Firewall Wizards mailing list archives

Re: OSPF


From: Andrew_Bernoth () advantra com au
Date: Thu, 22 Jul 1999 14:54:16 +1000

I ran into this issue last year.  I finally decided that the firewall really is
acting as a router, i.e. it passes traffic from one network to another network.
Hence the multicast packet would not be passed from one side to the other if the
firewall was not participating in OSPF, much the same as if you did put a router
in the place of the firewall and did not enable OSPF.

Then we looked at why the firewall was there at all.  The customer insisted that
they needed OSPF.  They also insisted that they needed to filter traffic from
one "untrusted" part of the company into a "trusted" part of the same parent
company.  Since we could not convince the customer otherwise, we kept the firewall
there and ran gated on it.

This of course applies to my experience with IBM Firewall V3.x, other vendors
may not be as willing to run such things as gated on their firewalls.  In this
instance I suggested we put in something along the lines of a Cisco router with
Access Lists configured.

As a footnote, I heard yesterday that this client has decided to remove the
firewall, which confirmed my suspicions that they didn't really need it, and
they should have been more trusting.

"Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca> on 22/07/99 05:06:04 AM

Please respond to "Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca>

To:   firewall-wizards () nfr net
cc:    (bcc: Andrew Bernoth/AdvInt/Advantra)
Subject:  OSPF

I am trying to configure a firewall to forward OSPF "hello" packets.  The
firewall is installed between two OSPF-enabled routers and although it doesn't
participate in the OSPF itself, it must forward the data from one router to the
other.  The OSPF is sent via multicast to the IP address 224.0.0.5.

Does anyone have any insight into this problem?  Any advice on any
firewall product would be appreciated.

Thanks,

Brad MacQuarrie
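The point Andrew makes above, that a firewall sitting between two OSPF routers is itself a router and will not pass Hellos sent to 224.0.0.5 unless it speaks OSPF, can be modelled in a few lines. This is an added example, not code from either poster; the packets are constructed in-line from the RFC 2328 header layout, and the addresses, router IDs and area are made-up sample values.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

OSPF_PROTO = 89                       # IP protocol number for OSPF
OSPF_HELLO = 1                        # OSPF packet type 1 = Hello
ALL_SPF_ROUTERS = IPv4Address("224.0.0.5")
LINK_LOCAL_MCAST = IPv4Network("224.0.0.0/24")  # scope is one hop; routers never forward it

def build_ospf_hello(src, dst, router_id, area_id, ttl=1):
    """Constructed sample: minimal IPv4 header + OSPFv2 Hello (RFC 2328 field order)."""
    hello = struct.pack("!4sHBBI4s4s", IPv4Address("255.255.255.0").packed,
                        10, 0x02, 1, 40, b"\0" * 4, b"\0" * 4)   # mask, hello, opts, prio, dead, DR, BDR
    ospf = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, 24 + len(hello),
                       IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                       0, 0, b"\0" * 8) + hello                   # checksum/auth left zero for the sample
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ospf), 0, 0, ttl,
                     OSPF_PROTO, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + ospf

def parse(pkt):
    """Pull the fields a filtering device actually looks at: TTL, protocol, dst, OSPF type."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    dst = IPv4Address(pkt[16:20])
    ospf_type = pkt[ihl + 1] if proto == OSPF_PROTO else None   # OSPF header byte 1 is the type
    return ttl, proto, dst, ospf_type

def forwarding_decision(pkt):
    """Model a firewall that routes between its interfaces but does not run OSPF itself."""
    ttl, proto, dst, ospf_type = parse(pkt)
    if proto != OSPF_PROTO:
        return "not-ospf"
    if dst in LINK_LOCAL_MCAST or ttl <= 1:
        # Hellos go to AllSPFRouters with TTL 1: they stop at the first router.
        # Only a box that speaks OSPF (e.g. running gated) re-originates them on the far side.
        return "ospf-link-local: dropped unless firewall runs OSPF"
    # Unicast OSPF (virtual links, NBMA neighbours) is ordinary routed traffic.
    return "ospf-unicast: forwardable, subject to filter policy"

if __name__ == "__main__":
    hello = build_ospf_hello("10.0.0.1", "224.0.0.5", "10.0.0.1", "0.0.0.0")
    print(parse(hello), forwarding_decision(hello))
```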