Firewall Wizards: Re: OSPF

Re: OSPF

From: Eric Vyncke <evyncke_at_cisco.com>
Date: Tue, 10 Aug 1999 11:57:30 +0200

Delayed reply due to vacations ;)

You cannot pass OSPF Hellos and LSA through a packet filter or
stateful inspection firewall: the reasons are:
- OSPF LSA and Hellos are multicast and most firewalls do not
  support multicast
- OSPF LSA and Hellos are sent with TTL=1 (meaning local net only)
  and all these firewalls will discard the packet due to 'time exceeded'

The only way to pass OSPF through a firewall is to use an OSPF proxy
(aka router ;-) ). But then, my personal feeling is that you open
too much to the outside.

Additional notes:
- you may want to use BGP (which uses TCP with TTL > 1) to pass routing
  information
- you may also authenticate OSPF packets with an MD5 hash

Hope this helps

-eric

At 14:54 22/07/1999 +1000, Andrew_Bernoth_at_advantra.com.au wrote:
>
>I ran into this issue last year. I finally decided that the firewall really is
>acting as a router, i.e. it passes traffic from one network to another network.
>Hence the multicast packet would not be passed from one side to the other if
>the firewall was not participating in OSPF, much the same as if you did put a
>router in the place of the firewall and did not enable OSPF.
>
>Then we looked at why the firewall was there at all. The customer insisted
>that they needed OSPF. They also insisted that they needed to filter traffic from
>one "untrusted" part of the company into a "trusted" part of the same parent
>company, and since we could not convince the customer otherwise, we kept the
>firewall there and ran gated on it.
>
>This of course applies to my experience with IBM Firewall V3.x, other vendors
>may not be as willing to run such things as gated on their firewalls. In this
>instance I suggested we put in something along the lines of a Cisco router with
>Access Lists configured.
>
>As a footnote, I heard yesterday that this client has decided to remove the
>firewall, which confirmed my suspicions that they didn't really need it, and
>they should have been more trusting.
>
>"Brad MacQuarrie" <Brad_MacQuarrie_at_maritimelife.ca> on 22/07/99 05:06:04 AM
>
>Please respond to "Brad MacQuarrie" <Brad_MacQuarrie_at_maritimelife.ca>
>
>To: firewall-wizards_at_nfr.net
>cc: (bcc: Andrew Bernoth/AdvInt/Advantra)
>Subject: OSPF
>
>I am trying to configure a firewall to forward OSPF "hello" packets. The
>firewall is installed between two OSPF-enabled routers and although it doesn't
>participate in the OSPF itself, it must forward the data from one router to the
>other. The OSPF is sent via multicast to the IP address 224.0.0.5.
>
>Does anyone have any insight into this problem? Any advice on any
>firewall product would be appreciated.
>
>Thanks,
>
>Brad MacQuarrie
>

Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke_at_cisco.com Mobile: +32-75-312.458
Received on Aug 10 1999
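The two packet properties Eric names (multicast destination 224.0.0.5 and TTL=1), plus the OSPF header's authentication type he recommends setting, can be checked directly from a raw capture. The script below is an added example, not code from the thread: it constructs a sample IPv4-encapsulated OSPFv2 Hello (checksums left at zero, addresses invented), parses the IPv4 and OSPF headers, and lists why a unicast, TTL-decrementing filter would never forward it and whether the packet is unauthenticated (AuType 0).

```python
import ipaddress
import struct

OSPF_PROTO = 89                  # IP protocol number for OSPF
ALL_SPF_ROUTERS = "224.0.0.5"    # AllSPFRouters multicast group used by Hellos
AUTH_NAMES = {0: "null", 1: "simple-password", 2: "cryptographic (MD5)"}


def build_sample_hello(ttl: int = 1, autype: int = 0) -> bytes:
    """Constructed IPv4 + OSPFv2 Hello for testing (not a real capture)."""
    # Hello body: netmask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
    hello = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                        b"\0\0\0\0", b"\0\0\0\0")
    ospf_len = 24 + len(hello)
    # OSPFv2 header: version 2, type 1 (Hello), length, router ID, area ID,
    # checksum (0 here), AuType, 8 bytes of authentication data
    ospf_hdr = struct.pack("!BBH4s4sHH8s", 2, 1, ospf_len,
                           ipaddress.IPv4Address("10.0.0.1").packed,
                           b"\0\0\0\0", 0, autype, b"\0" * 8)
    # IPv4 header with the requested TTL, protocol 89, checksum left at 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + ospf_len, 0, 0,
                         ttl, OSPF_PROTO, 0,
                         ipaddress.IPv4Address("10.0.0.1").packed,
                         ipaddress.IPv4Address(ALL_SPF_ROUTERS).packed)
    return ip_hdr + ospf_hdr + hello


def parse_ospf_over_ipv4(pkt: bytes) -> dict:
    """Summarise the IPv4 and OSPFv2 header fields a firewall admin cares about."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    ttl, proto = pkt[8], pkt[9]
    if proto != OSPF_PROTO:
        raise ValueError(f"not OSPF: IP protocol {proto}")
    dst = ipaddress.IPv4Address(pkt[16:20])
    version, otype, _len, rid, area, _csum, autype = struct.unpack(
        "!BBH4s4sHH", pkt[ihl:ihl + 16])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(dst),
            "ttl": ttl, "multicast": dst.is_multicast,
            "ospf_version": version, "ospf_type": otype,   # 1 = Hello
            "router_id": str(ipaddress.IPv4Address(rid)),
            "area_id": str(ipaddress.IPv4Address(area)),
            "auth": AUTH_NAMES.get(autype, f"unknown({autype})")}


def firewall_findings(summary: dict) -> list[str]:
    """Why a non-OSPF-speaking filter drops this packet, and whether it is unauthenticated."""
    findings = []
    if summary["multicast"]:
        findings.append(f"destination {summary['dst']} is multicast")
    if summary["ttl"] <= 1:
        findings.append(f"TTL={summary['ttl']} expires at the first hop")
    if summary["auth"] == "null":
        findings.append("OSPF header carries no authentication (AuType 0)")
    return findings
```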
