Hi there,
I’ve recently set up an RB1000 as a BGP border router. As it’s on the edge of a service provider network, I’m generally not interested in tracking connections on it; however, I need to filter traffic destined to the router itself. It’s pretty easy to generate firewall rules for incoming traffic as well as outgoing traffic, but return traffic is somewhat more complex to handle. For instance, I could allow all outgoing traffic but only allow specific incoming traffic, such as SSH from specific IP addresses, BGP from known peering addresses, etc., but if I did a DNS lookup, the reply would arrive on an unknown UDP port.
Right now, I’ve made a workaround, allowing specific TCP flags and such, but I do not consider this solution very elegant. How do you guys recommend doing this? Surely, I cannot be the only one who has had this challenge.
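For readers following the thread, here is an added example (not from the original poster, and not a MikroTik-supplied configuration) of a stateless input-chain ruleset in RouterOS CLI syntax that implements the approach described in the post: explicit accepts for management and BGP, a TCP-flags rule for replies to sessions the router itself opened, and a source-port rule for DNS replies, with everything else dropped. The address-list names `mgmt-hosts`, `bgp-peers` and `dns-servers` are placeholders that must already exist under `/ip firewall address-list`.

```routeros
/ip firewall filter
# Management: SSH only from the known admin addresses (list name is a placeholder)
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt-hosts action=accept
# BGP sessions only from known peering addresses (list name is a placeholder)
add chain=input protocol=tcp dst-port=179 src-address-list=bgp-peers action=accept
# ICMP so that path MTU discovery and unreachables still reach the router
add chain=input protocol=icmp action=accept
# Replies to TCP sessions the router opened: a reply segment never carries SYN alone,
# so anything without SYN is treated as belonging to an existing session
add chain=input protocol=tcp tcp-flags=!syn action=accept
# DNS replies to the router's own lookups: source port 53 from the configured
# resolvers only, to an ephemeral destination port (list name is a placeholder)
add chain=input protocol=udp src-port=53 dst-port=1024-65535 \
    src-address-list=dns-servers action=accept
# Everything else addressed to the router itself is dropped
add chain=input action=drop
```

Two points a reviewer would flag about this stateless design. First, the `tcp-flags=!syn` rule accepts any non-SYN segment to any local port, so the TCP stack rather than the firewall ends up answering stray ACK or RST segments; that is the trade-off the post describes when connection tracking is switched off, and it is why the rule is placed after the explicit accepts and the drop is last. Second, restricting the UDP/53 rule to `src-address-list=dns-servers` (the resolvers configured under `/ip dns`) narrows the reply rule from "any host claiming source port 53" to the handful of addresses the router actually queries, at no cost in functionality.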