Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 8 Jan 2013 20:35:55 +0200
From:      Sami Halabi <sodynet1@gmail.com>
To:        Julian Elischer <julian@freebsd.org>
Cc:        freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: firewall rules for core router
Message-ID:  <CAEW+ogZbouk8mXghMwbBncb8B6QTietowzPPkF8uEUbWo40n4w@mail.gmail.com>
In-Reply-To: <50EC5105.8050007@freebsd.org>
References:  <CAEW+ogaCS9XuLOM9ZonnMkR-JyJckicY=xKX1y8drFKHn3UTbA@mail.gmail.com> <50EC5105.8050007@freebsd.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Thank you for your response.
about fwd:
w.x.y.z is a router.. do i still need something? will it forward the packet
correctly?
=D7=91=D7=AA=D7=90=D7=A8=D7=99=D7=9A 8 =D7=91=D7=99=D7=A0=D7=95 2013 19:02,=
 =D7=9E=D7=90=D7=AA "Julian Elischer" <julian@freebsd.org>:

> On 1/8/13 6:44 AM, Sami Halabi wrote:
>
>> Anh one?
>> =D7=91=D7=AA=D7=90=D7=A8=D7=99=D7=9A 7 =D7=91=D7=99=D7=A0=D7=95 2013 18:=
09, =D7=9E=D7=90=D7=AA "Sami Halabi" <sodynet1@gmail.com>:
>>
>>  Hi,
>>> i have a core router that i want to enable firewall on it.
>>> is these enough for a start:
>>>
>>> ipfw add 100 allow all from any to any via lo0
>>> ipfw add 25000 allow all from me to any
>>> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
>>> #ipfw add 25150 allow ip from "table(7)" to me
>>> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
>>> #ipfw add 25250 allow ip from "table(8)" to me
>>> ipfw add 25300 allow all from any to me dst-port 22
>>> ipfw add 25400 allow icmp from any to any
>>> ipfw add 25500 deny all from any to me
>>> ipfw add 230000 allow all from any to any
>>>
>>> while table-7 are my BGP peers, table-8 my NMS.
>>>
>>> do i need to open anything more? any routing protocol/forwarding plan
>>> issues?
>>>
>> I see nothing wrong.. it'll do what you want it that's what you want :-)
>
> you trust yourself
> and you allow ssh and BGP and NMS incoming
> and icmp everywhere
> but you won't be able to start outgoing ssh sessions because the return
> packets will be coming back to ephemeral ports.
>
> several ways to get around htat , like using keep-state, or just blocking
> INIT packets differently (see "established")
>
>
>>>
>>> another thing:
>>> i plan to add the following rule
>>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>>>
>>> will this work?, does my peer (ISP, with Cisco/Juniper equipment) needs
>>> to
>>> do anything else?
>>>
>>
> w.x.y.z needs to know to accept those packets as they will still be aimed
> at w.x.y.z. (dest addr)
> if this machine is w.x.y.z then this command will achieve that.
> otherwise you will need to either have a 'fwd' rule on w.x.y.z. (if it's
> freebsd) or to change the packet,
> which will require you run it through natd. (or use a nat rule)
>
>
>  Thanks in advance,
>>>
>>> --
>>> Sami Halabi
>>> Information Systems Engineer
>>> NMS Projects Expert
>>> FreeBSD SysAdmin Expert
>>>
>>>  ______________________________**_________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/**mailman/listinfo/freebsd-ipfw<http://lists.fr=
eebsd.org/mailman/listinfo/freebsd-ipfw>
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@**freebsd.org=
<freebsd-ipfw-unsubscribe@freebsd.org>
>> "
>>
>>
>>
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAEW+ogZbouk8mXghMwbBncb8B6QTietowzPPkF8uEUbWo40n4w>