[45720] in North American Network Operators' Group
Re: it's here
daemon@ATHENA.MIT.EDU (Jesper Skriver)
Wed Feb 13 12:38:32 2002
Date: Wed, 13 Feb 2002 18:37:53 +0100
From: Jesper Skriver <jesper@skriver.dk>
To: Eric Brandwine <ericb@UU.NET>
Cc: Ron da Silva <ron@aol.net>, Sean Donelan <sean@donelan.com>,
Alex Rubenstein <alex@nac.net>, nanog@merit.edu
Message-ID: <20020213183753.A35055@skriver.dk>
Mail-Followup-To: Jesper Skriver <jesper@skriver.dk>,
Eric Brandwine <ericb@UU.NET>, Ron da Silva <ron@aol.net>,
Sean Donelan <sean@donelan.com>, Alex Rubenstein <alex@nac.net>,
nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <gu9bsetv0k2.fsf@rampart.argfrp.us.uu.net>; from ericb@UU.NET on Wed, Feb 13, 2002 at 03:55:25PM +0000
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:
> Without control plane separation (and it's not possible with Cisco,
> Juniper, or most other routers out there), management services are
> listening on the public network, and that makes this very scary,
> regardless of filtering policies, etc.
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE;
                }
            }
        }
    }
}

firewall {
    filter RE {
        term BGP {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }
        term TCP-established {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        /* insert other terms allowing routing protocol traffic etc. */
        /* interface-group takes a numeric group id; match the
           management interface by name with interface-except */
        term only-fxp0 {
            from {
                interface-except fxp0.0;
            }
            then discard;
        }
        /* allow ssh, snmp etc. traffic only on the mngt. lan */
        term allow-from-fxp0 {
            from {
                interface fxp0.0;
            }
            then accept;
        }
    }
}
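The filter above relies on first-match term ordering, which is easy to get wrong when extra terms are inserted. The following is an added example, not code from Jesper's post or from Juniper: a small Python model of the filter's term order, run over constructed sample packets (interface names such as `so-0/0/0`, ports and TCP flags are all assumed inputs). It shows that BGP and management traffic on fxp0 reach the routing engine, that management connection attempts arriving on a transit interface are discarded, and, as a caveat worth knowing when reviewing such a filter, that the `tcp-established` term is evaluated before the interface terms, so the interface restriction only governs connection-initiating packets.

```python
"""Toy first-match evaluator for a JunOS-style RE protection filter.

Added example (not from the original post). It models only as much of
JunOS firewall filter semantics as the quoted filter uses: terms are
evaluated in order, the first match decides, and an unmatched packet
hits the implicit discard at the end of the filter.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

BGP_PORT = 179          # destination-port bgp
MGMT_IFACE = "fxp0.0"   # assumed management interface name


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "ospf", ...
    dst_port: Optional[int]          # None for protocols without ports
    ingress: str                     # ingress interface, e.g. "so-0/0/0"
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {"syn"}, {"ack"}


@dataclass(frozen=True)
class Term:
    name: str
    match: Callable[[Packet], bool]
    action: str                      # "accept" or "discard"


def tcp_established(pkt: Packet) -> bool:
    """JunOS 'tcp-established' matches TCP packets with ACK or RST set."""
    return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ack", "rst"})


# Terms in the same order as the filter quoted in the post.
RE_FILTER: List[Term] = [
    Term("BGP", lambda p: p.proto == "tcp" and p.dst_port == BGP_PORT, "accept"),
    Term("TCP-established", tcp_established, "accept"),
    # "insert other terms allowing routing protocol traffic etc." would go here
    Term("only-fxp0", lambda p: p.ingress != MGMT_IFACE, "discard"),
    Term("allow-from-fxp0", lambda p: p.ingress == MGMT_IFACE, "accept"),
]


def evaluate(pkt: Packet, terms: List[Term] = RE_FILTER) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term.

    A JunOS filter ends with an implicit discard, modelled here as the
    pseudo-term "implicit".
    """
    for term in terms:
        if term.match(pkt):
            return term.name, term.action
    return "implicit", "discard"


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate a set of constructed sample packets against RE_FILTER."""
    samples = {
        "bgp-syn-from-transit": Packet("tcp", BGP_PORT, "so-0/0/0", frozenset({"syn"})),
        "ssh-syn-from-transit": Packet("tcp", 22, "so-0/0/0", frozenset({"syn"})),
        "ssh-syn-from-mgmt": Packet("tcp", 22, MGMT_IFACE, frozenset({"syn"})),
        "snmp-from-mgmt": Packet("udp", 161, MGMT_IFACE),
        "snmp-from-transit": Packet("udp", 161, "so-0/0/0"),
        # ACK-flagged packets are accepted by TCP-established before the
        # interface terms are reached: the filter gates connection setup only.
        "ssh-ack-from-transit": Packet("tcp", 22, "so-0/0/0", frozenset({"ack"})),
    }
    return {name: evaluate(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (term, action) in demo().items():
        print(f"{name:24s} -> {action:8s} (term {term})")
```

Reordering `only-fxp0` ahead of `TCP-established` would make the interface restriction cover all TCP traffic, at the cost of also discarding return traffic for sessions the router itself opened on transit interfaces, which is the trade-off a stateless loopback filter forces.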
/Jesper
--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.