From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 19:11:47 2013
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 1B118F51 for ; Tue, 8 Jan 2013 19:11:47 +0000 (UTC) (envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id CC5166A8 for ; Tue, 8 Jan 2013 19:11:46 +0000 (UTC)
Received: from JRE-MBP-2.local (c-50-143-148-105.hsd1.ca.comcast.net [50.143.148.105]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r08JBfVg074902 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 8 Jan 2013 11:11:42 -0800 (PST) (envelope-from julian@freebsd.org)
Message-ID: <50EC6F68.6080202@freebsd.org>
Date: Tue, 08 Jan 2013 11:11:36 -0800
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Sami Halabi
Subject: Re: firewall rules for core router
References: <50EC5105.8050007@freebsd.org>
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
Cc: freebsd-ipfw
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Jan 2013 19:11:47 -0000

On 1/8/13 10:35 AM, Sami Halabi wrote:
>
> Thank you for your response.
> about fwd:
> w.x.y.z is a router.. do I still need something? will it forward the
> packet correctly?
>
It will send them to wherever it thinks they were originally sent to.
>
> On 8 Jan 2013 19:02, "Julian Elischer" wrote:
>
> On 1/8/13 6:44 AM, Sami Halabi wrote:
>
> Any one?
> On 7 Jan 2013 18:09, "Sami Halabi" wrote:
>
> Hi,
> I have a core router that I want to enable firewall on it.
> are these enough for a start:
>
> ipfw add 100 allow all from any to any via lo0
> ipfw add 25000 allow all from me to any
> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
> #ipfw add 25150 allow ip from "table(7)" to me
> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
> #ipfw add 25250 allow ip from "table(8)" to me
> ipfw add 25300 allow all from any to me dst-port 22
> ipfw add 25400 allow icmp from any to any
> ipfw add 25500 deny all from any to me
> ipfw add 230000 allow all from any to any
>
> while table-7 are my BGP peers, table-8 my NMS.
>
> do I need to open anything more? any routing protocol/forwarding plan
> issues?
>
> I see nothing wrong.. it'll do what you want if that's what you
> want :-)
>
> you trust yourself
> and you allow ssh and BGP and NMS incoming
> and icmp everywhere
> but you won't be able to start outgoing ssh sessions because the
> return packets will be coming back to ephemeral ports.
>
> several ways to get around that, like using keep-state, or just
> blocking INIT packets differently (see "established")
>
>
> another thing:
> I plan to add the following rule
> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>
> will this work? does my peer (ISP, with Cisco/Juniper
> equipment) need to
> do anything else?
>
>
> w.x.y.z needs to know to accept those packets as they will still
> be aimed at w.x.y.z. (dest addr)
> if this machine is w.x.y.z then this command will achieve that.
> otherwise you will need to either have a 'fwd' rule on w.x.y.z.
> (if it's freebsd) or to change the packet,
> which will require you run it through natd.
(or use a nat rule)
>
> Thanks in advance,
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
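The point Julian makes about outgoing ssh (the reply packets come back to an ephemeral port, so nothing before rule 25500 matches them and `deny all from any to me` drops them) is easy to verify by walking the posted ruleset by hand, and the two fixes he names behave differently for unsolicited inbound SYNs. The simulator below does that walk. It is an added example, not code from the thread or from FreeBSD: it implements ipfw's first-match semantics only for the rule forms used in the thread (allow/deny, `me`, `table(N)`, `dst-port`, `via`) plus `established` and `check-state`/`keep-state`. The addresses 192.0.2.1 (the router), 198.51.100.2 (BGP peer, table 7), 203.0.113.10 (NMS, table 8) and 198.51.100.9 (a remote ssh server) are constructed, the interface name `em0` is assumed, and the rule numbers 25350 (`established`) and 24000 (`check-state`) are choices made here, not from the thread.

```python
"""Toy first-match evaluator for the ipfw ruleset quoted in the thread.
Added example (not code from the thread or from FreeBSD); models only the
rule forms discussed there, plus 'established' and check-state/keep-state."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed addresses: the router, its BGP peer (table 7), its NMS (table 8)
# and a remote host the router itself opens an ssh session to.
ME = {"192.0.2.1"}
TABLES = {7: {"198.51.100.2"}, 8: {"203.0.113.10"}}
REMOTE_SSH_SERVER = "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    iface: str = "em0"      # assumed interface name
    syn_only: bool = False  # TCP with SYN and no ACK: a connection start


@dataclass
class Rule:
    num: int
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "all"          # "all" and "ip" match every protocol, as in ipfw
    src: str = "any"            # "any", "me", "table(N)" or one address
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    established: bool = False   # TCP packets that are not connection starts
    keep_state: bool = False    # record the flow so check-state passes its replies


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    if spec.startswith("table("):
        return addr in TABLES[int(spec[6:-1])]
    return spec == addr


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and (pkt.proto != "tcp" or pkt.syn_only):
        return False
    return True


def _flow_key(pkt: Packet):
    # Direction-independent, so the reply of a recorded flow is found as well.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


def evaluate(rules: List[Rule], pkt: Packet, state: Set) -> Tuple[str, int]:
    """Walk the rules in number order; the first match decides, like ipfw."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.action == "check-state":
            if _flow_key(pkt) in state:
                return "allow", rule.num
            continue
        if _matches(rule, pkt):
            if rule.keep_state:
                state.add(_flow_key(pkt))
            return rule.action, rule.num
    return "deny", 65535  # ipfw's implicit default rule


def page_ruleset() -> List[Rule]:
    """The ruleset Sami posted, without the two commented-out rules."""
    return [Rule(100, "allow", via="lo0"), Rule(25000, "allow", src="me"),
            Rule(25100, "allow", "ip", "table(7)", "me", 179),
            Rule(25200, "allow", "ip", "table(8)", "me", 161),
            Rule(25300, "allow", dst="me", dport=22), Rule(25400, "allow", "icmp"),
            Rule(25500, "deny", dst="me"),
            Rule(230000, "allow")]  # number as posted; real ipfw stops at 65535


def established_ruleset() -> List[Rule]:
    """Fix 1: pass non-SYN TCP to the router (rule number 25350 is assumed)."""
    return page_ruleset() + [Rule(25350, "allow", "tcp", dst="me", established=True)]


def keep_state_ruleset() -> List[Rule]:
    """Fix 2: keep-state on the router's own traffic, check-state first (24000 assumed)."""
    rules = [r for r in page_ruleset() if r.num != 25000]
    return rules + [Rule(24000, "check-state"), Rule(25000, "allow", src="me", keep_state=True)]


def outgoing_ssh_reply_verdict(rules: List[Rule]) -> Tuple[str, int]:
    """The router opens ssh to a remote host; what happens to the reply packet?"""
    state: Set = set()
    syn = Packet("tcp", "192.0.2.1", REMOTE_SSH_SERVER, 51234, 22, syn_only=True)
    evaluate(rules, syn, state)  # outgoing SYN: allowed by 'from me to any'
    reply = Packet("tcp", REMOTE_SSH_SERVER, "192.0.2.1", 22, 51234)
    return evaluate(rules, reply, state)


def unsolicited_inbound_verdict(rules: List[Rule]) -> Tuple[str, int]:
    """A fresh SYN aimed at an ephemeral port on the router must still be denied."""
    stray_syn = Packet("tcp", REMOTE_SSH_SERVER, "192.0.2.1", 40000, 51234, syn_only=True)
    return evaluate(rules, stray_syn, set())


if __name__ == "__main__":
    for name, rs in (("posted", page_ruleset()), ("established", established_ruleset()),
                     ("keep-state", keep_state_ruleset())):
        print(name, "ssh reply:", outgoing_ssh_reply_verdict(rs),
              "stray SYN:", unsolicited_inbound_verdict(rs))
```

With the posted rules the reply is denied by 25500; with either fix it is allowed while a stray SYN to the same ephemeral port still hits 25500. The difference between the fixes is what they let through: `established` admits any non-SYN TCP segment addressed to the router, whereas keep-state admits only flows the router itself started, which is why the check-state rule has to sit before the deny.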