Date:      Tue, 08 Jan 2013 09:01:57 -0800
From:      Julian Elischer <julian@freebsd.org>
To:        Sami Halabi <sodynet1@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: firewall rules for core router
Message-ID:  <50EC5105.8050007@freebsd.org>
In-Reply-To: <CAEW%2BogaCS9XuLOM9ZonnMkR-JyJckicY=xKX1y8drFKHn3UTbA@mail.gmail.com>
References:  <CAEW%2BogaCS9XuLOM9ZonnMkR-JyJckicY=xKX1y8drFKHn3UTbA@mail.gmail.com>

On 1/8/13 6:44 AM, Sami Halabi wrote:
> Anyone?
> On 7 Jan 2013 18:09, "Sami Halabi" <sodynet1@gmail.com> wrote:
>
>> Hi,
>> I have a core router that I want to enable a firewall on.
>> Are these enough for a start:
>>
>> ipfw add 100 allow all from any to any via lo0
>> ipfw add 25000 allow all from me to any
>> ipfw add 25100 allow tcp from "table(7)" to me dst-port 179   # BGP from peers (TCP/179)
>> #ipfw add 25150 allow ip from "table(7)" to me
>> ipfw add 25200 allow udp from "table(8)" to me dst-port 161   # SNMP from NMS (UDP/161)
>> #ipfw add 25250 allow ip from "table(8)" to me
>> ipfw add 25300 allow tcp from any to me dst-port 22           # ssh
>> ipfw add 25400 allow icmp from any to any
>> ipfw add 25500 deny all from any to me
>> ipfw add 65000 allow all from any to any   # rule numbers must be below the default rule 65535; 230000 is rejected
>>
>> where table 7 holds my BGP peers and table 8 my NMS.
>>
>> Do I need to open anything more? Any routing protocol/forwarding plane
>> issues?
I see nothing wrong.. it'll do what you want, if that's what you want :-)

You trust yourself,
and you allow ssh and BGP and NMS incoming,
and icmp everywhere,
but you won't be able to start outgoing ssh sessions because the
return packets will be coming back to ephemeral ports.

Several ways to get around that, like using keep-state, or just
blocking INIT packets differently (see "established").

>>
>>
>> another thing:
>> i plan to add the following rule
>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>>
>> Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need to
>> do anything else?

w.x.y.z needs to know to accept those packets, as they will still be
aimed at w.x.y.z (dest addr).
If this machine is w.x.y.z then this command will achieve that.
Otherwise you will need to either have a 'fwd' rule on w.x.y.z (if
it's FreeBSD) or to change the packet,
which will require you to run it through natd (or use a nat rule).


>> Thanks in advance,
>>
>> --
>> Sami Halabi
>> Information Systems Engineer
>> NMS Projects Expert
>> FreeBSD SysAdmin Expert
>>
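The point about return packets to ephemeral ports is easy to check by modelling ipfw's first-match evaluation. The following is an added example, not code from this thread or from FreeBSD: a small Python model of the subset of ipfw syntax used above (allow/deny, `me`, tables, `dst-port`, `via`, `established`, `keep-state`/`check-state`). It runs the original ruleset, a variant with an `established` rule, and a variant with `keep-state`/`check-state` against the SYN-ACK that comes back for an outbound ssh session, and against an unsolicited ACK-only probe. The addresses, table contents and interface name are constructed for the demo.

```python
"""Added example: model of ipfw first-match evaluation for the ruleset in this thread.
Not FreeBSD code; addresses, tables and the interface name are constructed."""
from dataclasses import dataclass

ME = {"192.0.2.1"}                                  # router's own address (assumed)
TABLES = {7: {"192.0.2.2"}, 8: {"198.51.100.10"}}  # table 7 = BGP peers, 8 = NMS (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    iface: str = "em0"         # interface the packet crosses (assumed name)


def parse(line):
    """Parse the subset of 'ipfw add ...' syntax used in this thread."""
    t = line.split()
    if t[:2] != ["ipfw", "add"]:
        raise ValueError(line)
    r = {"num": int(t[2]), "action": t[3], "proto": "all", "src": "any", "dst": "any",
         "dport": None, "via": None, "established": False, "keep_state": False}
    if r["action"] == "check-state":
        return r
    r["proto"] = t[4]
    i = 5
    while i < len(t):
        tok = t[i]
        if tok in ("from", "to", "dst-port", "via"):
            key = {"from": "src", "to": "dst", "dst-port": "dport", "via": "via"}[tok]
            val = t[i + 1].strip('"')
            r[key] = int(val) if tok == "dst-port" else val
            i += 2
        elif tok in ("established", "keep-state"):
            r[tok.replace("-", "_")] = True
            i += 1
        else:
            raise ValueError("unsupported token: " + tok)
    return r


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    if spec.startswith("table(") and spec.endswith(")"):
        return addr in TABLES[int(spec[6:-1])]
    return spec == addr


def matches(r, p):
    if r["proto"] not in ("all", "ip", p.proto):
        return False
    if not (addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)):
        return False
    if r["dport"] is not None and (p.proto not in ("tcp", "udp") or p.dport != r["dport"]):
        return False
    if r["via"] is not None and p.iface != r["via"]:
        return False
    if r["established"] and not (p.proto == "tcp" and p.ack):   # ipfw: ACK (or RST) set
        return False
    return True


class Firewall:
    """First-match evaluation with a minimal dynamic-rule (keep-state) table."""

    def __init__(self, lines):
        self.rules = sorted((parse(l) for l in lines), key=lambda r: r["num"])
        self.state = set()     # 5-tuples of flows admitted by a keep-state rule

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p):
        """Return (action, rule number) of the first matching rule."""
        for r in self.rules:
            if r["action"] == "check-state" or r["keep_state"]:   # consult dynamic state first
                if self._flow(p) in self.state or self._reverse(p) in self.state:
                    return "allow", r["num"]
                if r["action"] == "check-state":
                    continue
            if not matches(r, p):
                continue
            if r["keep_state"]:
                self.state.add(self._flow(p))
            return r["action"], r["num"]
        return "deny", 65535   # ipfw default rule


ORIGINAL = [
    "ipfw add 100 allow all from any to any via lo0",
    "ipfw add 25000 allow all from me to any",
    "ipfw add 25100 allow tcp from table(7) to me dst-port 179",
    "ipfw add 25200 allow udp from table(8) to me dst-port 161",
    "ipfw add 25300 allow tcp from any to me dst-port 22",
    "ipfw add 25400 allow icmp from any to any",
    "ipfw add 25500 deny all from any to me",
    "ipfw add 65000 allow all from any to any",
]
# Fix 1: let TCP packets with ACK/RST set through before the catch-all deny.
ESTABLISHED = ORIGINAL[:6] + ["ipfw add 25450 allow tcp from any to me established"] + ORIGINAL[6:]
# Fix 2: record outbound flows and let only their replies back in.
STATEFUL = [ORIGINAL[0], "ipfw add 200 check-state",
            "ipfw add 25000 allow all from me to any keep-state"] + ORIGINAL[2:]


def outbound_ssh(ruleset):
    """Router opens ssh to a remote host; return the verdict on the SYN-ACK that comes back."""
    fw = Firewall(ruleset)
    syn = Packet("tcp", "192.0.2.1", "203.0.113.5", sport=49152, dport=22, syn=True)
    reply = Packet("tcp", "203.0.113.5", "192.0.2.1", sport=22, dport=49152, syn=True, ack=True)
    assert fw.evaluate(syn) == ("allow", 25000)
    return fw.evaluate(reply)


def unsolicited_ack(ruleset):
    """ACK-only probe to an ephemeral port with no prior outbound flow (an ACK scan)."""
    fw = Firewall(ruleset)
    probe = Packet("tcp", "203.0.113.5", "192.0.2.1", sport=12345, dport=49152, ack=True)
    return fw.evaluate(probe)


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("established", ESTABLISHED), ("stateful", STATEFUL)):
        print(name, "ssh reply:", outbound_ssh(rs), "ack probe:", unsolicited_ack(rs))
```

With the original ruleset the SYN-ACK for the router's own ssh session falls through to rule 25500 and is denied, which is the failure described above. The `established` variant fixes it, but because `established` only looks at the ACK flag it also admits the unsolicited ACK probe to the router; the `keep-state`/`check-state` variant admits the reply and still denies the probe, at the cost of a dynamic state table on the router. The model ignores fragments and ipfw options not used in the thread.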



