Firewall Wizards mailing list archives
Re: OSPF
From: Andrew_Bernoth () advantra com au
Date: Thu, 22 Jul 1999 14:54:16 +1000
I ran into this issue last year. I finally decided that the firewall really is acting as a router, i.e. it passes traffic from one network to another network. Hence the multicast packet would not be passed from one side to the other if the firewall was not participating in OSPF, much the same as if you did put a router in the place of the firewall and did not enable OSPF.

Then we looked at why the firewall was there at all. The customer insisted that they needed OSPF. They also insisted that they needed to filter traffic from one "untrusted" part of the company into a "trusted" part of the same parent company, and since we could not convince the customer otherwise, we kept the firewall there and ran gated on it. This of course applies to my experience with IBM Firewall V3.x; other vendors may not be as willing to run such things as gated on their firewalls. In this instance I suggested we put in something along the lines of a Cisco router with Access Lists configured.

As a footnote, I heard yesterday that this client has decided to remove the firewall, which confirmed my suspicions that they didn't really need it, and they should have been more trusting.

"Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca> on 22/07/99 05:06:04 AM
Please respond to "Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca>
To: firewall-wizards () nfr net
cc: (bcc: Andrew Bernoth/AdvInt/Advantra)
Subject: OSPF

I am trying to configure a firewall to forward OSPF "hello" packets. The firewall is installed between two OSPF-enabled routers and although it doesn't participate in the OSPF itself, it must forward the data from one router to the other. The OSPF is sent via multicast to the IP address 224.0.0.5. Does anyone have any insight into this problem? Any advice on any firewall product would be appreciated.

Thanks,
Brad MacQuarrie
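The point Andrew makes above (a firewall that routes but does not speak OSPF cannot pass the hellos) can be checked on a captured packet. The script below is an added example, not code from either poster: it constructs a sample OSPFv2 Hello addressed to 224.0.0.5 and reports the two properties that stop a non-participating router, or a firewall acting as one, from forwarding it: the destination lies in the link-local multicast block 224.0.0.0/24, and the TTL of 1 expires on the first hop. Field layouts follow RFC 2328; checksums are left as zero since the packet is never sent.

```python
import struct
import ipaddress

OSPF_PROTO = 89                                           # IP protocol number for OSPF
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")  # never forwarded by a router
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request",
              4: "LS Update", 5: "LS Ack"}


def build_ospf_hello(src, router_id, dst="224.0.0.5", ttl=1):
    """Construct an IPv4 packet carrying an OSPFv2 Hello (constructed sample;
    IP and OSPF checksums are left at zero)."""
    # Hello body: mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x02, 1, 40,
                       b"\0\0\0\0", b"\0\0\0\0")
    # OSPF header: version 2, type 1 (Hello), length, router ID, area 0, null auth
    ospf = struct.pack("!BBH4s4sHHQ", 2, 1, 24 + len(body),
                       ipaddress.IPv4Address(router_id).packed,
                       b"\0\0\0\0", 0, 0, 0) + body
    # IPv4 header with the given TTL and protocol 89
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ospf), 0, 0, ttl,
                     OSPF_PROTO, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + ospf


def classify(packet):
    """Report whether a routing (not bridging) device that does not itself run
    OSPF would forward this packet, and the reasons if it would not."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    dst = ipaddress.IPv4Address(packet[16:20])
    result = {"ospf": proto == OSPF_PROTO, "dst": str(dst), "ttl": ttl,
              "forwardable": True, "reasons": []}
    if result["ospf"]:
        result["type"] = OSPF_TYPES.get(packet[ihl + 1], "unknown")
        result["router_id"] = str(ipaddress.IPv4Address(packet[ihl + 4:ihl + 8]))
    if dst in LINK_LOCAL_MCAST:
        result["forwardable"] = False
        result["reasons"].append("destination is link-local multicast (224.0.0.0/24)")
    if ttl <= 1:
        result["forwardable"] = False
        result["reasons"].append("TTL of 1 expires on the first hop")
    return result


if __name__ == "__main__":
    print(classify(build_ospf_hello("10.0.0.1", "1.1.1.1")))
```

Only OSPF unicast traffic, such as virtual-link packets sent with a normal TTL, comes back as forwardable; for the hellos in Brad's setup the device must either join the OSPF area or bridge the segment instead of routing it.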