From: Sami Halabi
To: Julian Elischer
Cc: freebsd-ipfw
Date: Tue, 8 Jan 2013 21:22:53 +0200
Subject: Re: firewall rules for core router
In-Reply-To: <50EC6F68.6080202@freebsd.org>
References: <50EC5105.8050007@freebsd.org> <50EC6F68.6080202@freebsd.org>
List-Id: IPFW Technical Discussions
That's exactly what I need; all address space in use is public.

Thanks again,
Sami

On 8 Jan 2013 21:11, "Julian Elischer" wrote:
>
> On 1/8/13 10:35 AM, Sami Halabi wrote:
>>
>> Thank you for your response.
>> About fwd:
>> w.x.y.z is a router.. do I still need something? Will it forward the packet correctly?
>
> It will send them to wherever it thinks they were originally sent to.
>
>> On 8 Jan 2013 19:02, "Julian Elischer" wrote:
>>>
>>> On 1/8/13 6:44 AM, Sami Halabi wrote:
>>>>
>>>> Anyone?
>>>> On 7 Jan 2013 18:09, "Sami Halabi" wrote:
>>>>
>>>>> Hi,
>>>>> I have a core router that I want to enable a firewall on.
>>>>> Are these enough for a start:
>>>>>
>>>>> ipfw add 100 allow all from any to any via lo0
>>>>> ipfw add 25000 allow all from me to any
>>>>> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
>>>>> #ipfw add 25150 allow ip from "table(7)" to me
>>>>> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
>>>>> #ipfw add 25250 allow ip from "table(8)" to me
>>>>> ipfw add 25300 allow all from any to me dst-port 22
>>>>> ipfw add 25400 allow icmp from any to any
>>>>> ipfw add 25500 deny all from any to me
>>>>> ipfw add 230000 allow all from any to any
>>>>>
>>>>> Table 7 holds my BGP peers, table 8 my NMS.
>>>>>
>>>>> Do I need to open anything more? Any routing protocol/forwarding plan
>>>>> issues?
>>>
>>> I see nothing wrong.. it'll do what you want, if that's what you want :-)
>>>
>>> You trust yourself,
>>> and you allow ssh and BGP and NMS incoming,
>>> and icmp everywhere,
>>> but you won't be able to start outgoing ssh sessions because the return packets will be coming back to ephemeral ports.
>>>
>>> There are several ways to get around that, like using keep-state, or just blocking INIT packets differently (see "established").
>>>
>>>>> Another thing:
>>>>> I plan to add the following rule
>>>>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>>>>>
>>>>> Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need to
>>>>> do anything else?
>>>
>>> w.x.y.z needs to know to accept those packets as they will still be aimed at w.x.y.z (dest addr).
>>> If this machine is w.x.y.z then this command will achieve that.
>>> Otherwise you will need to either have a 'fwd' rule on w.x.y.z (if it's FreeBSD) or to change the packet,
>>> which will require you to run it through natd (or use a nat rule).
>>>
>>>>> Thanks in advance,
>>>>>
>>>>> --
>>>>> Sami Halabi
>>>>> Information Systems Engineer
>>>>> NMS Projects Expert
>>>>> FreeBSD SysAdmin Expert
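As an added illustration (not code from the thread or from ipfw itself), here is a small Python model of ipfw's first-match evaluation run over the ruleset quoted above; it shows why the ACK half of an outgoing ssh session is dropped by rule 25500 and how Julian's "established" suggestion, modelled here as a rule at 25350, lets it through while still refusing an unsolicited SYN. The router address, the table contents, the interface name and the packets are constructed placeholders.

```python
import ipaddress
# Constructed sample addressing: the router's own addresses ("me") and the post's tables (7 = BGP peers, 8 = NMS).
ME = {"203.0.113.1"}
TABLES = {7: ["198.51.100.0/24"], 8: ["192.0.2.10/32"]}
def addr_matches(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    nets = TABLES[int(spec[6:-1])] if spec.startswith("table(") else [spec]
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False) for n in nets)

def parse_rule(line):
    # Subset of ipfw syntax used in the post: ipfw add N action proto from SRC to DST [dst-port P] [via IF] [established]
    t = line.replace('"', "").split()
    r = {"num": int(t[2]), "action": t[3], "proto": t[4], "src": t[6], "dst": t[8],
         "dport": None, "via": None, "established": False}
    opts, i = t[9:], 0
    while i < len(opts):
        if opts[i] == "established":
            r["established"] = True; i += 1
        else:  # dst-port and via each take one argument
            r[opts[i].replace("dst-port", "dport")] = opts[i + 1]; i += 2
    return r

def rule_matches(r, pkt):
    # ipfw 'established' = TCP segment with ACK or RST set, i.e. not the opening SYN
    return (r["proto"] in ("all", "ip", pkt["proto"])
            and (r["via"] is None or r["via"] == pkt["iface"])
            and (r["dport"] is None or r["dport"] == str(pkt.get("dport")))
            and (not r["established"] or (pkt["proto"] == "tcp" and pkt.get("ack")))
            and addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"]))

def verdict(rules, pkt):
    # First matching rule wins, as in ipfw; unmatched traffic hits the default deny rule.
    for r in sorted((parse_rule(l) for l in rules), key=lambda r: r["num"]):
        if rule_matches(r, pkt):
            return r["action"], r["num"]
    return "deny", 65535
ORIGINAL = """ipfw add 100 allow all from any to any via lo0
ipfw add 25000 allow all from me to any
ipfw add 25100 allow ip from "table(7)" to me dst-port 179
ipfw add 25200 allow ip from "table(8)" to me dst-port 161
ipfw add 25300 allow all from any to me dst-port 22
ipfw add 25400 allow icmp from any to any
ipfw add 25500 deny all from any to me
ipfw add 230000 allow all from any to any""".splitlines()
# The "established" fix: admit replies to TCP sessions the router itself opened.
FIXED = ORIGINAL[:5] + ["ipfw add 25350 allow tcp from any to me established"] + ORIGINAL[5:]
# Constructed packet: the ACK half of an outbound ssh session returning to an ephemeral port.
SSH_REPLY = {"proto": "tcp", "src": "192.0.2.200", "dst": "203.0.113.1", "dport": 51234, "iface": "em0", "ack": True}
```

Real ipfw only accepts rule numbers up to 65535, so the post's rule 230000 would have to be renumbered on an actual system; the model keeps it only to mirror the quoted ruleset.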