Firewall Wizards mailing list archives

Re: OSPF


From: Brett Eldridge <beldridg () best com>
Date: Fri, 23 Jul 1999 08:45:24 -0700 (PDT)

On Thu, 22 Jul 1999 Andrew_Bernoth () advantra com au wrote:

> I ran into this issue last year.  I finally decided that the firewall
> really is acting as a router, i.e. it passes traffic from one network
> to another network. Hence the multicast packet would not be passed
> from one side to the other if the firewall was not participating in
> OSPF, much the same as if you did put a router in the place of the
> firewall and did not enable OSPF.

I have configured a few firewall systems with OSPF using GateD and ran
into the same issue. A few notes from my experiences:

You used to be able to have GateD "forward" OSPF packets by participating
in the OSPF cloud but not installing any routes. The option in GateD used
to be:

       options noinstall ;

       noinstall   Do not change kernel's routing table.
                   Useful for verifying configuration files.

Unfortunately, I think they took it out around 3.5. Anybody know why?

I also take a few other security measures when using GateD:

 - use MD5 authentication
 - chroot the GateD daemon
 - use filters on the firewall gateways to allow updates from only
   defined routers.

It doesn't solve all problems, but it makes it a bit harder to compromise.


- brett
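One way to implement the two packet-level measures listed above (MD5 authentication and accepting updates only from defined routers), as an added example that is not part of the original post and not GateD's own code: it follows the OSPFv2 cryptographic authentication procedure of RFC 2328 Appendix D (MD5 over the packet with the zero-padded 16-byte key appended, digest trailing the packet, monotonic cryptographic sequence number) and adds a neighbour allow-list in front of it. The key, router IDs, area, addresses and Hello body are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed example of OSPFv2 cryptographic (MD5) authentication per RFC 2328,
# Appendix D, plus a source-address allow-list. Not code from the post or from
# GateD; the key, addresses and packet body below are made-up sample values.

OSPF_VERSION = 2
OSPF_HEADER_LEN = 24
AUTH_TYPE_CRYPTO = 2
DIGEST_LEN = 16

# Constructed receiver configuration: key ID -> secret, and permitted neighbours.
KEYS = {1: b"s3cret-example"}
ALLOWED = {"192.0.2.1", "192.0.2.2"}

# Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40,
                         socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"))


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """MD5 over the OSPF packet with the key appended, zero-padded/truncated to 16 bytes."""
    padded = key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")
    return hashlib.md5(packet + padded).digest()


def build_signed_packet(pkt_type, router_id, area_id, key_id, seq, key, body):
    """Sender side: OSPF header with AuType=2, body, then the trailing MD5 digest."""
    length = OSPF_HEADER_LEN + len(body)  # packet length excludes the digest
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, pkt_type, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0,  # checksum is set to 0 when cryptographic auth is used
                         AUTH_TYPE_CRYPTO)
    # Authentication field: 2 reserved bytes, key ID, auth data length, crypto sequence number.
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


def verify_packet(datagram, src_ip, allowed_neighbors, keys, last_seq):
    """Receiver side. Returns (accepted, reason, sequence number to record for this neighbour)."""
    if src_ip not in allowed_neighbors:
        return False, "source not an allowed neighbor", last_seq
    if len(datagram) < OSPF_HEADER_LEN:
        return False, "truncated header", last_seq
    version, _ptype, length, _rid, _aid, _csum, autype = struct.unpack("!BBH4s4sHH", datagram[:16])
    if version != OSPF_VERSION or autype != AUTH_TYPE_CRYPTO:
        return False, "not OSPFv2 with cryptographic authentication", last_seq
    _, key_id, auth_len, seq = struct.unpack("!HBBI", datagram[16:24])
    if auth_len != DIGEST_LEN or length < OSPF_HEADER_LEN or len(datagram) < length + DIGEST_LEN:
        return False, "bad auth data length or packet length", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key ID", last_seq
    if seq < last_seq:  # RFC 2328 D.4.3: must be >= the last accepted value
        return False, "cryptographic sequence number went backwards (replay?)", last_seq
    expected = ospf_md5_digest(datagram[:length], key)
    received = datagram[length:length + DIGEST_LEN]
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch", last_seq
    return True, "ok", seq


def demo():
    """Run one Hello through the outcomes a receiver must distinguish."""
    good = build_signed_packet(1, "192.0.2.1", "0.0.0.0", 1, 100, KEYS[1], HELLO_BODY)
    results = {"valid": verify_packet(good, "192.0.2.1", ALLOWED, KEYS, 99)}
    tampered = bytearray(good)
    tampered[OSPF_HEADER_LEN + 4] ^= 0x01  # flip a bit in the hello interval
    results["tampered"] = verify_packet(bytes(tampered), "192.0.2.1", ALLOWED, KEYS, 99)
    results["replayed"] = verify_packet(good, "192.0.2.1", ALLOWED, KEYS, 101)
    results["unknown_source"] = verify_packet(good, "203.0.113.9", ALLOWED, KEYS, 99)
    wrong_key = build_signed_packet(1, "192.0.2.1", "0.0.0.0", 1, 100, b"guess", HELLO_BODY)
    results["wrong_key"] = verify_packet(wrong_key, "192.0.2.1", ALLOWED, KEYS, 99)
    return results


if __name__ == "__main__":
    for name, (ok, reason, _seq) in demo().items():
        print(f"{name:15s} accepted={ok} ({reason})")
```

The allow-list check runs before any cryptography so that packets from undefined routers are dropped cheaply; the sequence-number comparison is what turns a captured valid update into a rejected replay, which is why the accepted sequence number is returned for the caller to store per neighbour.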


