Date: Mon, 22 May 2000 16:09:06 -0700
From: Andre Gironda <andre@sun4c.net>
To: "Jean M. Vandette" <vandj@securenet.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW and OSPF
Message-ID: <20000522160906.B5867@toaster.sun4c.net>
In-Reply-To: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net>; from Jean M. Vandette on Mon, May 22, 2000 at 03:50:30PM -0400
References: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net>

Uh... I think you might be able to do this with IPFW. I haven't done it
myself.

According to /etc/protocols, OSPF is IP proto type 89. So like
"ipfw add allow 89 from <src> to <dst>" or just
"ipfw add allow ospf from any to any" :>

But that's just the IGP, now you have to worry about passing LSAs and
Hellos... they run over Multicast (224.0.0.5 and 224.0.0.6) with TTL=1.

So, you have multicast group 224.0.0.5 (all routers) and 224.0.0.6
(designated routers - DRs) that you need to allow
(ipfw add allow all from 224.0.0.X to X). Make sure you use "all" or
type 2 (IGMP).

Realize that this will only allow multicast to the local network (which
is hopefully all you need) because of the multicast ttl=1 (see ip(4) for
more information).

dre

On Mon, May 22, 2000 at 03:50:30PM -0400, Jean M. Vandette wrote:
> Greetings all,
>
> I was wondering if anyone could tell me what rule to put into
> the rc.firewall so ospf multicast updates will pass to the local
> servers. I've tried a few things without much success any help
> would be appreciated.
>
> Thanks in advance for any assistance.
>
> Jean M. Vandette
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
This program has been brought to you by the language C and the number F.
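
Added example, not part of the original message or the FreeBSD project's rc.firewall: a dry-run generator for a least-privilege version of the OSPF rules discussed above, scoped to one interface and one subnet rather than "any to any". The function name ospf_rules, the interface fxp0 and the subnet 192.0.2.0/24 are assumptions; the multicast groups are placed on the destination side, which is where they appear in OSPF packets.

```sh
#!/bin/sh
# ospf_rules IFACE SUBNET
# Prints ipfw commands that pass OSPF (IP protocol 89) only on one
# interface and only for routers inside one subnet. Nothing is applied;
# review the output, then pipe it to sh on the firewall.
# Hypothetical helper: not part of ipfw or rc.firewall.
ospf_rules() {
    iface=$1
    subnet=$2

    # Refuse anything that is not a plain interface name or a CIDR
    # string, so the generated text cannot carry extra shell syntax.
    case $iface in
        ''|*[!A-Za-z0-9_]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $subnet in
        ''|*[!0-9./]*) echo "bad subnet: $subnet" >&2; return 1 ;;
    esac

    # Hellos and flooded LSAs: sent to 224.0.0.5 (all OSPF routers)
    # and 224.0.0.6 (designated routers) with TTL 1, so they never
    # leave the local segment.
    for grp in 224.0.0.5 224.0.0.6; do
        echo "ipfw add allow ospf from $subnet to $grp via $iface"
    done

    # Database exchange and retransmissions go unicast between neighbors.
    echo "ipfw add allow ospf from $subnet to $subnet via $iface"

    # Anything else speaking protocol 89 is dropped and logged
    # (logging needs IPFIREWALL_VERBOSE in the kernel).
    echo "ipfw add deny log ospf from any to any"
}

# Dry run with constructed values.
ospf_rules fxp0 192.0.2.0/24
```
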