Date:      Tue, 8 Jan 2013 21:22:53 +0200
From:      Sami Halabi <sodynet1@gmail.com>
To:        Julian Elischer <julian@freebsd.org>
Cc:        freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: firewall rules for core router
Message-ID:  <CAEW+ogbNoDp_jsaGmTYo4e1cEffenOzpTqpO8pXKcLLKN1VngQ@mail.gmail.com>
In-Reply-To: <50EC6F68.6080202@freebsd.org>
References:  <CAEW+ogaCS9XuLOM9ZonnMkR-JyJckicY=xKX1y8drFKHn3UTbA@mail.gmail.com> <50EC5105.8050007@freebsd.org> <CAEW+ogZbouk8mXghMwbBncb8B6QTietowzPPkF8uEUbWo40n4w@mail.gmail.com> <50EC6F68.6080202@freebsd.org>

that's exactly what i need, all address space in use is public

Thanks again,
Sami
On 8 Jan 2013 21:11, "Julian Elischer" <julian@freebsd.org> wrote:
>
> On 1/8/13 10:35 AM, Sami Halabi wrote:
>>
>> Thank you for your response.
>> about fwd:
>> w.x.y.z is a router.. do i still need something? will it forward the packet correctly?
>
>
> It will send them to wherever it thinks they were originally sent to.
>
>
>> On 8 Jan 2013 19:02, "Julian Elischer" <julian@freebsd.org> wrote:
>>>
>>> On 1/8/13 6:44 AM, Sami Halabi wrote:
>>>>
>>>> Any one?
>>>> On 7 Jan 2013 18:09, "Sami Halabi" <sodynet1@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>> i have a core router that i want to enable firewall on it.
>>>>> is these enough for a start:
>>>>>
>>>>> ipfw add 100 allow all from any to any via lo0
>>>>> ipfw add 25000 allow all from me to any
>>>>> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
>>>>> #ipfw add 25150 allow ip from "table(7)" to me
>>>>> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
>>>>> #ipfw add 25250 allow ip from "table(8)" to me
>>>>> ipfw add 25300 allow all from any to me dst-port 22
>>>>> ipfw add 25400 allow icmp from any to any
>>>>> ipfw add 25500 deny all from any to me
>>>>> ipfw add 230000 allow all from any to any
>>>>>
>>>>> while table-7 are my BGP peers, table-8 my NMS.
>>>>>
>>>>> do i need to open anything more? any routing protocol/forwarding plan
>>>>> issues?
>>>
>>> I see nothing wrong.. it'll do what you want if that's what you want :-)
>>>
>>> you trust yourself
>>> and you allow ssh and BGP and NMS incoming
>>> and icmp everywhere
>>> but you won't be able to start outgoing ssh sessions because the return packets will be coming back to ephemeral ports.
>>>
>>> several ways to get around that, like using keep-state, or just blocking INIT packets differently (see "established")
>>>
>>>>>
>>>>>
>>>>> another thing:
>>>>> i plan to add the following rule
>>>>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>>>>>
>>>>> will this work?, does my peer (ISP, with Cisco/Juniper equipment) need to do anything else?
>>>
>>>
>>> w.x.y.z needs to know to accept those packets as they will still be aimed at w.x.y.z. (dest addr)
>>> if this machine is w.x.y.z then this command will achieve that.
>>> otherwise you will need to either have a 'fwd' rule on w.x.y.z. (if it's freebsd) or to change the packet,
>>> which will require you run it through natd. (or use a nat rule)
>>>
>>>
>>>>> Thanks in advance,
>>>>>
>>>>> --
>>>>> Sami Halabi
>>>>> Information Systems Engineer
>>>>> NMS Projects Expert
>>>>> FreeBSD SysAdmin Expert
>>>>>
>>>> _______________________________________________
>>>> freebsd-ipfw@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>>>
>>>>
>>>
>
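The ruleset quoted above, and Julian's point that the original set blocks the return packets of outgoing ssh sessions, modelled as an added example that is not part of the thread: a small Python first-match evaluator in the style of ipfw. The router address (`me`), the contents of tables 7 and 8 and the sample packets are all constructed from TEST-NET ranges, and the final catch-all is numbered 65000 rather than 230000 because ipfw rule numbers cannot exceed 65535.

```python
"""Toy first-match model of the ipfw ruleset from the thread (added example).

Assumptions (constructed, not from the thread):
  * the router's own address is 192.0.2.1
  * table 7 (BGP peers) holds 192.0.2.2, table 8 (NMS) holds 198.51.100.5
  * the catch-all 'allow all from any to any' is rule 65000 (ipfw max is 65535)
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List, Tuple

ME = {"192.0.2.1"}                           # addresses that 'me' matches
TABLES = {7: {"192.0.2.2"},                  # BGP peers
          8: {"198.51.100.5"}}               # NMS host


@dataclass
class Packet:
    proto: str                                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)   # e.g. {"SYN"}, {"SYN", "ACK"}
    iface: str = "em0"                        # interface the packet traverses


@dataclass
class Rule:
    num: int
    action: str                               # "allow" or "deny"
    proto: str = "all"                        # "all"/"ip" match every protocol
    src: str = "any"                          # "any", "me", "table(N)" or an address
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    established: bool = False                 # ipfw 'established': TCP with ACK or RST set


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    if spec.startswith("table("):
        return addr in TABLES[int(spec[6:-1])]
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.proto not in ("all", "ip") and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins; 65535 deny is ipfw's default when nothing matches."""
    for r in sorted(rules, key=lambda r: r.num):
        if rule_matches(r, pkt):
            return r.num, r.action
    return 65535, "deny"


# The ruleset from the first message in the thread (commented-out rules omitted).
ORIGINAL = [
    Rule(100, "allow", via="lo0"),
    Rule(25000, "allow", src="me"),
    Rule(25100, "allow", proto="ip", src="table(7)", dst="me", dport=179),
    Rule(25200, "allow", proto="ip", src="table(8)", dst="me", dport=161),
    Rule(25300, "allow", dst="me", dport=22),
    Rule(25400, "allow", proto="icmp"),
    Rule(25500, "deny", dst="me"),
    Rule(65000, "allow"),
]

# Same set plus the 'established' fix Julian mentions, placed before the deny:
#   ipfw add 25450 allow tcp from any to me established
WITH_ESTABLISHED = ORIGINAL + [Rule(25450, "allow", proto="tcp", dst="me", established=True)]

# Constructed sample packets.
SSH_RETURN = Packet("tcp", "203.0.113.9", "192.0.2.1", 51234, {"SYN", "ACK"})  # reply to our outgoing ssh
BGP_FROM_PEER = Packet("tcp", "192.0.2.2", "192.0.2.1", 179, {"SYN"})
BGP_FROM_STRANGER = Packet("tcp", "203.0.113.9", "192.0.2.1", 179, {"SYN"})
TRANSIT = Packet("tcp", "203.0.113.9", "198.51.100.77", 443, {"SYN"})

if __name__ == "__main__":
    for name, pkt in [("ssh return", SSH_RETURN), ("bgp peer", BGP_FROM_PEER),
                      ("bgp stranger", BGP_FROM_STRANGER), ("transit", TRANSIT)]:
        print(f"{name:13s} original={evaluate(ORIGINAL, pkt)} established={evaluate(WITH_ESTABLISHED, pkt)}")
```

With the original set the SYN/ACK coming back to the ephemeral port hits rule 25500 and is denied; with the `established` rule in front of the deny it is allowed, while a fresh SYN to port 179 from a host outside table 7 is still denied in both sets, so the fix does not open new connections to the router. Note that `established` trusts the ACK/RST flags alone and accepts any such packet whether or not a connection exists; the `keep-state`/`check-state` option Julian also mentions tracks the outbound flow instead and is the stricter of the two.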