Firewall Wizards mailing list archives
Re: OSPF
From: Brett Eldridge <beldridg () best com>
Date: Fri, 23 Jul 1999 08:45:24 -0700 (PDT)
On Thu, 22 Jul 1999 Andrew_Bernoth () advantra com au wrote:
I ran into this issue last year. I finally decided that the firewall really is acting as a router, i.e. it passes traffic from one network to another network. Hence the multicast packet would not be passed from one side to the other if the firewall was not participating in OSPF, much the same as if you did put a router in the place of the firewall and did not enable OSPF.
I have configured a few firewall systems with OSPF using GateD and ran into the same issue. A few notes from my experiences:

You used to be able to have GateD "forward" OSPF packets by participating in the OSPF cloud but not installing any routes. The option in GateD used to be:

    options noinstall ;

    noinstall
        Do not change kernel's routing table. Useful for verifying
        configuration files.

Unfortunately, I think they took it out around 3.5. Anybody know why?

I also take a few other security measures when using GateD:

- use MD5 authentication
- chroot the GateD daemon
- Use filters on the firewall gateways to allow updates from only defined routers.

It doesn't solve all problems, but it makes it a bit harder to compromise.

- brett
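The last two measures in the post (accept OSPF only from defined routers, and only with MD5 authentication) can be expressed as a packet filter on the OSPFv2 header. The following is an added example, not code from the post or from GateD; the router addresses are hypothetical and the sample packets are constructed inline (header only, checksum zeroed).

```python
import struct
from ipaddress import IPv4Address

# OSPFv2 common header (RFC 2328, A.3.1): version, type, length,
# router ID, area ID, checksum, AuType, 8 bytes of authentication data.
OSPF_HEADER = struct.Struct("!BBHIIHH8s")
AUTYPE_NULL, AUTYPE_SIMPLE, AUTYPE_CRYPTO = 0, 1, 2
PACKET_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request",
                4: "LS Update", 5: "LS Ack"}

# Hypothetical "defined routers": the only peers the firewall accepts OSPF from.
DEFINED_ROUTERS = {"192.0.2.1", "192.0.2.2"}


def parse_ospf_header(pkt: bytes) -> dict:
    """Decode the 24-byte OSPFv2 header; raises ValueError if truncated."""
    if len(pkt) < OSPF_HEADER.size:
        raise ValueError("truncated OSPF header")
    ver, ptype, length, rid, area, _csum, autype, _auth = OSPF_HEADER.unpack_from(pkt)
    return {"version": ver, "type": PACKET_TYPES.get(ptype, "unknown"),
            "length": length, "router_id": str(IPv4Address(rid)),
            "area_id": str(IPv4Address(area)), "autype": autype}


def filter_ospf(src_ip: str, pkt: bytes) -> tuple:
    """Return (accept, reason) for one OSPF packet arriving at the firewall."""
    try:
        hdr = parse_ospf_header(pkt)
    except ValueError as exc:
        return False, str(exc)
    if hdr["version"] != 2:
        return False, f"unsupported OSPF version {hdr['version']}"
    if src_ip not in DEFINED_ROUTERS:
        return False, f"{src_ip} is not a defined router"
    if hdr["autype"] != AUTYPE_CRYPTO:
        return False, f"AuType {hdr['autype']} is not cryptographic (MD5)"
    return True, f"{hdr['type']} from router {hdr['router_id']} area {hdr['area_id']}"


def make_header(ptype: int, router_id: str, autype: int) -> bytes:
    """Constructed sample: a header-only OSPF packet (no body, checksum zeroed)."""
    return OSPF_HEADER.pack(2, ptype, OSPF_HEADER.size, int(IPv4Address(router_id)),
                            0, 0, autype, b"\x00" * 8)


if __name__ == "__main__":
    samples = [
        ("192.0.2.1", make_header(1, "192.0.2.1", AUTYPE_CRYPTO)),       # accepted
        ("192.0.2.2", make_header(4, "192.0.2.2", AUTYPE_NULL)),         # no MD5
        ("198.51.100.9", make_header(1, "198.51.100.9", AUTYPE_CRYPTO)), # not defined
        ("192.0.2.1", b"\x02\x01"),                                      # truncated
    ]
    for src, pkt in samples:
        print(src, filter_ospf(src, pkt))
```

Checking AuType only proves the peer claims MD5; the keyed digest itself still has to be verified by the OSPF implementation holding the shared key.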