Hello Shorewall-List,

any suggestions/comments for this ruleset to allow OSPF-routing on the firewall (with GNU zebra)?
OSPF uses protocol 89, real+bcast-Addresses:

hosts:
    bcast eth0:224.0.0.0/24

rules:
    ACCEPT net $FW ospfigp
    ACCEPT $FW net ospfigp
    ACCEPT bcast $FW ospfigp
    ACCEPT $FW bcast ospfigp

This ruleset seems to work, but how secure is it?

Regards,
Andreas

-- 
[ Please no HTML mail / MS attachments *.xls *.doc ]
[ PGP Public Key at https://noc.megsystems.net/pgp/ ]
Andreas Wassatsch, Dipl.-Ing.
MEG Kommunikationssysteme GmbH
Hans-Bunte-Straße 20, D-69123 Heidelberg
using Linux since 0.99pl10
Phone 06221-8320-490, Fax -20
Hello,

just in case anyone is interested, OSPF uses the assigned multicast addresses 224.0.0.5 and 224.0.0.6 [RFC 2328], so the rules to allow OSPF routing on a Shorewall could be:

rules:
    ACCEPT net $FW 89
    ACCEPT $FW net 89
    ACCEPT 224.0.0.5 $FW 89
    ACCEPT $FW 224.0.0.5 89
    ACCEPT 224.0.0.6 $FW 89
    ACCEPT $FW 224.0.0.6 89

thanks for the exhaustive help.

Regards,
Andreas

On 20. June 2002 18:54, Andreas Wassatsch wrote:
> Hello Shorewall-List,
>
> any suggestions/comments for this ruleset to allow OSPF-routing
> on the firewall (with GNU zebra)?
> OSPF uses protocol 89, real+bcast-Addresses:
>
> hosts:
> bcast eth0:224.0.0.0/24
>
> rules:
> ACCEPT net $FW ospfigp
> ACCEPT $FW net ospfigp
> ACCEPT bcast $FW ospfigp
> ACCEPT $FW bcast ospfigp
>
> This ruleset seems to work, but how secure is it?
>
> Regards,
> Andreas
On Mon, 24 Jun 2002, Andreas Wassatsch wrote:
> Hello,
>
> just in case anyone is interested, OSPF uses the assigned
> multicast addresses 224.0.0.5 and 224.0.0.6 [RFC 2328],
> so the rules to allow OSPF routing on a Shorewall could be:
>
> rules:
> ACCEPT net $FW 89
> ACCEPT $FW net 89
> ACCEPT 224.0.0.5 $FW 89
> ACCEPT $FW 224.0.0.5 89
> ACCEPT 224.0.0.6 $FW 89
> ACCEPT $FW 224.0.0.6 89
>
> thanks for the exhaustive help.

Sorry that you don't find our _free_ support adequate. I debated long and hard about whether I should stay home this weekend reading RFCs to try to answer your original question, but I decided to drive 600 miles and care for my elderly parents instead.

Now for the rules that you have posted: I think you'll find that these will work:

    ACCEPT $FW net 89
    ACCEPT net $FW:224.0.0.5 89
    ACCEPT net $FW:224.0.0.6 89

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Mon, 24 Jun 2002, Tom Eastep wrote:
> Now for the rules that you have posted: I think you'll find that these
> will work:
>
> ACCEPT $FW net 89
> ACCEPT net $FW:224.0.0.5 89
> ACCEPT net $FW:224.0.0.6 89

One more thing -- the common.def file contains the following rule:

    run_iptables -A common -d 224.0.0.0/4 -j DROP

While testing multicast, it would be a good idea to create /etc/shorewall/common as follows:

    run_iptables -A common -d 224.0.0.0/4 -j RETURN
    . /etc/shorewall/common.def

That way multicasts that are dropped or rejected by policy will be logged.

-Tom
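The security question in Andreas's first post and Tom's answer differ in one column: `ACCEPT net $FW 89` accepts IP protocol 89 from the net zone to any address the firewall holds, while `ACCEPT net $FW:224.0.0.5 89` accepts it only when the destination is the AllSPFRouters group (224.0.0.6 is AllDRouters). The script below is an added example and is not part of the thread or of Shorewall. It reads rules in the four-column layout the posts use (ACTION SOURCE DEST PROTO; an assumption about the file format, since a real Shorewall rules file has more columns) and lists the net-to-firewall OSPF accepts that are not pinned to one of the two groups. The two rulesets are the ones from the thread, embedded as constructed sample input; the function names are mine. One caveat worth checking before relying on the pinned rules alone: per RFC 2328 (sections 8.1 and 13.6), on a broadcast network only Hellos and the normal flooding of Link State Updates and Acknowledgments go to the multicast groups, while Database Description, Link State Request and retransmitted Update packets are unicast to the neighbour, so a full adjacency also needs an accept whose source is pinned to the neighbour's address (the `net:NEIGHBOUR_IP` form, with NEIGHBOUR_IP a placeholder). The script treats a source pinned that way as restricted and does not report it.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: lint a rules
# fragment in the four-column layout used in the posts
# (ACTION SOURCE DEST PROTO; assumed here, real Shorewall files have more
# columns) for OSPF accepts from "net" that are not pinned to an OSPF group.

# Rulesets from the thread, embedded as constructed sample input.
ANDREAS_RULES='ACCEPT net $FW 89
ACCEPT $FW net 89
ACCEPT 224.0.0.5 $FW 89
ACCEPT $FW 224.0.0.5 89
ACCEPT 224.0.0.6 $FW 89
ACCEPT $FW 224.0.0.6 89'

TOM_RULES='ACCEPT $FW net 89
ACCEPT net $FW:224.0.0.5 89
ACCEPT net $FW:224.0.0.6 89'

# Print the rules that accept IP protocol 89 (by number or by its
# /etc/protocols name ospfigp) from the bare "net" zone and whose DEST is
# neither $FW:224.0.0.5 nor $FW:224.0.0.6. A SOURCE already pinned to a
# neighbour (net:ADDR) is treated as restricted and not reported.
# Blank lines and # comments are skipped. ($FW is a literal here: the
# shell never expands it inside the single-quoted awk program.)
unrestricted_ospf_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "ACCEPT" && $2 == "net" && ($4 == "89" || $4 == "ospfigp") &&
        $3 != "$FW:224.0.0.5" && $3 != "$FW:224.0.0.6" { print }'
}

# Number of such rules; 0 means every inbound OSPF accept is pinned.
unrestricted_ospf_count() {
    unrestricted_ospf_rules "$1" | awk 'END { print NR }'
}

# Exit 0 when the ruleset is pinned, 1 otherwise (usable as a build check
# before "shorewall restart").
check_ospf_rules() {
    [ "$(unrestricted_ospf_count "$1")" -eq 0 ]
}

echo "Andreas's rules, unpinned OSPF accepts from net:"
unrestricted_ospf_rules "$ANDREAS_RULES"
echo "Tom's rules, unpinned OSPF accepts from net:"
unrestricted_ospf_rules "$TOM_RULES"
```

Run against the thread's two rulesets, the script reports `ACCEPT net $FW 89` for the first and nothing for the second; `check_ospf_rules` fails for the first and succeeds for the second. It is a lint on the rules text only: it says nothing about the `common` chain multicast DROP that Tom mentions, which sits in front of these rules and has to be handled as he describes while testing.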