On 1/8/13 10:35 AM, Sami Halabi wrote:

Thank you for your response.
About fwd:
w.x.y.z is a router. Do I still need something? Will it forward the packet correctly?


It will send them to wherever it thinks they were originally sent to.

On 8 Jan 2013 19:02, "Julian Elischer" <jul...@freebsd.org> wrote:

    On 1/8/13 6:44 AM, Sami Halabi wrote:

        Anyone?
        On 7 Jan 2013 18:09, "Sami Halabi" <sodyn...@gmail.com> wrote:

            Hi,
            I have a core router that I want to enable a firewall on.
            Is this enough for a start:

            ipfw add 100 allow all from any to any via lo0
            ipfw add 25000 allow all from me to any
            ipfw add 25100 allow ip from "table(7)" to me dst-port 179
            #ipfw add 25150 allow ip from "table(7)" to me
            ipfw add 25200 allow ip from "table(8)" to me dst-port 161
            #ipfw add 25250 allow ip from "table(8)" to me
            ipfw add 25300 allow all from any to me dst-port 22
            ipfw add 25400 allow icmp from any to any
            ipfw add 25500 deny all from any to me
            # final catch-all; ipfw rule numbers must be in 1..65534, so 230000 is not accepted
            ipfw add 65000 allow all from any to any

            where table 7 holds my BGP peers and table 8 my NMS.

            Do I need to open anything more? Any routing
            protocol/forwarding plan issues?

    I see nothing wrong.. it'll do what you want, if that's what you
    want :-)

    You trust yourself,
    and you allow ssh, BGP and NMS incoming,
    and icmp everywhere,
    but you won't be able to start outgoing ssh sessions because the
    return packets will be coming back to ephemeral ports.

    There are several ways to get around that, like using keep-state, or just
    blocking INIT packets differently (see "established").



            Another thing:
            I plan to add the following rule:
            ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any

            Will this work? Does my peer (ISP, with Cisco/Juniper
            equipment) need to do anything else?


    w.x.y.z needs to know to accept those packets, as they will still
    be aimed at w.x.y.z (dest addr).
    If this machine is w.x.y.z then this command will achieve that.
    Otherwise you will need to either have a 'fwd' rule on w.x.y.z
    (if it's FreeBSD) or to change the packet,
    which will require you to run it through natd (or use a nat rule).


            Thanks in advance,

            --
            Sami Halabi
            Information Systems Engineer
            NMS Projects Expert
            FreeBSD SysAdmin Expert

        _______________________________________________
        freebsd-ipfw@freebsd.org mailing list
        http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
        To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"




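The ephemeral-port problem Julian describes, as an added example that is not code from the thread: a simplified first-match model of the posted ruleset, run over a few constructed packets, showing that replies to an ssh session the router itself opened fall through to the "deny all from any to me" rule, and what adding an "established" rule changes. The addresses, table contents and packet fields are constructed; the lo0 rule is omitted because the model has no interfaces.

```python
# Added example, not from the thread: a simplified first-match model of the
# posted ruleset. Addresses and table contents are constructed; the lo0
# rule is omitted since this model has no notion of interfaces.
ROUTER_ADDRS = {"192.0.2.1"}                        # what ipfw "me" matches
TABLES = {7: {"198.51.100.2"}, 8: {"203.0.113.5"}}  # 7: BGP peers, 8: NMS

def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ROUTER_ADDRS
    return addr in TABLES[int(spec[6:-1])]          # "table(7)" -> table 7

def rule_match(rule, pkt):
    _num, _action, proto, src, dst, dport, established = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    # ipfw "established" matches TCP packets that carry ACK (or RST)
    return bool(not established or (pkt["proto"] == "tcp" and pkt.get("ack")))

def verdict(rules, pkt):
    """First matching rule wins, as in ipfw; 65535 is the default rule."""
    for rule in sorted(rules):
        if rule_match(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"

# (number, action, proto, src, dst, dst-port, established) as posted; the
# catch-all is renumbered because ipfw rule numbers stop at 65534.
ORIGINAL = [
    (25000, "allow", "ip",   "me",       "any", None, False),
    (25100, "allow", "ip",   "table(7)", "me",  179,  False),
    (25200, "allow", "ip",   "table(8)", "me",  161,  False),
    (25300, "allow", "ip",   "any",      "me",  22,   False),
    (25400, "allow", "icmp", "any",      "any", None, False),
    (25500, "deny",  "ip",   "any",      "me",  None, False),
    (65000, "allow", "ip",   "any",      "any", None, False),
]
# Julian's "established" option: accept packets of already-open TCP sessions
# before the deny rule (keep-state is stricter: it tracks real sessions).
FIXED = ORIGINAL + [(25450, "allow", "tcp", "any", "me", None, True)]
# Constructed packets: ssh reply to an ephemeral port, stray SYN to it, BGP from a peer
SSH_REPLY = {"proto": "tcp", "src": "192.0.2.200", "dst": "192.0.2.1", "dport": 51234, "ack": True}
STRAY_SYN = {"proto": "tcp", "src": "192.0.2.200", "dst": "192.0.2.1", "dport": 51234, "ack": False}
BGP_OPEN = {"proto": "tcp", "src": "198.51.100.2", "dst": "192.0.2.1", "dport": 179, "ack": False}
```

With ORIGINAL the ssh reply is dropped by rule 25500; with FIXED it is accepted by 25450 while the unsolicited SYN to the same port is still denied, and BGP from a table 7 peer is allowed by 25100.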