Firewall Wizards mailing list archives

RE: OSPF on Firewall


From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 17 Dec 2003 16:47:26 -0500

Shimon,

OSPF shouldn't require a direct link between routers to pass routing
table information.

Being a dynamic routing protocol, I'm assuming you want to pass OSPF
traffic in both directions.

While traversing two logical network segments won't happen by default,
you can inform each router of the other router's presence.  If they're
Cisco routers, you can use the "neighbor" command within OSPF
configuration to inform each router of the other's IP address and
assign a routing cost.

See
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_command_reference_chapter09186a00800b3f35.html#22612

From the firewall perspective, you would need to allow OSPF traffic to
and from each router address.  I can't see how it would get any more
complex than that.

Of course, this might not be an *ideal* OSPF implementation because
you'll have a slightly-less-precise OSPF failure message when a link
goes down.  Did the Router1-to-Firewall or Router2-to-Firewall link
fail?  You won't know, but that doesn't seem like a big loss to me.  If
the firewall fails, both routers will know that the other is unreachable
and they'll react accordingly.

There may be other reasons not to pass OSPF traffic across a firewall.
If the two networks connected by the routers no longer "trust" each
other (necessitating a firewall), then it may not be wise to pass
routing tables back and forth...

Good luck.


-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon
Silberschlag
Sent: December 17, 2003 3:02 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] OSPF on Firewall


Let's say that I have two routers (on an internal network) that talk OSPF
between them.

Now I have to insert a firewall in-between the two routers.

I am led to believe (by the Communications people I work with) that
there is no other option but to install OSPF on the firewall, which
doesn't make me feel easy about the solution.

Is it true that there is no other way around this problem?

TIA,

Shimon Silberschlag

+972-3-9351572
+972-51-207130

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
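The setup David describes above (two Cisco routers peering by unicast "neighbor" statements, with the firewall permitting only OSPF between them), written out as an added example that is not part of the original thread. Everything concrete here is assumed: the router addresses 10.0.0.1 and 10.0.0.2, the interface names, OSPF process 1 and area 0, the placeholder shared secret, and, importantly, that the firewall sits in the path as a transparent bridge so both routers stay in the same subnet. The firewall rule is shown as an IOS extended ACL only to make the required match explicit; translate it to whatever the real firewall speaks.

```cisco
! Added example, not from the original post. Addresses, interface names,
! process/area numbers and the secret are assumed; the firewall is assumed
! to bridge the 10.0.0.0/24 segment so the two routers share a subnet.
!
! --- Router1 ---
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ! Point-to-multipoint non-broadcast: hellos are sent unicast to the
 ! configured neighbor instead of to multicast 224.0.0.5, which a
 ! firewall will typically not forward. This network type also accepts
 ! a per-neighbor cost, which the reply mentions.
 ip ospf network point-to-multipoint non-broadcast
 ! Authenticate the adjacency so only the intended peer can inject LSAs;
 ! this matters most when, as the reply notes, the two sides no longer
 ! fully trust each other.
 ip ospf message-digest-key 1 md5 <shared-secret>
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
 ! The "neighbor" command from the reply: unicast peer plus a cost.
 neighbor 10.0.0.2 cost 10
!
! --- Router2 --- (mirror image)
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip ospf network point-to-multipoint non-broadcast
 ip ospf message-digest-key 1 md5 <shared-secret>
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
 neighbor 10.0.0.1 cost 10
!
! --- Firewall --- what it has to let through, written as an IOS ACL for
! illustration only. OSPF is IP protocol 89, not TCP or UDP, so a port
! based rule will never match it. Permit it only between the two router
! addresses, in both directions, and log anything else that claims to be OSPF.
ip access-list extended OSPF-BETWEEN-ROUTERS
 permit ospf host 10.0.0.1 host 10.0.0.2
 permit ospf host 10.0.0.2 host 10.0.0.1
 deny   ospf any any log
```

Two checks worth doing before declaring victory: "show ip ospf neighbor" on each router should show the peer in FULL state, and the firewall's log for the deny line should stay empty (a hit there means something other than the two routers is trying to speak OSPF through the firewall). One caveat the reply does not spell out: this only works while both routers are in the same subnet across the firewall. If the firewall is a routed hop between them, the neighbor statements will not bring the adjacency up, and you are back to either running OSPF on the firewall, as Shimon's communications people suggested, or tunnelling between the routers so that the adjacency is formed over the tunnel instead.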