Firewall Wizards mailing list archives
RE: OSPF on Firewall
From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Wed, 17 Dec 2003 15:45:22 -0600
Depending on the firewall in question, this is correct. The key is whether your firewall supports passing multicast/broadcast traffic. For example, the PIX doesn't.

You *can* install OSPF on the firewall if you want to, just make sure that you harden it accordingly. If you are using OSPF authentication on a purely internal network and preventing it from running on any external interfaces I actually see very little downside in this, but that is just me. I like the simplicity of the solution. Plus, being a Cisco guy, this is what I have to do with their firewalls anyway.

The other alternative is to treat your routing traffic just like any other traffic (with above caveat noted). Basically create ACLs to permit the traffic and then create whatever internal associations that will allow the traffic to be passed by the firewall. Here is an example of how to pass BGP (I know you wanted OSPF, but the PIX won't do that) through a PIX firewall:

http://www.cisco.com/en/US/tech/tk365/tk80/technologies_configuration_example09186a008009487d.shtml

Good luck.

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon Silberschlag
Sent: Wednesday, December 17, 2003 02:02
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] OSPF on Firewall

Let's say that I have two routers (on an internal network) that talk OSPF between them. Now I have to insert a firewall in-between the two routers. I am led to believe (by the Communications people I work with) that there is no other option but to install OSPF on the firewall, which doesn't make me feel easy about the solution.

Is it true that there is no other way around this problem?

TIA,
Shimon Silberschlag
+972-3-9351572
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
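An added example, not part of the original message or of any vendor tooling: a small check for the two conditions the reply names, OSPF authentication in use and OSPF confined to internal interfaces. It parses the OSPFv2 header (RFC 2328) from a captured IPv4 packet; the interface names "inside" and "outside", the addresses and the sample packets are constructed assumptions.

```python
import struct

OSPF_PROTO = 89                      # IP protocol number assigned to OSPF
IP_FMT = "!BBHHHBBH4s4s"             # 20-byte IPv4 header without options
OSPF_FMT = "!BBH4s4sHH8s"            # 24-byte OSPFv2 common header (RFC 2328)

def build_packet(dst, autype, src="10.0.0.1"):
    """Constructed sample: IPv4 header plus a bare OSPFv2 Hello header."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack(IP_FMT, 0x45, 0, 44, 0, 0, 1, OSPF_PROTO, 0,
                     addr(src), addr(dst))
    ospf = struct.pack(OSPF_FMT, 2, 1, 24, addr(src), bytes(4), 0,
                       autype, bytes(8))
    return ip + ospf

def audit(packet, interface, internal_ifaces=("inside",)):
    """Return a list of findings for one IPv4 packet seen on `interface`."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not an IPv4 packet"]
    if packet[9] != OSPF_PROTO:      # byte 9 of the IPv4 header is the protocol
        return []
    findings = []
    if interface not in internal_ifaces:
        findings.append("OSPF seen on non-internal interface")
    ihl = (packet[0] & 0x0F) * 4     # header length in bytes, options included
    header = packet[ihl:ihl + 24]
    if len(header) < 24:
        return findings + ["truncated OSPF header"]
    version, _type, _len, _rid, _area, _cksum, autype, _auth = struct.unpack(
        OSPF_FMT, header)
    if version != 2:
        findings.append("unexpected OSPF version")
    if autype == 0:
        findings.append("AuType 0: no authentication")
    elif autype == 1:
        findings.append("AuType 1: simple password sent in cleartext")
    elif autype != 2:
        findings.append("unknown AuType")
    return findings

if __name__ == "__main__":
    for iface, autype in (("inside", 2), ("inside", 0), ("outside", 1)):
        print(iface, autype, audit(build_packet("224.0.0.5", autype), iface))
```
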