Firewall Wizards mailing list archives
Re: OSPF
From: Eric Vyncke <evyncke () cisco com>
Date: Tue, 10 Aug 1999 11:57:30 +0200
Delayed reply due to vacations ;)

You cannot pass OSPF Hellos and LSAs through a packet filter or stateful inspection firewall; the reasons are:

- OSPF LSAs and Hellos are multicast, and most firewalls do not support multicast
- OSPF LSAs and Hellos are sent with TTL=1 (meaning local net only), and all these firewalls will discard the packet due to 'time exceeded'

The only way to pass OSPF through a firewall is to use an OSPF proxy (aka router ;-) ). But then, my personal feeling is that you open too much to the outside.

Additional notes:

- you may want to use BGP (which uses TCP with TTL > 1) to pass routing information
- you may also authenticate OSPF packets with an MD5 hash

Hope this helps

-eric

At 14:54 22/07/1999 +1000, Andrew_Bernoth () advantra com au wrote:
I ran into this issue last year. I finally decided that the firewall really is acting as a router, i.e. it passes traffic from one network to another network. Hence the multicast packet would not be passed from one side to the other if the firewall was not participating in OSPF, much the same as if you did put a router in the place of the firewall and did not enable OSPF.

Then we looked at why the firewall was there at all. The customer insisted that they needed OSPF. They also insisted that they needed to filter traffic from one "untrusted" part of the company into a "trusted" part of the same parent company, and we could not convince the customer otherwise, so we kept the firewall there and ran gated on it. This of course applies to my experience with IBM Firewall V3.x; other vendors may not be as willing to run such things as gated on their firewalls. In this instance I suggested we put in something along the lines of a Cisco router with Access Lists configured.

As a footnote, I heard yesterday that this client has decided to remove the firewall, which confirmed my suspicions that they didn't really need it, and they should have been more trusting.

"Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca> on 22/07/99 05:06:04 AM
Please respond to "Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca>
To: firewall-wizards () nfr net
cc: (bcc: Andrew Bernoth/AdvInt/Advantra)
Subject: OSPF

I am trying to configure a firewall to forward OSPF "hello" packets. The firewall is installed between two OSPF-enabled routers and although it doesn't participate in the OSPF itself, it must forward the data from one router to the other. The OSPF is sent via multicast to the IP address 224.0.0.5.

Does anyone have any insight into this problem? Any advice on any firewall product would be appreciated.

Thanks,
Brad MacQuarrie
Eric Vyncke
Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke () cisco com
Mobile: +32-75-312.458
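To make Eric's two reasons concrete, here is an added example (not part of the thread, and not code from Cisco or any firewall vendor) that models a firewall acting as a plain, non-OSPF router: it parses the IPv4 header, applies the multicast and TTL checks, and decodes the OSPF common header from RFC 2328 to show the AuType field that carries the MD5 option. The packets, addresses and router IDs are constructed sample values.

```python
import ipaddress
import struct

OSPF_PROTO = 89   # IP protocol number for OSPF (RFC 2328)
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic (MD5)"}

def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 header fields a forwarding decision depends on."""
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto, "dst": ipaddress.IPv4Address(dst),
            "src": ipaddress.IPv4Address(src), "payload": pkt[ihl:total_len]}

def describe_ospf(payload: bytes) -> str:
    """Decode the common OSPF header (RFC 2328 A.3.1): type, router/area IDs, AuType."""
    ver, ptype, _len, router_id, area_id, _csum, autype = \
        struct.unpack("!BBH4s4sHH", payload[:16])
    return (f"OSPFv{ver} {OSPF_TYPES.get(ptype, '?')} from router "
            f"{ipaddress.IPv4Address(router_id)} area {ipaddress.IPv4Address(area_id)}, "
            f"auth={AUTH_TYPES.get(autype, '?')}")

def forward_decision(pkt: bytes, forwards_multicast: bool = False) -> tuple[bool, str]:
    """Model a firewall acting as a plain router that is not an OSPF speaker.
    Returns (forwarded?, reason); the two checks are the ones Eric lists."""
    ip = parse_ipv4(pkt)
    if ip["dst"].is_multicast and not forwards_multicast:
        return False, f"dst {ip['dst']} is multicast; box does not forward multicast"
    if ip["ttl"] <= 1:
        # A router decrements TTL before forwarding; 1 becomes 0, i.e. 'time exceeded'.
        return False, f"TTL={ip['ttl']} reaches 0 on forwarding: time exceeded"
    return True, f"forwarded (TTL {ip['ttl']} -> {ip['ttl'] - 1})"

def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Constructed sample packet; IP checksum left at 0 since nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample: OSPF Hello header to AllSPFRouters (224.0.0.5), TTL=1, AuType=2 (MD5).
OSPF_HELLO = build_ipv4("10.0.0.1", "224.0.0.5", OSPF_PROTO, 1, struct.pack(
    "!BBH4s4sHH8s", 2, 1, 24, ipaddress.IPv4Address("10.0.0.1").packed, b"\0" * 4, 0, 2, b"\0" * 8))
# Constructed sample: a unicast TCP segment to port 179 (BGP) with a normal TTL of 64.
BGP_SEG = build_ipv4("10.0.0.1", "10.0.1.1", 6, 64, struct.pack("!HH", 40000, 179) + b"\0" * 16)
```

Running `forward_decision(OSPF_HELLO)` shows the Hello dropped on the multicast check, and with `forwards_multicast=True` it is still dropped on TTL, whereas the BGP segment is forwarded.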