OSPF

Hello,
I realize that you can't actually pass OSPF through a firewall because OSPF
hello packets are sent with a TTL=1; however, you should be able to pass
them *TO* a firewall, right?
I have an OpenBSD pf machine running quagga with OSPF enabled.  When I turn
my packet filter on, this machine loses its routing table.  My question is,
how can I set pf up to support OSPF connections to and from its own IP
address?
Will "pass in quick on $if proto ospf all" and "pass out quick on $if proto
ospf all" work for unicast packets? (i.e., does pf's parsing of /etc/protocols
actually work?)
Here's my current pf.conf:
if = "fxp0"
scrub in on $if all
# Default Deny
#pass out all
#pass in all
block out log all
block in log all
# Allow all for lo0
pass in log quick on lo0 all
pass out log quick on lo0 all
# Allow OSPF packets to pass
pass in quick on $if proto ospf all
pass out quick on $if proto ospf all
pass in quick on $if from 224.0.0.0/4 to any
pass out quick on $if from 224.0.0.0/4 to any
# DSL Fix
pass out log on $if route-to ($if 10.64.14.64) from 146.82.194.224/27 to any keep state
# For ping/traceroute
pass out log on $if inet proto icmp all icmp-type 8 code 0 keep state
pass in log on $if inet proto icmp all icmp-type 8 code 0 keep state
# Firewall
pass out log on $if proto tcp from 10.64.14.40 to any flags S/SA modulate state
pass out log on $if proto udp from 10.64.14.40 to any keep state
pass in on $if proto tcp from 10.64.14.0/24 to 10.64.14.40 port 22 flags S/SA modulate state
# Internal net
pass out log on $if proto tcp from 10.64.14.0/24 to any flags S/SA modulate state
pass out log on $if proto udp from 10.64.14.0/24 to any keep state
# WAN
#pass in log on $if proto tcp from 10.64.0.0/16 to any flags S/SA modulate state
#pass in log on $if proto udp from 10.64.0.0/16 to any keep state
pass in log on $if proto tcp from 192.168.200.0/24 to 10.64.14.0/24 flags S/SA modulate state
pass in log on $if proto udp from 192.168.200.0/24 to 10.64.14.0/24 keep state
# Internet
pass out log on $if proto tcp from 146.82.194.224/27 to any flags S/SA modulate state
pass out log on $if proto udp from 146.82.194.224/27 to any keep state
pass in log on $if proto udp from any to 146.82.194.224/27 port 53 keep state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 53 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 80 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 22 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 21 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 20 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 25 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 110 flags S/SA modulate state
pass in log on $if proto tcp from any to 146.82.194.224/27 port 443 flags S/SA modulate state
--
Daniel Corbe, CCNA		tel +1 954-921-2400 x104
Senior Network Engineer		[email protected]
Results Technologies		http://www.resultstel.com
Dania Beach, FL
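A tightened OSPF ruleset for the situation described in this post, added here as an example and not part of the original message or of quagga's or OpenBSD's own documentation. It assumes the router's own address is 10.64.14.40 on fxp0 and that all OSPF neighbours sit on the directly connected 10.64.14.0/24 network (both values appear in the posted config, but which side carries OSPF is not stated); 224.0.0.5 and 224.0.0.6 are the OSPF AllSPFRouters and AllDRouters multicast groups.

```pf
# Added example, not the poster's config. Assumed values (see lead-in):
ext_if    = "fxp0"
router_ip = "10.64.14.40"      # this router's own address on $ext_if
ospf_net  = "10.64.14.0/24"    # network all OSPF neighbours are on

block in  log all
block out log all

# Weak form from the question. "proto ospf" resolves to IP protocol 89 via
# /etc/protocols, but "all" means any host able to reach the interface may
# exchange routing information with the daemon.
#pass in  quick on $ext_if proto ospf all
#pass out quick on $ext_if proto ospf all

# Tightened form. Hellos and DR/BDR traffic are sent to the multicast groups;
# database description, link-state request and retransmitted link-state
# update packets are unicast between neighbours, so both the group addresses
# and the router's own address must be allowed as destinations. OSPF is
# neither TCP nor UDP, so port, flags and modulate state options do not apply.
pass in  quick on $ext_if proto ospf from $ospf_net  to { 224.0.0.5, 224.0.0.6, $router_ip }
pass out quick on $ext_if proto ospf from $router_ip to { 224.0.0.5, 224.0.0.6, $ospf_net }
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then watch `pfctl -s rules -v` and the quagga OSPF neighbour table to confirm adjacencies form with only these two rules passing protocol 89.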