[nsp] OSPF x firewall
BERKANE Mourad
mourad.berkane.prestataire at cegetel.fr
Fri Dec 19 09:48:44 EST 2003
Thanks for your point Russell.
As Oli said, it won't work unless doing something really dirty:
- Can't a firewall change an IP TTL value?
- Can't the IP source of LSA packets be changed by a firewall?
- Isn't tunneling of multicast packets between 2 FW interfaces possible?
Nothing standard; OK, this looks dirty :-) and may not be possible with all
firewall vendors.
A clean solution could be changing the routing design (to static) or including
the firewall feature in the routers themselves (ACL).
-----Original Message-----
From: Russell Heilling [mailto:russell at ccie.org.uk]
Date: Friday 19 December 2003 15:20
To: BERKANE Mourad
Cc: 'Thales'; 'cisco-nsp at puck.nether.net'
Subject: Re: [nsp] OSPF x firewall
On Fri, Dec 19, 2003 at 02:08:16PM +0100, BERKANE Mourad wrote:
>
> Hello,
>
> A Firewall or a Cisco ACL operate in the forwarding plane, not in the
> control one.
> Your firewall needn't be OSPF aware, you just need to allow routing
> exchange between backbone area routers.
I have to disagree with this... OSPF hellos and LSAs are link local
(i.e. TTL=1) multicast packets. It should be possible to pass these
through the firewall if it is operating in a transparent bridging mode,
but in most firewall implementations the firewall itself will act as a
gateway rather than a bridge, and therefore TTL=1 packets will not be
passed between the inside and outside (assuming the firewall itself has
support for multicast forwarding of some form...).
Cheerz,
Russell
> Have fun/
> Mourad
>
> -----Original Message-----
> From: Thales [mailto:thalesrx at terra.com.br]
> Date: Friday 19 December 2003 01:05
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] OSPF x firewall
>
>
> Folks,
>
> I have an area 0 with 2 routers running OSPF. Now, I need to put a firewall
> in the middle. Is it possible to maintain this structure without changing
> anything and without needing to enable OSPF in the firewall? Does someone
> know a tip or a trick? The subnet will be different.
>
> Thanks in advance
>
> Thales Azevedo
> Rio de Janeiro - Brazil
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Russell Heilling
http://www.ccie.org.uk/
PGP: finger russellh at bela.homeunix.net
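The disagreement in this thread comes down to how a firewall treats OSPF packets: hellos and LSAs on a broadcast network go to 224.0.0.5 with TTL=1, so an IP gateway between two subnets will not forward them, while a transparent (bridging) firewall can, subject to its ACL. The following model, added here and not code from anyone on the list, builds a minimal IPv4 header and runs it through a simplified routed-firewall decision and a bridged-firewall decision, plus a first-match ACL of the kind the "clean solution" of router ACLs relies on. Addresses, the ACL entries and the packet contents are constructed for the demonstration; the ACL representation is a simplification, not any vendor's syntax.

```python
import struct
import ipaddress

OSPF_PROTO = 89                                            # IP protocol number for OSPF
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")   # 224.0.0.5/6 live here
IPV4_HDR = "!BBHHHBBH4s4s"                                 # 20-byte IPv4 header, no options


def build_ipv4(src, dst, ttl, proto=OSPF_PROTO, payload=b""):
    """Build a minimal IPv4 packet (header checksum left zero; fine for an offline model)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields a firewall looks at: TTL, protocol, source and destination."""
    f = struct.unpack(IPV4_HDR, pkt[:20])
    return {"ttl": f[5], "proto": f[6],
            "src": ipaddress.IPv4Address(f[8]), "dst": ipaddress.IPv4Address(f[9])}


def acl_permits(acl, hdr):
    """First-match ACL with an implicit deny at the end (Cisco-style behaviour)."""
    for entry in acl:
        if entry["proto"] not in (None, hdr["proto"]):
            continue
        if hdr["src"] in entry["src"] and hdr["dst"] in entry["dst"]:
            return entry["permit"]
    return False


def routed_firewall(pkt, acl):
    """Firewall acting as an IP gateway between two subnets: routes and decrements TTL."""
    hdr = parse_ipv4(pkt)
    if hdr["dst"] in LINK_LOCAL_MCAST:
        return False, "link-local multicast is not forwarded by a router"
    if hdr["ttl"] <= 1:
        return False, "TTL would reach 0 at this hop"
    if not acl_permits(acl, hdr):
        return False, "denied by ACL"
    return True, "forwarded with TTL %d" % (hdr["ttl"] - 1)


def bridged_firewall(pkt, acl):
    """Firewall in transparent (bridging) mode: one L2 segment, TTL left untouched."""
    hdr = parse_ipv4(pkt)
    if not acl_permits(acl, hdr):
        return False, "denied by ACL"
    return True, "bridged with TTL %d" % hdr["ttl"]


# Constructed sample addresses and ACL (hypothetical, not from the thread).
R1, R2 = "10.0.0.1", "10.0.1.1"
ACL = [{"permit": True, "proto": OSPF_PROTO,              # router-to-router unicast OSPF
        "src": ipaddress.IPv4Network("10.0.0.0/16"),
        "dst": ipaddress.IPv4Network("10.0.0.0/16")},
       {"permit": True, "proto": OSPF_PROTO,              # OSPF to AllSPFRouters
        "src": ipaddress.IPv4Network("10.0.0.0/16"),
        "dst": ipaddress.IPv4Network("224.0.0.5/32")}]

HELLO = build_ipv4(R1, "224.0.0.5", ttl=1)        # what OSPF sends on a broadcast network
UNICAST_OSPF = build_ipv4(R1, R2, ttl=64)          # unicast, e.g. to a configured NBMA neighbor


def demo():
    """Run the four cases the thread discusses and return the decisions."""
    return {"hello_routed": routed_firewall(HELLO, ACL),
            "hello_bridged": bridged_firewall(HELLO, ACL),
            "unicast_routed": routed_firewall(UNICAST_OSPF, ACL),
            "unicast_no_acl": routed_firewall(UNICAST_OSPF, [])}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-16s %s  (%s)" % (name, "PASS" if ok else "DROP", why))
```

The routed case drops the hello before the ACL is even consulted, which is Russell's point: no ACL entry can fix a packet the gateway will never forward. The bridged case passes it only because the ACL explicitly permits protocol 89 to 224.0.0.5, and the unicast case shows the permit-between-routers ACL that a router-based design would carry.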