That's exactly what I need, all address space in use is public.
Thanks again, Sami

On 8 Jan 2013 21:11, "Julian Elischer" <[email protected]> wrote:
>
> On 1/8/13 10:35 AM, Sami Halabi wrote:
>>
>> Thank you for your response.
>> about fwd:
>> w.x.y.z is a router.. do I still need something? will it forward the packet correctly?
>
>
> It will send them to wherever it thinks they were originally sent to.
>
>
>> On 8 Jan 2013 19:02, "Julian Elischer" <[email protected]> wrote:
>>>
>>> On 1/8/13 6:44 AM, Sami Halabi wrote:
>>>>
>>>> Any one?
>>>> On 7 Jan 2013 18:09, "Sami Halabi" <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>> I have a core router that I want to enable a firewall on.
>>>>> Is this enough for a start:
>>>>>
>>>>> ipfw add 100 allow all from any to any via lo0
>>>>> ipfw add 25000 allow all from me to any
>>>>> ipfw add 25100 allow ip from "table(7)" to me dst-port 179
>>>>> #ipfw add 25150 allow ip from "table(7)" to me
>>>>> ipfw add 25200 allow ip from "table(8)" to me dst-port 161
>>>>> #ipfw add 25250 allow ip from "table(8)" to me
>>>>> ipfw add 25300 allow all from any to me dst-port 22
>>>>> ipfw add 25400 allow icmp from any to any
>>>>> ipfw add 25500 deny all from any to me
>>>>> ipfw add 230000 allow all from any to any
>>>>>
>>>>> where table-7 are my BGP peers, table-8 my NMS.
>>>>>
>>>>> Do I need to open anything more? Any routing protocol/forwarding plane
>>>>> issues?
>>>
>>> I see nothing wrong.. it'll do what you want, if that's what you want :-)
>>>
>>> you trust yourself
>>> and you allow ssh and BGP and NMS incoming
>>> and icmp everywhere
>>> but you won't be able to start outgoing ssh sessions because the return packets will be coming back to ephemeral ports.
>>>
>>> several ways to get around that, like using keep-state, or just blocking INIT packets differently (see "established")
>>>
>>>>>
>>>>>
>>>>> another thing:
>>>>> I plan to add the following rule
>>>>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any
>>>>>
>>>>> will this work? does my peer (ISP, with Cisco/Juniper equipment) need to
>>>>> do anything else?
>>>
>>>
>>> w.x.y.z needs to know to accept those packets as they will still be aimed at w.x.y.z. (dest addr)
>>> if this machine is w.x.y.z then this command will achieve that.
>>> otherwise you will need to either have a 'fwd' rule on w.x.y.z. (if it's freebsd) or to change the packet,
>>> which will require you run it through natd. (or use a nat rule)
>>>
>>>
>>>>> Thanks in advance,
>>>>>
>>>>> --
>>>>> Sami Halabi
>>>>> Information Systems Engineer
>>>>> NMS Projects Expert
>>>>> FreeBSD SysAdmin Expert
>>>>>
>>>> _______________________________________________
>>>> [email protected] mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>> To unsubscribe, send any mail to "[email protected]"
>>>>
>>>>
>>>
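The point Julian makes about return packets landing on ephemeral ports can be traced through the posted ruleset with a small first-match model. This is an added example, not code from the thread or from ipfw itself; the addresses, the interface name and the contents of tables 7 and 8 are constructed stand-ins, and the model covers only the matchers the posted rules use.

```python
# Added example (not from the thread): first-match model of the posted ipfw rules,
# showing why replies to an outgoing SSH session are dropped and what 'established' changes.
from dataclasses import dataclass

ME = {"203.0.113.1"}          # constructed: the router's own addresses ("me")
TABLE_7 = {"198.51.100.2"}    # constructed: BGP peers
TABLE_8 = {"198.51.100.50"}   # constructed: NMS hosts

@dataclass
class Pkt:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False         # TCP ACK/RST bit set; False for an opening SYN
    iface: str = "em0"        # constructed interface name

def ruleset(with_established=False):
    """Rules in the order Sami posted, each as (number, action, matcher)."""
    rules = [
        (100,   "allow", lambda p: p.iface == "lo0"),
        (25000, "allow", lambda p: p.src in ME),
        (25100, "allow", lambda p: p.src in TABLE_7 and p.dst in ME and p.dport == 179),
        (25200, "allow", lambda p: p.src in TABLE_8 and p.dst in ME and p.dport == 161),
        (25300, "allow", lambda p: p.dst in ME and p.dport == 22),
        (25400, "allow", lambda p: p.proto == "icmp"),
    ]
    if with_established:
        # ipfw 'established' matches TCP segments with ACK or RST set, i.e. anything but
        # the opening SYN, so replies to sessions the router opened pass; keep-state is stricter.
        rules.append((25450, "allow", lambda p: p.proto == "tcp" and p.dst in ME and p.ack))
    rules += [
        (25500,  "deny",  lambda p: p.dst in ME),
        (230000, "allow", lambda p: True),   # number as posted in the thread
    ]
    return rules

def verdict(p, with_established=False):
    """The first matching rule decides, as in ipfw; returns (rule number, action)."""
    for num, action, match in ruleset(with_established):
        if match(p):
            return num, action

# Constructed packets: inbound BGP from a peer; the reply segment of an SSH session
# the router opened outward (remote port 22 -> our ephemeral port 49152); a stray SYN.
BGP_IN = Pkt("tcp", "198.51.100.2", "203.0.113.1", dport=179)
SSH_REPLY = Pkt("tcp", "192.0.2.10", "203.0.113.1", dport=49152, ack=True)
SYN_TO_ME = Pkt("tcp", "192.0.2.10", "203.0.113.1", dport=8080)
for p in (BGP_IN, SSH_REPLY, SYN_TO_ME):
    print(p.dport, verdict(p), verdict(p, with_established=True))
```

Running it shows the SSH reply hitting rule 25500 under the posted rules and rule 25450 once an established rule is in place, while the unsolicited SYN is still denied either way.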
