Firewall Wizards mailing list archives

Re: OSPF


From: Eric Vyncke <evyncke () cisco com>
Date: Tue, 10 Aug 1999 11:57:30 +0200

Delayed reply due to vacations ;)

You cannot pass OSPF Hellos and LSA through a packet filter or
stateful inspection firewall: the reasons are:
- OSPF LSA and Hellos are multicast and most firewalls do not
  support multicast
- OSPF LSA and Hellos are sent with TTL=1 (meaning local net only)
  and all these firewalls will discard the packet due to 'time exceeded'

The only way to pass OSPF through a firewall is to use an OSPF proxy
(aka router ;-) ). But then, my personal feeling is that you open
too much to the outside.

Additional notes:
- you may want to use BGP (which uses TCP with TTL > 1) to pass routing
  information
- you may also authenticate OSPF packets with an MD5 hash

Hope this helps

-eric

At 14:54 22/07/1999 +1000, Andrew_Bernoth () advantra com au wrote:


I ran into this issue last year.  I finally decided that the firewall really is
acting as a router, i.e. it passes traffic from one network to another network.
Hence the multicast packet would not be passed from one side to the other if the
firewall was not participating in OSPF, much the same as if you did put a router
in the place of the firewall and did not enable OSPF.

Then we looked at why the firewall was there at all.  The customer insisted that
they needed OSPF.  They also insisted that they needed to filter traffic from
one "untrusted" part of the company into a "trusted" part of the same parent
company; since we could not convince the customer otherwise, we kept the firewall
there, and ran gated on it.

This of course applies to my experience with IBM Firewall V3.x, other vendors
may not be as willing to run such things as gated on their firewalls.  In this
instance I suggested we put in something along the lines of a Cisco router with
Access Lists configured.

As a footnote, I heard yesterday that this client has decided to remove the
firewall, which confirmed my suspicions that they didn't really need it, and
they should have been more trusting.


"Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca> on 22/07/99 05:06:04 AM

Please respond to "Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca>

To:   firewall-wizards () nfr net
cc:    (bcc: Andrew Bernoth/AdvInt/Advantra)
Subject:  OSPF

I am trying to configure a firewall to forward OSPF "hello" packets.  The
firewall is installed between two OSPF-enabled routers and although it doesn't
participate in the OSPF itself, it must forward the data from one router to the
other.  The OSPF is sent via multicast to the IP address 224.0.0.5.

Does anyone have any insight into this problem?  Any advice on any
firewall product would be appreciated.

Thanks,

Brad MacQuarrie

Eric Vyncke                        
Consulting Engineer                Cisco Systems EMEA
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458
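The two reasons given above for why a non-OSPF hop drops OSPF Hellos, as an added example that is not part of the original thread: it builds a constructed IPv4 header for an OSPF Hello (protocol 89, destination 224.0.0.5, TTL 1) and for a unicast TCP segment, and applies the forwarding rules a plain router or packet-filtering firewall would apply. Header layout follows RFC 791; the addresses, TTL values and the checksum-left-zero simplification are assumptions for the demonstration.

```python
import ipaddress
import struct

OSPF_PROTO = 89          # IP protocol number for OSPF
TCP_PROTO = 6            # IP protocol number for TCP (used by BGP)
# 224.0.0.0/24 is the link-local multicast block; routers never forward it,
# whatever the TTL says. 224.0.0.5 (AllSPFRouters) sits inside it.
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

def build_ipv4_header(src, dst, proto, ttl, payload_len=0):
    """Construct a minimal IPv4 header (checksum left at 0; constructed sample only)."""
    return struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(raw):
    """Return the fields a forwarding decision needs from a raw IPv4 header."""
    _, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, raw[:20])
    return {"ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}

def forwarding_decision(raw):
    """Decide, as a router or packet filter that does not speak OSPF would,
    whether the packet crosses the box. Returns (verdict, list_of_reasons)."""
    hdr = parse_ipv4_header(raw)
    reasons = []
    if hdr["dst"] in LINK_LOCAL_MCAST:
        reasons.append("destination %s is link-local multicast, never routed" % hdr["dst"])
    if hdr["ttl"] <= 1:
        reasons.append("TTL=%d expires at this hop (ICMP time exceeded)" % hdr["ttl"])
    return ("drop" if reasons else "forward"), reasons

def forwarded_copy(raw):
    """The packet as it leaves the far interface: TTL decremented by one."""
    if forwarding_decision(raw)[0] != "forward":
        raise ValueError("packet is not forwardable")
    out = bytearray(raw)
    out[8] -= 1              # TTL is byte 8 of the IPv4 header
    return bytes(out)

# Constructed samples: an OSPF Hello as a router sends it, and a unicast TCP
# segment such as a multihop BGP session between the two routers would use.
OSPF_HELLO = build_ipv4_header("10.0.0.1", "224.0.0.5", OSPF_PROTO, ttl=1, payload_len=44)
BGP_SEGMENT = build_ipv4_header("10.0.0.1", "10.0.0.2", TCP_PROTO, ttl=64, payload_len=20)

if __name__ == "__main__":
    for name, pkt in (("OSPF Hello", OSPF_HELLO), ("BGP/TCP", BGP_SEGMENT)):
        print(name, forwarding_decision(pkt))
```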
