From owner-freebsd-security Mon May 22 16:06:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 6AB6637B7A9 for ; Mon, 22 May 2000 16:06:50 -0700 (PDT) (envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost) by toaster.sun4c.net (8.9.3+openldap/8.9.3) id QAA06151; Mon, 22 May 2000 16:09:07 -0700 (PDT)
Date: Mon, 22 May 2000 16:09:06 -0700
From: Andre Gironda
To: "Jean M. Vandette"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW and OSPF
Message-ID: <20000522160906.B5867@toaster.sun4c.net>
References: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <4.3.1.2.20000522154805.00bb55a0@pop.securenet.net>; from Jean M. Vandette on Mon, May 22, 2000 at 03:50:30PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Uh... I think you might be able to do this with IPFW.  I haven't done it myself.

According to /etc/protocols, OSPF is IP proto type 89, so something like "ipfw add allow 89 from to " or just "ipfw add allow ospf from any to any" :>

But that's just the IGP; now you have to worry about passing LSAs and Hellos... they run over multicast (224.0.0.5 and 224.0.0.6) with TTL=1.

So, you have multicast group 224.0.0.5 (all routers) and 224.0.0.6 (designated routers - DRs) that you need to allow (ipfw add allow all from 224.0.0.X to X).  Make sure you use "all" or type 2 (IGMP).

Realize that this will only allow multicast to the local network (which is hopefully all you need) because of the multicast TTL=1 (see ip(4) for more information).

dre

On Mon, May 22, 2000 at 03:50:30PM -0400, Jean M. Vandette wrote:
> Greetings all,
>
> I was wondering if anyone could tell me what rule to put into
> the rc.firewall so ospf multicast updates will pass to the local
> servers.  I've tried a few things without much success; any help
> would be appreciated.
>
> Thanks in advance for any assistance.
>
> Jean M. Vandette
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
This program has been brought to you by the language C and the number F.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
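An rc.firewall-style fragment that implements the rules the reply above describes (protocol 89 to 224.0.0.5 and 224.0.0.6, plus the unicast neighbour exchanges), added here as an example; it is not code from the original message or from FreeBSD. The interface name fxp0, the segment 192.0.2.0/24 and the rule numbers are assumptions.

```shell
#!/bin/sh
# rc.firewall fragment (added example): pass OSPF between routers on one
# local segment and nothing else.  OSPF is IP protocol 89 ("ospf" in
# /etc/protocols).  Hellos and LSAs go to 224.0.0.5 (AllSPFRouters) and
# 224.0.0.6 (AllDRouters) with TTL 1; the DBD/LSR/LSU/LSAck exchanges
# between adjacent routers are unicast within the segment, so those need
# a rule too, not just the multicast groups.
#
# Assumptions (not from the original message): the OSPF-facing interface
# is fxp0, the segment is 192.0.2.0/24, and rules are numbered from 1000.

IPFW=${IPFW:-/sbin/ipfw}        # set IPFW=echo to see the rules without loading them
oif=${oif:-fxp0}                # interface the OSPF neighbours live on
onet=${onet:-192.0.2.0/24}      # addresses of that segment

# ospf_rules BASE: install the OSPF rules starting at rule number BASE.
ospf_rules() {
    base=$1
    # Multicast Hello/LSA traffic from routers on the segment to the two groups.
    $IPFW add "$base"         allow ospf from "$onet" to 224.0.0.5 via "$oif"
    $IPFW add "$((base + 1))" allow ospf from "$onet" to 224.0.0.6 via "$oif"
    # Unicast adjacency traffic (DBD, LSR, LSU, LSAck) between neighbours.
    $IPFW add "$((base + 2))" allow ospf from "$onet" to "$onet" via "$oif"
    # Anything else claiming to be OSPF is not a neighbour of ours: drop and
    # log it rather than letting "allow ospf from any to any" accept it.
    $IPFW add "$((base + 3))" deny log ospf from any to any
}

# Only load the rules when rc.firewall is really installing them; sourcing
# this file with IPFW=echo just prints the rules that would be added.
if [ "${INSTALL_OSPF_RULES:-no}" = yes ]; then
    ospf_rules 1000
fi
```

Run with `IPFW=echo sh ospf.sh` (or source it and call `ospf_rules 1000`) to review the generated `ipfw add` lines before loading them. The source restriction to the local segment is the part worth keeping: the multicast TTL of 1 already stops OSPF from crossing a router, but a host on the segment, or anyone who can inject into it, can still send protocol 89 packets, and a `from any to any` allow hands them straight to the routing daemon. IGMP (protocol 2) is a different protocol from OSPF: the OSPF daemon joins 224.0.0.5/6 locally, and IGMP membership reports only matter if something on the segment is doing multicast routing or snooping.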