[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

firewall configuration on a router



Hi !
Thanx for all your answers.
I tried to setup my firewall rules allowing RIP v2 and/or OSPF but it
did not work.
This is the log i got from STDOUT

 #For RIP
2002/06/10 13:02:57 RIP: can't send packet : Permission denied
2002/06/10 13:02:58 RIP: can't send packet : Permission denied

#For OSPF
2002/06/10 11:20:59 OSPF: ASBR[Status:1]: Update
2002/06/10 11:20:59 OSPF: ASBR[Status:2]: Update
2002/06/10 11:20:59 OSPF: ASBR[Status:2]: Already ASBR
2002/06/10 11:20:59 OSPF: ASBR[Status:3]: Update
2002/06/10 11:20:59 OSPF: ASBR[Status:3]: Already ASBR
2002/06/10 11:20:59 OSPF: OSPFd (0.92a) starts
2002/06/10 11:20:59 OSPF: interface IP join AllSPFRouters Multicast group.
2002/06/10 11:21:00 OSPF: LSA: AS-external-LSA was not originated.
2002/06/10 11:21:00 OSPF: *** sendto in ospf_write failed with Permission denied
2002/06/10 11:21:05 OSPF: Route[External]: Calculate AS-external-LSA  to IP/26
2002/06/10 11:21:05 OSPF: Route[External]: AS-external-LSA is self originated
2002/06/10 11:21:10 OSPF: *** sendto in ospf_write failed with Permission denied
2002/06/10 11:21:20 OSPF: *** sendto in ospf_write failed with Permission denied

Here is ipfw i wrote for ospf and rip

ipfw add pass ospf from any to any


#Allow rip
ipfw add pass udp from OUTSIDE INTERFACE 520  to any

Those rules are between

  ipfw add pass tcp from any to any established
  and
  ipfw add deny all from any to any



Do anybody knows what's going wrong ?



Sewa

PS: How can i configure syslogd to write screen output directly in a file
when using this rule ?
ipfw add deny log tcp from any to any in via ${oif} setup.
Most of the rule i'm usinf are in /etc/rc.firewall when using
firewall_type=simple.

sorry for my poor english.





BC> On Thu, Jun 06, 2002 at 07:09:34PM +0200, Rob Hunter wrote:
>> > I' want to set up a firewall on my router box runing  zebra.
>> > For now all is working good but and i need to know port on which ospf and
>> > ripd (version 2) are listening on to write ipfw rule correctly.
>> 
>> % grep -i ospf /etc/services
>> ospfd           2604/tcp   #OSPFd vty
>> ospf6d          2606/tcp   #OSPF6d vty
>> 
>> % grep -i ospf /etc/services
>> ospfd           2604/tcp   #OSPFd vty
>> ospf6d          2606/tcp   #OSPF6d vty

BC> Wrong answer.

BC> OSPF does not run over UDP or TCP, and therefore "port" does not mean
BC> anything. It is its own layer 4 protocol:

BC> $ grep ospf /etc/protocols
BC> ospf    89      OSPFIGP         # Open Shortest Path First IGP

BC> (for comparison, tcp is protocol 6 and udp is protocol 17)

BC> RIP, I *think* is UDP. Port 520 (RFC1058, RIPv1). It's obsolete.

BC> Regards,

BC> brian.



-- 
Best regards,
 Sewa                            mailto:sewa at cafe.tg


-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org