North American Network Operators Group


Re: it's here

  • From: Jesper Skriver
  • Date: Wed Feb 13 12:40:32 2002

On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:

> Without control plane separation (and it's not possible with Cisco,
> Juniper, or most other routers out there), management services are
> listening on the public network, and that makes this very scary,
> regardless of filtering policies, etc.

interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* a filter on lo0 sees all traffic to the routing engine, from any interface */
                filter {
                    input RE;
                }
            }
        }
    }
}
firewall {
    filter RE {
        /* terms are evaluated in order; the first match wins */
        term BGP {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term TCP-established {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        /* insert other terms allowing routing protocol traffic etc. */
        /* anything that did not arrive on the management interface is dropped here */
        term only-fxp0 {
            from {
                interface-group-except fxp0;
            }
            then discard;
        }
        /* allow ssh, snmp etc. traffic only on the management LAN */
        term allow-from-fxp0 {
            from {
                interface-group fxp0;
            }
            then accept;
        }
    }
}

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
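The following is an added example, not code from the post above or from Juniper. It transcribes the four terms of the posted lo0 filter into Python and traces constructed packets through them first-match, the way a Junos filter evaluates terms, with the implicit discard at the end. It also carries a stricter variant (an assumption of this example, not something the post proposes) in which the BGP and established terms only accept packets from a hypothetical BGP peer prefix list. The interface names, addresses and packets are all constructed. The point worth seeing is that `tcp-established` matches any TCP segment with ACK or RST set and does no state tracking, so under the filter as posted such a segment reaches the routing engine from any interface, while the source-restricted variant drops it.

```python
"""Trace the Junos lo0 'RE' filter from the post against sample packets.

Added example, not code from the original post or Juniper: the filter terms
are transcribed by hand into Python and evaluated first-match, the way a
Junos firewall filter is, with an implicit discard at the end. Packets,
interface names and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    ingress: str            # interface the packet arrived on ("fxp0" = management)
    protocol: str           # "tcp", "udp" or "icmp"
    src: str                # source IPv4 address
    dst_port: int = 0
    ack: bool = False       # TCP ACK flag
    rst: bool = False       # TCP RST flag


# Constructed (hypothetical) prefix list of BGP peers; only the strict variant uses it.
BGP_PEERS = [ipaddress.ip_network("192.0.2.0/24")]


def from_peer(p):
    return any(ipaddress.ip_address(p.src) in n for n in BGP_PEERS)


# Match conditions of the four terms in the post's filter.
def match_bgp(p):
    return p.protocol == "tcp" and p.dst_port == BGP_PORT


def match_tcp_established(p):
    # Junos 'tcp-established' matches any TCP packet with ACK or RST set;
    # it does not track connection state.
    return p.protocol == "tcp" and (p.ack or p.rst)


def match_not_fxp0(p):
    return p.ingress != "fxp0"


def match_fxp0(p):
    return p.ingress == "fxp0"


# The filter as posted: (term name, match function, action).
FILTER_RE = [
    ("BGP", match_bgp, "accept"),
    ("TCP-established", match_tcp_established, "accept"),
    ("only-fxp0", match_not_fxp0, "discard"),
    ("allow-from-fxp0", match_fxp0, "accept"),
]

# Stricter variant (this example's addition, not the post's): BGP and
# established-TCP terms only accept packets sourced from the peer prefix list.
FILTER_RE_STRICT = [
    ("BGP-peers", lambda p: match_bgp(p) and from_peer(p), "accept"),
    ("TCP-established-peers", lambda p: match_tcp_established(p) and from_peer(p), "accept"),
    ("only-fxp0", match_not_fxp0, "discard"),
    ("allow-from-fxp0", match_fxp0, "accept"),
]


def evaluate(p, terms):
    """Return (term, action) for the first matching term; implicit discard if none."""
    for name, match, action in terms:
        if match(p):
            return name, action
    return "implicit", "discard"


# Constructed sample packets; "so-0/0/0" stands for a core-facing interface.
SAMPLES = {
    "ssh SYN from core iface": Packet("so-0/0/0", "tcp", "203.0.113.9", 22),
    "ssh SYN from fxp0": Packet("fxp0", "tcp", "10.0.0.5", 22),
    "snmp from core iface": Packet("so-0/0/0", "udp", "203.0.113.9", 161),
    "bgp SYN from peer": Packet("so-0/0/0", "tcp", "192.0.2.1", BGP_PORT),
    "bgp SYN from stranger": Packet("so-0/0/0", "tcp", "203.0.113.9", BGP_PORT),
    "ack probe to ssh from stranger": Packet("so-0/0/0", "tcp", "203.0.113.9", 22, ack=True),
    "ack from peer": Packet("so-0/0/0", "tcp", "192.0.2.1", 40000, ack=True),
}


def trace(terms):
    """Map each sample name to the (term, action) it hits under the given filter."""
    return {name: evaluate(p, terms) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, terms in (("as posted", FILTER_RE), ("strict", FILTER_RE_STRICT)):
        print(f"--- {label}")
        for name, (term, action) in trace(terms).items():
            print(f"{name:32s} -> {term:24s} {action}")
```

Running the file prints, for each constructed packet, the term it hits under the posted filter and under the strict variant. The ordering matters: because the two accept terms come before `only-fxp0`, anything they match is never subject to the interface check, which is why restricting their source addresses (or writing explicit terms per peer) is what actually narrows what can reach the routing engine from a core-facing interface.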