nanog mailing list archives

Re: it's here


From: Jesper Skriver <jesper () skriver dk>
Date: Wed, 13 Feb 2002 18:37:53 +0100


On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:

> Without control plane separation (and it's not possible with Cisco,
> Juniper, or most other routers out there), management services are
> listening on the public network, and that makes this very scary,
> regardless of filtering policies, etc.

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE;
                }
            }
        }
    }
}
firewall {
    filter RE {
        term BGP {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }               
        term TCP-established {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        /* insert other terms allowing routing protocol traffic etc. */
        term only-fxp0 {
            from {
                interface-group-except fxp0;
            }
            then discard;
        }
        /* allow ssh, snmp etc. traffic only on the mgmt. lan */
        term allow-from-fxp0 {
            from {
                interface-group fxp0;
            }
            then accept;
        }
    }
}

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
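The filter in the post is evaluated top-down, first matching term wins, and anything no term matches is discarded. The Python below is an added illustration, not code from Jesper's post and not JunOS; it models that evaluation for just the match conditions the filter uses (protocol, destination-port, tcp-established, ingress interface, source-address) and runs the posted terms against constructed packets. It also shows a hardened variant (the peer prefix 192.0.2.0/24 and the term names are assumptions) that ties the BGP and tcp-established terms to known peers, because tcp-established is only an alias for tcp-flags "(ack | rst)" and on its own lets any ACK or RST packet reach the RE from any interface.

```python
"""Toy first-match evaluator for a JunOS-style lo0 (protect-RE) filter.

Added example: not JunOS and not code from the original post. Only the
match conditions used by the quoted filter are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                      # ingress interface, e.g. "fxp0" or "ge-0/0/0"
    proto: str                      # "tcp", "udp", "icmp"
    src: str                        # source IPv4 address
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present: "syn", "ack", "rst"


@dataclass
class Term:
    name: str
    action: str                            # "accept" or "discard"
    proto: Optional[str] = None            # from protocol <proto>
    dport: Optional[int] = None            # from destination-port <port>
    tcp_established: bool = False          # JunOS alias for tcp-flags "(ack | rst)"
    iface: Optional[str] = None            # from interface <name>
    iface_except: Optional[str] = None     # from interface-except <name>
    src_prefixes: Tuple[str, ...] = ()     # from source-address <prefix> ...

    def matches(self, p: Packet) -> bool:
        """All configured conditions of a term must hold (logical AND)."""
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.tcp_established and not (p.proto == "tcp" and p.flags & {"ack", "rst"}):
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.iface_except is not None and p.iface == self.iface_except:
            return False
        if self.src_prefixes and not any(
            ip_address(p.src) in ip_network(n) for n in self.src_prefixes
        ):
            return False
        return True


def evaluate(terms, p: Packet):
    """First matching term wins; a filter with no match discards the packet."""
    for t in terms:
        if t.matches(p):
            return t.action, t.name
    return "discard", "<implicit>"


# The filter from the post, transcribed term for term.
RE_AS_POSTED = [
    Term("BGP", "accept", proto="tcp", dport=179),
    Term("TCP-established", "accept", proto="tcp", tcp_established=True),
    Term("only-fxp0", "discard", iface_except="fxp0"),
    Term("allow-from-fxp0", "accept", iface="fxp0"),
]

# Hardened variant (assumed): BGP sessions and their return traffic are only
# accepted from the configured peer prefix; the peer list is constructed.
PEERS = ("192.0.2.0/24",)
RE_HARDENED = [
    Term("BGP-from-peers", "accept", proto="tcp", dport=179, src_prefixes=PEERS),
    Term("BGP-replies", "accept", proto="tcp", tcp_established=True, src_prefixes=PEERS),
    Term("only-fxp0", "discard", iface_except="fxp0"),
    Term("allow-from-fxp0", "accept", iface="fxp0"),
]

# Constructed sample packets (not captures) hitting the RE.
SYN, ACK = frozenset({"syn"}), frozenset({"ack"})
SAMPLES = {
    "ssh-syn-from-mgmt": Packet("fxp0", "tcp", "10.0.0.5", dport=22, flags=SYN),
    "ssh-syn-from-core": Packet("ge-0/0/0", "tcp", "203.0.113.9", dport=22, flags=SYN),
    "bgp-syn-from-stranger": Packet("ge-0/0/0", "tcp", "203.0.113.9", dport=179, flags=SYN),
    "bgp-syn-from-peer": Packet("ge-0/0/0", "tcp", "192.0.2.1", dport=179, flags=SYN),
    "ssh-ack-scan-from-core": Packet("ge-0/0/0", "tcp", "203.0.113.9", dport=22, flags=ACK),
    "snmp-from-core": Packet("ge-0/0/0", "udp", "203.0.113.9", dport=161),
}


def run(terms):
    """Map each sample packet name to the action the filter takes on it."""
    return {name: evaluate(terms, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, terms in (("as posted", RE_AS_POSTED), ("hardened", RE_HARDENED)):
        print(f"--- {label}")
        for name, p in SAMPLES.items():
            action, term = evaluate(terms, p)
            print(f"{name:24} {action:8} ({term})")
```

Running it shows the two things worth checking in the posted filter: a TCP SYN to port 179 from any address on any interface is accepted, and an ACK (or RST) packet to port 22 arriving on a core interface is accepted by the TCP-established term before the only-fxp0 discard is reached, so an ACK scan of the RE's management ports gets through the filter. The hardened list closes both by matching source-address against the peer prefix; the trade-off is that replies to TCP sessions the RE itself opens toward non-peer hosts on non-fxp0 interfaces now need their own terms.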

