From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 14:45:02 2013
Date: Tue, 8 Jan 2013 16:44:55 +0200
Subject: firewall rules for core router
From: Sami Halabi
To: freebsd-ipfw, freebsd-net@freebsd.org
List-Id: IPFW Technical Discussions

Anyone?
On 7 Jan 2013 18:09, "Sami Halabi" wrote:
> Hi,
> I have a core router that I want to enable a firewall on.
> Are these enough for a start:
>
> ipfw add 100 allow all from any to any via lo0
> ipfw add 25000 allow all from me to any
> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
> #ipfw add 25150 allow ip from "table(7)" to me
> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
> #ipfw add 25250 allow ip from "table(8)" to me
> ipfw add 25300 allow all from any to me dst-port 22
> ipfw add 25400 allow icmp from any to any
> ipfw add 25500 deny all from any to me
> ipfw add 230000 allow all from any to any
>
> where table 7 is my BGP peers and table 8 my NMS.
>
> Do I need to open anything more? Any routing protocol/forwarding plane
> issues?
>
>
> Another thing:
> I plan to add the following rule
> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>
> Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need to
> do anything else?
> Thanks in advance,
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
>
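The following is an added example and is not part of the original post or a reply to it: a small first-match simulator for the ipfw ruleset quoted above, so that a reviewer can check which rule each kind of packet hits before loading the rules on a core router. ipfw walks rules in ascending number order and the first matching rule decides. All addresses, the contents of tables 7 and 8, and the `fwd` next hop are constructed placeholders (RFC 5737 and RFC 1918 ranges) standing in for the poster's `w.x.y.z`, `a.b.c.0/24` and real peers. The simulator models only the fields the quoted rules use (protocol, source, destination, destination port, `via` interface); it has no notion of `keep-state`, so it also makes visible that the ruleset is stateless: a reply to a query the router itself sent out (the `dns_reply_in` sample) lands on rule 25500 and is denied, and SSH (rule 25300) is reachable from any source rather than only from the NMS table.

```python
"""Added example: first-match simulator for the quoted ipfw ruleset.

Not code from the original mailing-list post.  Every address below is a
constructed placeholder (RFC 5737 / RFC 1918), not the poster's real data.
"""
import ipaddress

# Constructed data: the router's own addresses ("me"), table 7 (BGP peers)
# and table 8 (the NMS).
ME = {ipaddress.ip_address("198.51.100.1"), ipaddress.ip_address("203.0.113.1")}
TABLES = {
    7: [ipaddress.ip_network("198.51.100.2/32")],   # one BGP peer
    8: [ipaddress.ip_network("192.0.2.10/32")],     # the NMS host
}
NEXTHOP = "203.0.113.254"                          # stand-in for w.x.y.z
FWD_SRC = ipaddress.ip_network("10.0.0.0/24")      # stand-in for a.b.c.0/24

# The quoted rules, in ipfw evaluation order.  The two commented-out rules
# (25150, 25250) from the post are left out, as the poster left them.
# (number, action, proto, src, dst, dst-port, via, fwd target)
RULES = [
    (100,    "allow", "all",  "any",        "any", None, "lo0", None),
    (25000,  "allow", "all",  "me",         "any", None, None,  None),
    (25100,  "allow", "ip",   ("table", 7), "me",  179,  None,  None),
    (25200,  "allow", "ip",   ("table", 8), "me",  161,  None,  None),
    (25300,  "allow", "all",  "any",        "me",  22,   None,  None),
    (25400,  "allow", "icmp", "any",        "any", None, None,  None),
    (25500,  "deny",  "all",  "any",        "me",  None, None,  None),
    (26000,  "fwd",   "all",  FWD_SRC,      "any", None, None,  NEXTHOP),
    (230000, "allow", "all",  "any",        "any", None, None,  None),
]


def _addr_matches(spec, addr):
    """Match an address against 'any', 'me', ('table', n) or an ip_network."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    if isinstance(spec, tuple) and spec[0] == "table":
        return any(addr in net for net in TABLES[spec[1]])
    return addr in spec


def _rule_matches(rule, pkt):
    _num, _action, proto, src, dst, dport, via, _arg = rule
    if via is not None and pkt["iface"] != via:
        return False
    if proto not in ("all", "ip") and proto != pkt["proto"]:
        return False
    if not _addr_matches(src, pkt["src"]) or not _addr_matches(dst, pkt["dst"]):
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    return True


def evaluate(pkt):
    """Return (rule number, action, fwd target) of the first matching rule.

    ipfw's built-in rule 65535 denies unless the kernel was built with
    IPFIREWALL_DEFAULT_TO_ACCEPT; default deny is modelled here.
    """
    for rule in RULES:
        if _rule_matches(rule, pkt):
            return rule[0], rule[1], rule[7]
    return 65535, "deny", None


def pkt(proto, src, dst, dport=None, iface="em0"):
    """Build a packet description; 'em0' is a constructed interface name."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport, "iface": iface}


# Constructed sample traffic, including the router's own DNS query and its
# reply, to show which rule decides each case.
SAMPLES = {
    "bgp_from_peer":      pkt("tcp",  "198.51.100.2",  "198.51.100.1", 179),
    "bgp_from_stranger":  pkt("tcp",  "198.51.100.9",  "198.51.100.1", 179),
    "snmp_from_nms":      pkt("udp",  "192.0.2.10",    "198.51.100.1", 161),
    "snmp_from_stranger": pkt("udp",  "192.0.2.99",    "198.51.100.1", 161),
    "ssh_from_anywhere":  pkt("tcp",  "192.0.2.99",    "198.51.100.1", 22),
    "ping_to_router":     pkt("icmp", "192.0.2.99",    "198.51.100.1"),
    "dns_query_out":      pkt("udp",  "198.51.100.1",  "203.0.113.53", 53),
    "dns_reply_in":       pkt("udp",  "203.0.113.53",  "198.51.100.1", 51234),
    "transit_via_fwd":    pkt("tcp",  "10.0.0.5",      "203.0.113.200", 443),
    "transit_other":      pkt("tcp",  "192.0.2.20",    "203.0.113.200", 443),
    "loopback":           pkt("tcp",  "127.0.0.1",     "127.0.0.1", 8080, iface="lo0"),
}


def run_samples():
    """Map each sample name to the (rule number, action) that decided it."""
    return {name: evaluate(p)[:2] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> rule {verdict[0]:6d} {verdict[1]}")
```

Running it prints the deciding rule for each sample; the `dns_reply_in` and `ssh_from_anywhere` lines are the two worth looking at before deploying the quoted rules. The model deliberately ignores packet direction (`in`/`out`) and dynamic rules, which is exactly what makes the stateless gap show up.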