XXX(2746), 6 packets 
000287: Feb 19 18:35:54.881 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-653951224 576 bytes is out-of-order; expected seq:3641007164. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60607 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000288: Feb 19 18:35:56.681 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-653839612 576 bytes is out-of-order; expected seq:3641118776. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60607 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000289: Feb 19 18:36:06.529 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-652857112 576 bytes is out-of-order; expected seq:3642100752. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60607 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000290: Feb 19 18:36:16.597 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-651467988 576 bytes is out-of-order; expected seq:3643490400. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60607 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000291: Feb 19 18:36:26.561 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-650204624 576 bytes is out-of-order; expected seq:3644753240. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60607 to 155.98.64.87:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000292: Feb 19 18:40:36.417 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.27.193.231(80) -> XXX.XXX.XXX.XXX(33413), 1 packet 
000293: Feb 19 18:40:54.897 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2747), 1 packet 
000294: Feb 19 18:41:14.933 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2748), 1 packet 
000295: Feb 19 18:41:31.201 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33280), 1 packet 
000296: Feb 19 18:41:35.229 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2752), 1 packet 
000297: Feb 19 18:41:51.221 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33283), 1 packet 
000298: Feb 19 18:42:04.173 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33286), 1 packet 
000299: Feb 19 18:42:11.265 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33287), 1 packet 
000300: Feb 19 18:42:24.169 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33289), 1 packet 
000301: Feb 19 18:44:39.653 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 63.245.217.113(443) -> XXX.XXX.XXX.XXX(2753), 1 packet 
000302: Feb 19 18:45:17.649 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
000303: Feb 19 18:46:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2749), 7 packets 
000304: Feb 19 18:46:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2750), 7 packets 
000305: Feb 19 18:46:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2747), 6 packets 
000306: Feb 19 18:46:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.27.193.231(80) -> XXX.XXX.XXX.XXX(33414), 6 packets 
000307: Feb 19 18:46:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2748), 4 packets 
000308: Feb 19 18:46:49.821 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.233(80) -> XXX.XXX.XXX.XXX(33323), 1 packet 
000309: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33284), 7 packets 
000310: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2752), 4 packets 
000311: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33280), 6 packets 
000312: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 97.74.215.143(80) -> XXX.XXX.XXX.XXX(2751), 5 packets 
000313: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33283), 4 packets 
000314: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33286), 6 packets 
000315: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33288), 5 packets 
000316: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33287), 4 packets 
000317: Feb 19 18:47:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33285), 7 packets 
000318: Feb 19 18:48:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.82.58.30(443) -> XXX.XXX.XXX.XXX(33289), 4 packets 
000319: Feb 19 18:50:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 63.245.217.113(443) -> XXX.XXX.XXX.XXX(2753), 17 packets 
000320: Feb 19 18:51:32.101 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33061), 1 packet 
000321: Feb 19 18:52:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.233(80) -> XXX.XXX.XXX.XXX(33323), 22 packets 
000322: Feb 19 18:54:44.369 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2754), 1 packet 
000323: Feb 19 18:57:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33063), 18 packets 
000324: Feb 19 18:57:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33065), 18 packets 
000325: Feb 19 18:57:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33066), 18 packets 
000326: Feb 19 18:57:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33064), 18 packets 
000327: Feb 19 18:57:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33061), 17 packets 
000328: Feb 19 18:57:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(33062), 18 packets 
000329: Feb 19 19:00:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2755), 5 packets 
000330: Feb 19 19:00:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2754), 4 packets 
000331: Feb 19 19:00:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2756), 5 packets 
000332: Feb 19 19:00:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2758), 5 packets 
000333: Feb 19 19:00:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2759), 5 packets 
000334: Feb 19 19:00:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 184.24.20.43(443) -> XXX.XXX.XXX.XXX(2757), 5 packets 
000335: Feb 19 19:12:35.277 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1576929813 576 bytes is out-of-order; expected seq:2718007091. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:34911 to 173.194.64.138:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000336: Feb 19 19:14:40.273 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1113066537 576 bytes is out-of-order; expected seq:3181891851. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:39964 to 64.212.100.40:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000337: Feb 19 19:14:40.909 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57917) -> 93.184.216.119(80), 1 packet 
000338: Feb 19 19:15:04.317 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1120322620 576 bytes is out-of-order; expected seq:3174633672. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:39967 to 64.212.100.40:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000339: Feb 19 19:15:06.505 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57929) -> 93.184.216.119(80), 1 packet 
000340: Feb 19 19:15:11.629 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57935) -> 93.184.216.119(80), 1 packet 
000341: Feb 19 19:15:18.441 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57937) -> 93.184.216.119(80), 1 packet 
000342: Feb 19 19:15:37.277 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(57929), 1 packet 
000343: Feb 19 19:15:42.401 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(57935), 1 packet 
000344: Feb 19 19:15:49.057 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(57937), 1 packet 
000345: Feb 19 19:16:13.225 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(57941), 1 packet 
000346: Feb 19 19:17:02.421 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1886945542 576 bytes is out-of-order; expected seq:2407997650. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:55002 to 192.150.16.64:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000347: Feb 19 19:19:01.153 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32990), 1 packet 
000348: Feb 19 19:19:11.773 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32995), 1 packet 
000349: Feb 19 19:19:15.053 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(58068) -> 93.184.216.119(80), 1 packet 
000350: Feb 19 19:19:17.649 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets
000351: Feb 19 19:19:45.321 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(58068), 1 packet 
000352: Feb 19 19:20:17.661 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57935) -> 93.184.216.119(80), 2 packets 
000353: Feb 19 19:20:17.661 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57929) -> 93.184.216.119(80), 2 packets 
000354: Feb 19 19:20:24.029 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1846232464 576 bytes is out-of-order; expected seq:1846198404. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:50287 to 206.111.11.16:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000355: Feb 19 19:20:29.977 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1848020352 576 bytes is out-of-order; expected seq:1847987340. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:50287 to 206.111.11.16:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000356: Feb 19 19:21:07.713 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:912175669 576 bytes is out-of-order; expected seq:912137941. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:34883 to 208.117.239.88:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000357: Feb 19 19:21:15.829 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:914776281 576 bytes is out-of-order; expected seq:914732789. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:34883 to 208.117.239.88:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000358: Feb 19 19:21:17.661 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(57941), 2 packets 
000359: Feb 19 19:21:17.661 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57941) -> 93.184.216.119(80), 9 packets 
000360: Feb 19 19:21:17.661 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(57937) -> 93.184.216.119(80), 4 packets 
000361: Feb 19 19:21:19.845 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:916035453 576 bytes is out-of-order; expected seq:916001917. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:34883 to 208.117.239.88:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000362: Feb 19 19:21:34.401 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:920631457 576 bytes is out-of-order; expected seq:920593729. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:34883 to 208.117.239.88:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000363: Feb 19 19:22:20.009 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:988968635 576 bytes is out-of-order; expected seq:988945055. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:45146 to 208.65.155.16:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000364: Feb 19 19:22:21.213 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.7(80) -> XXX.XXX.XXX.XXX(2760), 1 packet 
000365: Feb 19 19:22:31.689 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:991167339 576 bytes is out-of-order; expected seq:991131707. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:45146 to 208.65.155.16:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000366: Feb 19 19:23:21.029 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-118799106 576 bytes is out-of-order; expected seq:4176133082. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60148 to 74.125.213.148:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000367: Feb 19 19:23:22.793 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-118697974 576 bytes is out-of-order; expected seq:4176258318. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60148 to 74.125.213.148:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000368: Feb 19 19:23:29.713 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-117736958 576 bytes is out-of-order; expected seq:4177217238. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60148 to 74.125.213.148:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000369: Feb 19 19:23:34.657 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-116824150 576 bytes is out-of-order; expected seq:4178129522. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60148 to 74.125.213.148:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000370: Feb 19 19:23:43.161 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-114989626 576 bytes is out-of-order; expected seq:4179962998. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60148 to 74.125.213.148:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000371: Feb 19 19:23:52.941 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-112781490 576 bytes is out-of-order; expected seq:4182148078. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:60148 to 74.125.213.148:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000372: Feb 19 19:24:16.833 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.213.241(80) -> XXX.XXX.XXX.XXX(2761), 1 packet 
000373: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32989), 16 packets 
000374: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32990), 15 packets 
000375: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32991), 16 packets 
000376: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32994), 16 packets 
000377: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(58068) -> 93.184.216.119(80), 4 packets 
000378: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32993), 16 packets 
000379: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32995), 22 packets 
000380: Feb 19 19:24:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.6(80) -> XXX.XXX.XXX.XXX(32992), 9 packets 
000381: Feb 19 19:24:46.093 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.117.239.86(80) -> XXX.XXX.XXX.XXX(2762), 1 packet 
000382: Feb 19 19:25:28.509 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.167(80) -> XXX.XXX.XXX.XXX(2763), 1 packet 
000383: Feb 19 19:25:30.625 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.167(80) -> XXX.XXX.XXX.XXX(2764), 1 packet 
000384: Feb 19 19:25:32.989 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2025898071 576 bytes is out-of-order; expected seq:2269032545. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000385: Feb 19 19:25:36.949 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2024676627 576 bytes is out-of-order; expected seq:2270256085. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000386: Feb 19 19:25:41.649 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2023247155 576 bytes is out-of-order; expected seq:2271684509. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000387: Feb 19 19:25:45.017 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2022238455 576 bytes is out-of-order; expected seq:2272693733. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000388: Feb 19 19:25:48.033 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2021330887 576 bytes is out-of-order; expected seq:2273602873. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000389: Feb 19 19:25:53.129 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2019716967 576 bytes is out-of-order; expected seq:2275216793. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000390: Feb 19 19:26:09.569 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2014453695 576 bytes is out-of-order; expected seq:2280480589. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000391: Feb 19 19:26:11.837 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2013810747 576 bytes is out-of-order; expected seq:2281122489. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000392: Feb 19 19:26:19.653 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2011185507 576 bytes is out-of-order; expected seq:2283740917. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000393: Feb 19 19:26:22.721 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2010277939 576 bytes is out-of-order; expected seq:2284656345. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000394: Feb 19 19:26:23.877 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2010067291 576 bytes is out-of-order; expected seq:2284871185. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000395: Feb 19 19:26:31.537 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2007672611 576 bytes is out-of-order; expected seq:2287254861. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000396: Feb 19 19:26:32.781 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2007383887 576 bytes is out-of-order; expected seq:2287553541. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000397: Feb 19 19:26:40.909 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2004828339 576 bytes is out-of-order; expected seq:2290095989. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000398: Feb 19 19:26:50.273 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-2001820055 576 bytes is out-of-order; expected seq:2293114229. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000399: Feb 19 19:26:55.937 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1999914267 576 bytes is out-of-order; expected seq:2295015301. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000400: Feb 19 19:26:58.465 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1999138223 576 bytes is out-of-order; expected seq:2295791869. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000401: Feb 19 19:27:00.641 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1998563395 576 bytes is out-of-order; expected seq:2296371413. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000402: Feb 19 19:27:11.709 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1994932075 576 bytes is out-of-order; expected seq:2300000637. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000403: Feb 19 19:27:18.441 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1992718175 576 bytes is out-of-order; expected seq:2302211917. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000404: Feb 19 19:27:20.717 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1992095139 576 bytes is out-of-order; expected seq:2302842289. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000405: Feb 19 19:27:54.917 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1980772547 576 bytes is out-of-order; expected seq:2314151257. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:37522 to 208.117.239.160:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000406: Feb 19 19:28:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.7(80) -> XXX.XXX.XXX.XXX(2760), 22 packets 
000407: Feb 19 19:28:40.613 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.204(80) -> XXX.XXX.XXX.XXX(2765), 1 packet 
000408: Feb 19 19:29:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.213.241(80) -> XXX.XXX.XXX.XXX(2761), 8 packets 
000409: Feb 19 19:30:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 208.117.239.86(80) -> XXX.XXX.XXX.XXX(2762), 8 packets 
000410: Feb 19 19:31:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.167(80) -> XXX.XXX.XXX.XXX(2763), 22 packets 
000411: Feb 19 19:31:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.167(80) -> XXX.XXX.XXX.XXX(2764), 22 packets 
000412: Feb 19 19:34:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.204(80) -> XXX.XXX.XXX.XXX(2765), 22 packets 
000413: Feb 19 19:34:26.161 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.232(80) -> XXX.XXX.XXX.XXX(2766), 1 packet 
000414: Feb 19 19:34:29.325 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.232(80) -> XXX.XXX.XXX.XXX(2767), 1 packet 
000415: Feb 19 19:34:53.113 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.111.11.50(80) -> XXX.XXX.XXX.XXX(32998), 1 packet 
000416: Feb 19 19:35:01.829 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:533892625 576 bytes is out-of-order; expected seq:533880049. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000417: Feb 19 19:35:11.849 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:536597513 576 bytes is out-of-order; expected seq:536563453. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000418: Feb 19 19:35:16.021 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:537572153 576 bytes is out-of-order; expected seq:537532329. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000419: Feb 19 19:35:18.069 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:537846729 576 bytes is out-of-order; expected seq:537834153. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000420: Feb 19 19:35:23.937 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.8(80) -> XXX.XXX.XXX.XXX(32790), 1 packet 
000421: Feb 19 19:35:27.177 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:539985697 576 bytes is out-of-order; expected seq:539967881. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000422: Feb 19 19:35:33.521 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541488005 576 bytes is out-of-order; expected seq:541453421. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000423: Feb 19 19:35:33.701 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.8(80) -> XXX.XXX.XXX.XXX(32791), 1 packet 
000424: Feb 19 19:35:34.549 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541502677 576 bytes is out-of-order; expected seq:541462853. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000425: Feb 19 19:35:35.713 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541505821 576 bytes is out-of-order; expected seq:541464425. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000426: Feb 19 19:35:36.845 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541508965 576 bytes is out-of-order; expected seq:541465997. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000427: Feb 19 19:35:37.949 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541512109 576 bytes is out-of-order; expected seq:541467569. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000428: Feb 19 19:35:39.041 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541515253 576 bytes is out-of-order; expected seq:541469141. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000429: Feb 19 19:35:40.113 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541518397 576 bytes is out-of-order; expected seq:541470713. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000430: Feb 19 19:35:41.173 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541521541 576 bytes is out-of-order; expected seq:541472285. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000431: Feb 19 19:35:42.233 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541524685 576 bytes is out-of-order; expected seq:541473857. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000432: Feb 19 19:35:43.301 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541527829 576 bytes is out-of-order; expected seq:541475429. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000433: Feb 19 19:35:44.353 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541530973 576 bytes is out-of-order; expected seq:541477001. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000434: Feb 19 19:35:45.425 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:541534117 576 bytes is out-of-order; expected seq:541478573. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000435: Feb 19 19:35:52.953 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:542456881 576 bytes is out-of-order; expected seq:542439065. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000436: Feb 19 19:36:09.797 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:544209137 576 bytes is out-of-order; expected seq:544191321. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000437: Feb 19 19:36:16.813 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:545691533 576 bytes is out-of-order; expected seq:545677385. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000438: Feb 19 19:36:23.129 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:547051313 576 bytes is out-of-order; expected seq:547038737. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000439: Feb 19 19:36:24.297 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:547111573 576 bytes is out-of-order; expected seq:547101617. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000440: Feb 19 19:36:39.829 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:550256621 576 bytes is out-of-order; expected seq:550234089. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000441: Feb 19 19:36:41.817 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:550385525 576 bytes is out-of-order; expected seq:550376617. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000442: Feb 19 19:36:49.185 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:551723821 576 bytes is out-of-order; expected seq:551706529. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000443: Feb 19 19:36:55.285 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:553078361 576 bytes is out-of-order; expected seq:553064213. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000444: Feb 19 19:36:59.785 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:553949249 576 bytes is out-of-order; expected seq:553937721. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000445: Feb 19 19:37:03.581 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:554556565 576 bytes is out-of-order; expected seq:554543989. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000446: Feb 19 19:37:09.769 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:555846129 576 bytes is out-of-order; expected seq:555833553. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000447: Feb 19 19:37:12.237 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:556268997 576 bytes is out-of-order; expected seq:556259565. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000448: Feb 19 19:37:16.601 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:556999977 576 bytes is out-of-order; expected seq:556988973. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000449: Feb 19 19:37:24.705 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:558515909 576 bytes is out-of-order; expected seq:558498617. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000450: Feb 19 19:37:28.497 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:559274137 576 bytes is out-of-order; expected seq:559265229. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000451: Feb 19 19:37:42.349 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:562764501 576 bytes is out-of-order; expected seq:562747733. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000452: Feb 19 19:37:51.069 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:563822457 576 bytes is out-of-order; expected seq:563788921. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000453: Feb 19 19:37:53.013 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:564082361 576 bytes is out-of-order; expected seq:564069261. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000454: Feb 19 19:37:59.577 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:565440569 576 bytes is out-of-order; expected seq:565420133. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000455: Feb 19 19:38:02.721 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:565999153 576 bytes is out-of-order; expected seq:565985529. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000456: Feb 19 19:38:15.337 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:569087609 576 bytes is out-of-order; expected seq:569051977. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000457: Feb 19 19:38:17.877 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:569582265 576 bytes is out-of-order; expected seq:569541917. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000458: Feb 19 19:38:20.025 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:569930201 576 bytes is out-of-order; expected seq:569921293. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000459: Feb 19 19:38:32.477 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:572756133 576 bytes is out-of-order; expected seq:572744605. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000460: Feb 19 19:38:33.841 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:572783381 576 bytes is out-of-order; expected seq:572744605. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000461: Feb 19 19:38:35.037 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:572786525 576 bytes is out-of-order; expected seq:572745653. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000462: Feb 19 19:38:36.185 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:572789669 576 bytes is out-of-order; expected seq:572747225. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000463: Feb 19 19:39:10.221 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:576899401 576 bytes is out-of-order; expected seq:576880013. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000464: Feb 19 19:39:18.849 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:579080289 576 bytes is out-of-order; expected seq:579064569. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000465: Feb 19 19:39:21.633 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:579476957 576 bytes is out-of-order; expected seq:579448137. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000466: Feb 19 19:39:23.669 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:579799217 576 bytes is out-of-order; expected seq:579780877. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000467: Feb 19 19:39:40.241 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:584235925 576 bytes is out-of-order; expected seq:584221253. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000468: Feb 19 19:39:47.121 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:584759925 576 bytes is out-of-order; expected seq:584741585. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000469: Feb 19 19:39:54.529 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:585459465 576 bytes is out-of-order; expected seq:585448985. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000470: Feb 19 19:40:06.521 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:587416081 576 bytes is out-of-order; expected seq:587400361. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000471: Feb 19 19:40:11.381 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:587684369 576 bytes is out-of-order; expected seq:587666029. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000472: Feb 19 19:40:14.761 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:588288017 576 bytes is out-of-order; expected seq:588271249. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000473: Feb 19 19:40:17.277 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:588708789 576 bytes is out-of-order; expected seq:588699881. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000474: Feb 19 19:40:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.111.11.50(80) -> XXX.XXX.XXX.XXX(32997), 22 packets 
000475: Feb 19 19:40:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.232(80) -> XXX.XXX.XXX.XXX(2766), 7 packets 
000476: Feb 19 19:40:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.111.11.50(80) -> XXX.XXX.XXX.XXX(32998), 22 packets 
000477: Feb 19 19:40:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.232(80) -> XXX.XXX.XXX.XXX(2767), 6 packets 
000478: Feb 19 19:40:17.653 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.224.232(80) -> XXX.XXX.XXX.XXX(2768), 9 packets 
000479: Feb 19 19:40:28.005 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:591076745 576 bytes is out-of-order; expected seq:591065217. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000480: Feb 19 19:40:29.849 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:591220321 576 bytes is out-of-order; expected seq:591204601. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000481: Feb 19 19:40:38.745 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:593055893 576 bytes is out-of-order; expected seq:593013973. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000482: Feb 19 19:40:43.557 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:594286769 576 bytes is out-of-order; expected seq:594274193. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000483: Feb 19 19:40:47.033 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:594707541 576 bytes is out-of-order; expected seq:594677673. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000484: Feb 19 19:40:49.481 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:595140889 576 bytes is out-of-order; expected seq:595131981. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000485: Feb 19 19:40:59.021 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:597309725 576 bytes is out-of-order; expected seq:597299245. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000486: Feb 19 19:41:02.649 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:597842109 576 bytes is out-of-order; expected seq:597826389. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000487: Feb 19 19:41:07.285 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:598710901 576 bytes is out-of-order; expected seq:598692561. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000488: Feb 19 19:41:16.161 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:599918721 576 bytes is out-of-order; expected seq:599884137. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000489: Feb 19 19:41:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.8(80) -> XXX.XXX.XXX.XXX(32790), 22 packets 
000490: Feb 19 19:41:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.125.239.8(80) -> XXX.XXX.XXX.XXX(32791), 22 packets 
000491: Feb 19 19:41:27.849 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:601843373 576 bytes is out-of-order; expected seq:601825033. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000492: Feb 19 19:41:29.097 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:601951841 576 bytes is out-of-order; expected seq:601938217. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000493: Feb 19 19:41:44.117 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:604519441 576 bytes is out-of-order; expected seq:604506341. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000494: Feb 19 19:41:53.681 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:606706617 576 bytes is out-of-order; expected seq:606689325. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:36978 to 74.125.213.149:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000495: Feb 19 19:42:36.465 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2769), 1 packet 
000496: Feb 19 19:42:39.561 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2772), 1 packet 
000497: Feb 19 19:48:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2773), 5 packets 
000498: Feb 19 19:48:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2770), 5 packets 
000499: Feb 19 19:48:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2769), 4 packets 
000500: Feb 19 19:48:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2771), 5 packets 
000501: Feb 19 19:48:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 74.43.218.208(80) -> XXX.XXX.XXX.XXX(2772), 4 packets 
000502: Feb 19 20:09:33.849 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied udp XXX.XXX.XXX.XXX(2588) -> 74.43.218.208(137), 1 packet 
000503: Feb 19 20:09:38.461 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied udp XXX.XXX.XXX.XXX(2589) -> 74.43.218.209(137), 1 packet 
000504: Feb 19 20:15:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied udp XXX.XXX.XXX.XXX(2589) -> 74.43.218.209(137), 2 packets 
000505: Feb 19 20:15:17.649 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied udp XXX.XXX.XXX.XXX(2588) -> 74.43.218.208(137), 2 packets 
000506: Feb 19 20:37:05.632 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 1 packet 
000507: Feb 19 20:42:17.648 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 2 packets 
000508: Feb 19 21:35:01.564 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49472) -> 93.184.216.119(80), 1 packet 
000509: Feb 19 21:35:02.484 PCTime: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1210136673 1492 bytes is out-of-order; expected seq:1210113441. Reason: TCP reassembly queue overflow - session XXX.XXX.XXX.XXX:49471 to 208.96.23.170:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
000510: Feb 19 21:35:31.984 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(49472), 1 packet 
000511: Feb 19 21:40:17.648 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49472) -> 93.184.216.119(80), 3 packets 
000512: Feb 19 21:40:17.648 PCTime: %SEC-6-IPACCESSLOGP: list 110 denied tcp XXX.XXX.XXX.XXX(49476) -> 93.184.216.119(80), 4 packets 
000513: Feb 19 21:41:17.648 PCTime: %SEC-6-IPACCESSLOGP: list 120 denied tcp 93.184.216.119(80) -> XXX.XXX.XXX.XXX(49476), 1 packet 
000514: Feb 20 00:38:17.647 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 3 packets 
000515: Feb 20 04:39:17.646 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 3 packets 
000516: Feb 20 07:33:17.646 PCTime: %SEC-6-IPACCESSLOGDP: list 120 denied icmp 202.176.209.3 -> XXX.XXX.XXX.XXX (11/0), 3 packets 

 



Posted by John Dodrill at 1/31/2012 8:30 PM
Categories: uncategorized
Tags: cisco IOS Cisco 861 861 hacking Netgear Cradlepoint router ISP firewall APNIC ARIN LacNIC RIPE IANA IP udp tcp icmp object-group access-list AfriNIC Multicast APIPA protocol protocols port ports type types DNS http https ftp ftps pop pop3 cPanel imap tls ssl echo trace route tracert free
Previous Post
Next Post

 

What did you think of this article?




Trackbacks
Trackback specific URL for this post
  • No trackbacks exist for this post.
Comments
  • No comments exist for this post.
Leave a comment

Submitted comments are subject to moderation before being displayed.

 Name (required)

 Email (will not be published) (required)

 Website

Your comment is 0 characters limited to 3000 characters.