Might be a simple enhancement request...add an 'other' text box to type
in any ip proto number (89 for ospf) like there is for the IP port numbers.
For now, just try adding a non-logging rule to block 'any' IP protocol
from the router's source IP address (or _to_ the osfp multicast
address). Blocking the router source could potentially interrupt DHCP,
but it's working now without a rule permitting it, so you should be
fine. If the rule does impact DHCP, try adding a WAN rule permitting
UDP access from the router ip (source) on port 67 to your WAN interface
port 68 (dest).
Hope that helps.
anders knudsen wrote:
>OK. How doe one block OSPF proto. The web gui does not list OSPF as a proto.
>On Thu, 16 Dec 2004 17:47:05 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
>>On Thu, 16 Dec 2004 10:33:59 -0700, anders knudsen <andersbk at gmail dot com> wrote:
>>>I have qwest dsl. The modem is set up in bridge mode (essentially it's
>>>just a transceiver.)
>>>m0n0wall is authenticating via PPPoE, and NAT/Firewall are working perfectly.
>>>My concern is that ipf is blocking ospf requests from qwest. Will this
>>>be a problem? Is it possible/safe to create an ipf rule to not log
>>>these requests, as they are very frequent (see output from ipmon
>>>below. I removed the source IP...and the 224 is obviously the ospf
>>>I did search the mailing list, and read all the various posts
>>>about/requesting ospf support, and can understand why it's not
>>>included. I'm not asking for this feature, just trying to understand
>>>if blocking these will affect me.
>>Not going to hurt anything. That's their OSPF which only affects
>>their routers. They really shouldn't be advertising out
>>customer-facing interfaces, but we won't go there. :) (depending on
>>their network design, if it's not well done, they may have to)
>>Yes, you can safely drop and not log it.
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch