firewall rules for core router
Julian Elischer
julian at freebsd.org
Tue Jan 8 19:11:47 UTC 2013
On 1/8/13 10:35 AM, Sami Halabi wrote:
>
> Thank you for your response.
> about fwd:
> w.x.y.z is a router.. do I still need something? Will it forward the
> packet correctly?
>
It will send them to where-ever it thinks they were originally sent to.
> On 8 Jan 2013 19:02, "Julian Elischer" <julian at freebsd.org> wrote:
>
> On 1/8/13 6:44 AM, Sami Halabi wrote:
>
> Anyone?
> On 7 Jan 2013 18:09, "Sami Halabi" <sodynet1 at gmail.com> wrote:
>
> Hi,
> I have a core router that I want to enable a firewall on.
> Are these enough for a start:
>
> ipfw add 100 allow all from any to any via lo0
> ipfw add 25000 allow all from me to any
> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
> #ipfw add 25150 allow ip from "table(7)" to me
> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
> #ipfw add 25250 allow ip from "table(8)" to me
> ipfw add 25300 allow all from any to me dst-port 22
> ipfw add 25400 allow icmp from any to any
> ipfw add 25500 deny all from any to me
> # rule numbers must stay below 65535 (ipfw's default rule); 230000 is rejected
> ipfw add 65000 allow all from any to any
>
> where table 7 holds my BGP peers and table 8 my NMS.
>
> Do I need to open anything more? Any routing protocol/forwarding plan
> issues?
>
> I see nothing wrong.. it'll do what you want if that's what you
> want :-)
>
> you trust yourself
> and you allow ssh and BGP and NMS incoming
> and icmp everywhere
> but you won't be able to start outgoing ssh sessions because the
> return packets will be coming back to ephemeral ports.
>
> several ways to get around that, like using keep-state, or just
> blocking INIT packets differently (see "established")
>
>
>
> another thing:
> I plan to add the following rule
> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>
> Will this work? Does my peer (ISP, with Cisco/Juniper equipment) need to
> do anything else?
>
>
> w.x.y.z needs to know to accept those packets as they will still
> be aimed at w.x.y.z. (dest addr)
> if this machine is w.x.y.z then this command will achieve that.
> otherwise you will need to either have a 'fwd' rule on w.x.y.z.
> (if it's freebsd) or to change the packet,
> which will require you run it through natd. (or use a nat rule)
>
>
> Thanks in advance,
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
>
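A stateful version of the ruleset discussed in this thread, applying the keep-state or established fix Julian points at, written as an added example and not taken from the thread or from FreeBSD. It assumes table 7 and table 8 as the post defines them, keeps w.x.y.z and a.b.c.0/24 as the post's placeholders, and reads the ipfw binary from IPFW so the rules can be dry-run through echo.

```shell
#!/bin/sh
# Added example: stateful variant of the thread's ipfw ruleset.
# Assumptions: table 7 = BGP peers, table 8 = NMS hosts (as in the post);
# w.x.y.z and a.b.c.0/24 stay as the post's placeholders. Set IPFW=echo
# to print the rules instead of loading them.
IPFW="${IPFW:-/sbin/ipfw}"
fw() { "$IPFW" "$@"; }

# load_rules [keep-state|established]
load_rules() {
    mode="${1:-keep-state}"
    fw -f flush
    fw add 100 allow all from any to any via lo0
    if [ "$mode" = keep-state ]; then
        # Replies to flows the router itself started match the dynamic
        # rule here, so return traffic to ephemeral ports no longer
        # falls through to the deny at 25500.
        fw add 1000 check-state
        fw add 25000 allow all from me to any keep-state
    else
        # Alternative from the thread: pass TCP that is not a connection
        # opener (ACK or RST set). Unsolicited SYNs still hit 25500, but
        # UDP replies (e.g. DNS lookups from the router) are not covered.
        fw add 25000 allow all from me to any
        fw add 25050 allow tcp from any to me established
    fi
    # BGP and SSH are TCP-only, so the original 'ip'/'all' is narrowed.
    fw add 25100 allow tcp from "table(7)" to me dst-port 179
    fw add 25200 allow ip from "table(8)" to me dst-port 161
    fw add 25300 allow tcp from any to me dst-port 22
    fw add 25400 allow icmp from any to any
    fw add 25500 deny all from any to me
    # Policy-route the customer prefix to w.x.y.z; w.x.y.z must accept
    # packets still addressed to their original destination (see above).
    fw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
    # The post's 230000 is above ipfw's 65535 limit; 65000 is valid.
    fw add 65000 allow all from any to any
}

# Run with 'apply' (optionally followed by the mode) to load the rules.
if [ "${1:-}" = apply ]; then load_rules "${2:-keep-state}"; fi
```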