From: Sami Halabi <sodynet1@gmail.com>
To: Julian Elischer
Cc: freebsd-ipfw
Date: Tue, 8 Jan 2013 20:35:55 +0200
Subject: Re: firewall rules for core router
In-Reply-To: <50EC5105.8050007@freebsd.org>
List-Id: IPFW Technical Discussions
Thank you for your response.
About fwd: w.x.y.z is a router. Do I still need something? Will it forward the packet correctly?

On Jan 8, 2013 19:02, "Julian Elischer" wrote:
> On 1/8/13 6:44 AM, Sami Halabi wrote:
>
>> Anyone?
>> On Jan 7, 2013 18:09, "Sami Halabi" wrote:
>>
>>> Hi,
>>> I have a core router that I want to enable a firewall on.
>>> Are these enough for a start:
>>>
>>> ipfw add 100 allow all from any to any via lo0
>>> ipfw add 25000 allow all from me to any
>>> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
>>> #ipfw add 25150 allow ip from "table(7)" to me
>>> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
>>> #ipfw add 25250 allow ip from "table(8)" to me
>>> ipfw add 25300 allow all from any to me dst-port 22
>>> ipfw add 25400 allow icmp from any to any
>>> ipfw add 25500 deny all from any to me
>>> ipfw add 230000 allow all from any to any
>>>
>>> while table-7 are my BGP peers, table-8 my NMS.
>>>
>>> Do I need to open anything more? Any routing protocol/forwarding plan
>>> issues?
>>>
> I see nothing wrong.. it'll do what you want if that's what you want :-)
>
> you trust yourself
> and you allow ssh and BGP and NMS incoming
> and icmp everywhere
> but you won't be able to start outgoing ssh sessions because the return
> packets will be coming back to ephemeral ports.
>
> several ways to get around that, like using keep-state, or just blocking
> INIT packets differently (see "established")
>
>>> Another thing:
>>> I plan to add the following rule
>>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>>>
>>> Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need
>>> to do anything else?
>>>
> w.x.y.z needs to know to accept those packets as they will still be aimed
> at w.x.y.z. (dest addr)
> if this machine is w.x.y.z then this command will achieve that.
> otherwise you will need to either have a 'fwd' rule on w.x.y.z. (if it's
> freebsd) or to change the packet,
> which will require you run it through natd. (or use a nat rule)
>
>>> Thanks in advance,
>>>
>>> --
>>> Sami Halabi
>>> Information Systems Engineer
>>> NMS Projects Expert
>>> FreeBSD SysAdmin Expert
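Editor's added example, not code from the thread: the ruleset Sami posted, reworked along the keep-state suggestion in Julian's reply so that replies to sessions the router itself opens (an outbound ssh session, for instance) are matched by state at an early check-state rule instead of falling through to "deny all from any to me". Rule numbers and the table numbers (7 for BGP peers, 8 for the NMS) follow the original post; narrowing the BGP and SNMP rules to tcp/179 and udp/161 (the post used "ip") and adding "log" to the final deny are my changes. The script is a dry run by default and only prints the commands; APPLY=1 makes it call /sbin/ipfw.

```shell
#!/bin/sh
# Added example (not the ruleset from the thread): Sami's core-router rules
# with check-state/keep-state so that return packets to ephemeral ports on
# the router are accepted, as Julian's reply suggests.
#
# Assumptions (from the post): table 7 holds the BGP peers, table 8 the NMS.
# My changes: BGP narrowed to tcp/179, SNMP to udp/161, "log" on the deny.
#
# Dry run by default: commands are printed, not executed.
# Set APPLY=1 on a FreeBSD router to load them with /sbin/ipfw.
if [ "${APPLY:-0}" = "1" ]; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo /sbin/ipfw"
fi

ruleset() {
    # Loopback traffic is never filtered.
    $fwcmd add 100 allow all from any to any via lo0

    # Replies to sessions the router opened are matched here against the
    # dynamic rules created by keep-state below, before any static rule.
    $fwcmd add 150 check-state

    # Everything the router sends itself, recording state so that the
    # return packets (arriving at an ephemeral port) pass rule 150.
    $fwcmd add 25000 allow all from me to any keep-state

    # BGP sessions from the peers in table 7, SNMP polls from the NMS in table 8.
    $fwcmd add 25100 allow tcp from "table(7)" to me dst-port 179
    $fwcmd add 25200 allow udp from "table(8)" to me dst-port 161

    # Management ssh (open from anywhere, as in the original post).
    $fwcmd add 25300 allow tcp from any to me dst-port 22
    $fwcmd add 25400 allow icmp from any to any

    # Anything else addressed to the router is dropped and logged
    # (logging requires net.inet.ip.fw.verbose=1).
    $fwcmd add 25500 deny log all from any to me

    # Transit traffic is routed unfiltered, as in the original post.
    $fwcmd add 230000 allow all from any to any
}

ruleset
```

Because keep-state is attached only to the "from me" rule, the dynamic table holds just the router's own sessions; transit traffic creates no state, which keeps the cost of the stateful rules small on a core router. The fwd rule for a.b.c.0/24 is left out here, since the thread has not settled whether w.x.y.z is this machine or a separate router.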