North American Network Operators Group

Re: it's here
On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:
> Without control plane separation (and it's not possible with Cisco,
> Juniper, or most other routers out there), management services are
> listening on the public network, and that makes this very scary,
> regardless of filtering policies, etc.

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE;
                }
            }
        }
    }
}

firewall {
    filter RE {
        term BGP {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term TCP-established {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        /* insert other terms allowing routing protocol traffic etc. */
        term only-fxp0 {
            from {
                interface-group-except fxp0;
            }
            then discard;
        }
        /* allow ssh, snmp etc. traffic only on the mgmt. LAN */
        term allow-from-fxp0 {
            from {
                interface-group fxp0;
            }
            then accept;
        }
    }
}

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
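The lo0 filter in the post works by first-match evaluation: a packet headed for the routing engine is compared against the terms in order, the first matching term decides, and anything that matches no term hits the implicit discard at the end of the filter. The following Python model is an added example, not part of Jesper's post and not JunOS code; it encodes the four terms of filter RE, runs constructed sample packets through them, and also shows what happens when the only-fxp0 term is moved ahead of the BGP term. The interface names (fxp0 for the management group, ge-0/0/0 for a transit interface), the port numbers and the packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed model of a JunOS firewall filter applied to lo0 (not JunOS itself):
# a packet is matched against terms in order, the first match decides, and an
# unmatched packet hits the implicit discard at the end of the filter.


@dataclass(frozen=True)
class Packet:
    protocol: str               # "tcp", "udp" or "icmp"
    dst_port: int               # 0 for protocols without ports
    ingress: str                # name of the interface the packet arrived on
    established: bool = False   # TCP packet with ACK or RST set (tcp-established)


@dataclass(frozen=True)
class Term:
    name: str
    match: Callable[[Packet], bool]
    action: str                 # "accept" or "discard"


# Assumption: the management interface group is identified by the interface
# name "fxp0"; every other interface is treated as a transit interface.
MGMT_IF = "fxp0"
BGP_PORT = 179

# The four terms of filter RE from the post, in the order the post lists them.
RE_FILTER: List[Term] = [
    Term("BGP",
         lambda p: p.protocol == "tcp" and p.dst_port == BGP_PORT, "accept"),
    Term("TCP-established",
         lambda p: p.protocol == "tcp" and p.established, "accept"),
    Term("only-fxp0",
         lambda p: p.ingress != MGMT_IF, "discard"),
    Term("allow-from-fxp0",
         lambda p: p.ingress == MGMT_IF, "accept"),
]


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for term in terms:
        if term.match(pkt):
            return term.name, term.action
    return "implicit-default", "discard"


# Constructed sample packets destined to the routing engine.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "bgp-syn-from-transit": Packet("tcp", BGP_PORT, "ge-0/0/0"),
    "ssh-syn-from-transit": Packet("tcp", 22, "ge-0/0/0"),
    "ssh-syn-from-mgmt": Packet("tcp", 22, MGMT_IF),
    "snmp-from-transit": Packet("udp", 161, "ge-0/0/0"),
    "snmp-from-mgmt": Packet("udp", 161, MGMT_IF),
    # ACK set: tcp-established matches on flags alone, so this reaches the RE
    "ssh-ack-from-transit": Packet("tcp", 22, "ge-0/0/0", established=True),
}


def run_samples(terms: List[Term] = RE_FILTER) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample packet and report which term decided it."""
    return {label: evaluate(terms, pkt) for label, pkt in SAMPLE_PACKETS.items()}


def misordered_filter() -> List[Term]:
    """The same terms with only-fxp0 moved first, to show why term order matters."""
    by_name = {t.name: t for t in RE_FILTER}
    return [by_name["only-fxp0"], by_name["BGP"],
            by_name["TCP-established"], by_name["allow-from-fxp0"]]


if __name__ == "__main__":
    for label, (term, action) in run_samples().items():
        print(f"{label:24s} -> {action:8s} (term {term})")
    print("misordered filter, BGP SYN from transit ->",
          evaluate(misordered_filter(), SAMPLE_PACKETS["bgp-syn-from-transit"]))
```

Two things the run makes visible that the configuration alone does not. First, order matters: with only-fxp0 moved ahead of BGP, a BGP SYN arriving on a transit interface is discarded and no sessions would come up. Second, tcp-established is a stateless flag match (ACK or RST set), so a TCP packet with those flags from a transit interface is accepted toward the RE by the second term no matter which port it targets; the protection for SSH and SNMP rests on the SYN being discarded by only-fxp0, which is exactly what the post's ordering achieves.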