Hello, I realize that you can't actually pass ospf through a firewall because ospf hello packets are sent with a TTL=1; however, you should be able to pass them *TO* a firewall, right?
I have an OpenBSD pf machine running quagga with ospf enabled. When I turn my packet filter on, this machine loses its routing table. My question is, how can I set pf up to support ospf connections to and from its own IP address? Will "pass in quick on $if proto ospf all" and "pass out quick on $if proto ospf all" work for unicast packets? (i.e. does pf's parsing of /etc/protocols actually work?) Here's my current pf.conf:

    if = "fxp0"

    scrub in on $if all

    # Default Deny
    #pass out all
    #pass in all
    block out log all
    block in log all

    # Allow all for lo0
    pass in log quick on lo0 all
    pass out log quick on lo0 all

    # Allow OSPF packets to pass
    # "proto ospf" is looked up in /etc/protocols (IP protocol 89)
    pass in quick on $if proto ospf all
    pass out quick on $if proto ospf all
    # OSPF multicast groups (224.0.0.5 / 224.0.0.6) appear as the
    # destination of hello packets, not the source
    pass in quick on $if from 224.0.0.0/4 to any
    pass out quick on $if from 224.0.0.0/4 to any

    # DSL Fix
    pass out log on $if route-to ($if 10.64.14.64) from 146.82.194.224/27 to any keep state

    # For ping/traceroute
    pass out log on $if inet proto icmp all icmp-type 8 code 0 keep state
    pass in log on $if inet proto icmp all icmp-type 8 code 0 keep state

    # Firewall
    pass out log on $if proto tcp from 10.64.14.40 to any flags S/SA modulate state
    pass out log on $if proto udp from 10.64.14.40 to any keep state
    pass in on $if proto tcp from 10.64.14.0/24 to 10.64.14.40 port 22 flags S/SA modulate state

    # Internal net
    pass out log on $if proto tcp from 10.64.14.0/24 to any flags S/SA modulate state
    pass out log on $if proto udp from 10.64.14.0/24 to any keep state

    # WAN
    #pass in log on $if proto tcp from 10.64.0.0/16 to any flags S/SA modulate state
    #pass in log on $if proto udp from 10.64.0.0/16 to any keep state
    pass in log on $if proto tcp from 192.168.200.0/24 to 10.64.14.0/24 flags S/SA modulate state
    pass in log on $if proto udp from 192.168.200.0/24 to 10.64.14.0/24 keep state

    # Internet
    pass out log on $if proto tcp from 146.82.194.224/27 to any flags S/SA modulate state
    pass out log on $if proto udp from 146.82.194.224/27 to any keep state
    pass in log on $if proto udp from any to 146.82.194.224/27 port 53 keep state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 53 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 80 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 22 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 21 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 20 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 25 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 110 flags S/SA modulate state
    pass in log on $if proto tcp from any to 146.82.194.224/27 port 443 flags S/SA modulate state

--
Daniel Corbe, CCNA
tel +1 954-921-2400 x104
Senior Network Engineer
[EMAIL PROTECTED]
Results Technologies
http://www.resultstel.com
Dania Beach, FL
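The fragment below is an added example, not part of the post above or of any quagga/OpenBSD documentation. It shows a tighter way to admit OSPF on a pf host that is itself the router: instead of "proto ospf all", it restricts OSPF (IP protocol 89, resolved by pf from /etc/protocols) to the directly attached segment and to the two standard OSPF multicast groups, 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRouters). The interface name fxp0 is taken from the post; the assumption that all OSPF neighbours live on that interface's network is mine.

```pf
# Added example: OSPF only between this router and its attached segment.
ext_if     = "fxp0"
ospf_mcast = "{ 224.0.0.5, 224.0.0.6 }"

# Default deny, logged, so blocked OSPF shows up on pflog0 while debugging.
block in  log on $ext_if all
block out log on $ext_if all

# Multicast OSPF: hellos and DR/BDR traffic. Source must be a neighbour on
# the attached network; destination is one of the two OSPF groups.
pass in  quick on $ext_if proto ospf from $ext_if:network to $ospf_mcast
pass out quick on $ext_if proto ospf from $ext_if           to $ospf_mcast

# Unicast OSPF (database description, LS request/update/ack) addressed to
# this router's own interface address, again only from the attached segment.
pass in  quick on $ext_if proto ospf from $ext_if:network to $ext_if
pass out quick on $ext_if proto ospf from $ext_if         to $ext_if:network
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it; a failure on "proto ospf" would mean the name is missing from /etc/protocols, in which case `proto 89` is the equivalent. Once loaded, `pfctl -sr` prints the installed rules, and `tcpdump -n -e -ttt -i pflog0` shows exactly which OSPF packets are still being dropped by the logged block rules, which is the quickest way to see why the routing table empties when the filter comes up.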
