From: Sami Halabi
To: freebsd-ipfw
Date: Mon, 7 Jan 2013 18:09:11 +0200
Subject: rules for core router

Hi, I have a core router that I want to enable a firewall on.
Are these enough for a start?

ipfw add 100 allow all from any to any via lo0
ipfw add 25000 allow all from me to any
ipfw add 25100 allow ip from "table(7)" to me dst-port 179
#ipfw add 25150 allow ip from "table(7)" to me
ipfw add 25200 allow ip from "table(8)" to me dst-port 161
#ipfw add 25250 allow ip from "table(8)" to me
ipfw add 25300 allow all from any to me dst-port 22
ipfw add 25400 allow icmp from any to any
ipfw add 25500 deny all from any to me
ipfw add 230000 allow all from any to any

Table 7 holds my BGP peers, table 8 my NMS.

Do I need to open anything more? Any routing protocol/forwarding plane issues?

Another thing: I plan to add the following rule:

ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any

Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need to do anything else?

Thanks in advance,
-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
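As an added illustration (not part of Sami's post or of ipfw itself), here is a small first-match simulator of the rule set above, including the proposed fwd rule, that reports which rule a given packet hits; the router's own addresses, the table contents and 203.0.113.0/24 (standing in for a.b.c.0/24) are constructed assumptions.

```python
import ipaddress

# Constructed sample data: the router's own addresses ("me") and the two
# tables from the post (table 7 = BGP peers, table 8 = NMS hosts).
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}
TABLES = {7: {"198.51.100.2"}, 8: {"192.0.2.50"}}

# The post's rule set, one tuple per rule:
# (number, action, proto, src, dst, dst-port, via interface).
# 203.0.113.0/24 stands in for the post's a.b.c.0/24 in rule 26000.
RULES = [
    (100,    "allow", "all",  "any",            "any", None, "lo0"),
    (25000,  "allow", "all",  "me",             "any", None, None),
    (25100,  "allow", "ip",   "table(7)",       "me",  179,  None),
    (25200,  "allow", "ip",   "table(8)",       "me",  161,  None),
    (25300,  "allow", "all",  "any",            "me",  22,   None),
    (25400,  "allow", "icmp", "any",            "any", None, None),
    (25500,  "deny",  "all",  "any",            "me",  None, None),
    (26000,  "fwd",   "all",  "203.0.113.0/24", "any", None, None),
    (230000, "allow", "all",  "any",            "any", None, None),
]


def addr_matches(spec, addr):
    """Does one ipfw address spec (any / me / table(N) / CIDR) cover addr?"""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ROUTER_ADDRS
    if spec.startswith("table("):
        return addr in TABLES[int(spec[6:-1])]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def first_match(src, dst, proto, dport=None, iface="em0"):
    """First-match evaluation like ipfw: returns (rule number, action).

    proto is 'tcp', 'udp' or 'icmp'; a dst-port clause only ever matches
    tcp/udp, so ICMP skips the port-qualified rules as ipfw would.
    """
    for num, action, r_proto, r_src, r_dst, r_dport, r_via in RULES:
        if r_via is not None and iface != r_via:
            continue
        if r_proto not in ("all", "ip") and r_proto != proto:
            continue
        if r_dport is not None and (proto not in ("tcp", "udp") or dport != r_dport):
            continue
        if addr_matches(r_src, src) and addr_matches(r_dst, dst):
            return num, action
    return None  # ipfw's default rule 65535 would decide here
```

Running it shows, for example, that BGP from a non-table-7 host and SNMP from a non-NMS host both fall through to the 25500 deny, while transit traffic from the fwd prefix hits 26000 before the final allow.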