it's here

• Previous message (by thread): it's here
• Next message (by thread): it's here
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Feb 13, 2002 at 03:55:25PM +0000, Eric Brandwine wrote:

> Without control plane seperation (and it's not possible with Cisco,
> Juniper, or most other routers out there), management services are
> listening on the public network, and that makes this very scary,
> regardless of filtering policies, etc.

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE;
                }
            }
        }
    }
}
firewall {
    filter RE {
        term BGP {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then accept;
        }               
        term TCP-established {
            from {
                protocol tcp;
                tcp-established;
            }
            then accept;
        }
        /* insert other term's allowing routing protocol traffic etc. */
        term only-fxp0 {
            from {
                interface-group-except fxp0;
            }
            then discard;
        }
        /* allow ssh, snmp etc. traffin only on the mngt. lan */
        term allow-from-fxp0 {
            from {
                interface-group fxp0;
            }
            then accept;
        }
    }
}

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

• Previous message (by thread): it's here
• Next message (by thread): it's here
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]