 From:  Robert Rich <rrich at gstisecurity dot com>
 To:  anders knudsen <andersbk at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Qwest DSL OSPF blocking?
 Date:  Fri, 17 Dec 2004 04:36:56 -0500
Bummer.

Might be a simple enhancement request...add an 'other' text box to type 
in any ip proto number (89 for ospf) like there is for the IP port numbers.

For now, just try adding a non-logging rule to block 'any' IP protocol 
from the router's source IP address (or _to_ the ospf multicast 
address).  Blocking the router source could potentially interrupt DHCP, 
but it's working now without a rule permitting it, so you should be 
fine.  If the rule does impact DHCP, try adding a WAN rule permitting 
UDP access from the router ip (source) on port 67 to your WAN interface 
port 68 (dest).

Hope that helps.


anders knudsen wrote:

>OK. How does one block OSPF proto. The web gui does not list OSPF as a proto.
>
>-Anders
>
>On Thu, 16 Dec 2004 17:47:05 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
>
>>On Thu, 16 Dec 2004 10:33:59 -0700, anders knudsen <andersbk at gmail dot com> wrote:
>>
>>>I have qwest dsl. The modem is set up in bridge mode (essentially it's
>>>just a transceiver.)
>>>m0n0wall is authenticating via PPPoE, and NAT/Firewall are working perfectly.
>>>My concern is that ipf is blocking ospf requests from qwest. Will this
>>>be a problem? Is it possible/safe to create an ipf rule to not log
>>>these requests, as they are very frequent (see output from ipmon
>>>below. I removed the source IP...and the 224 is obviously the ospf
>>>broadcast address.)
>>>
>>>I did search the mailing list, and read all the various posts
>>>about/requesting ospf support, and can understand why it's not
>>>included. I'm not asking for this feature, just trying to understand
>>>if blocking these will affect me.
>>>
>>>
>>Not going to hurt anything.  That's their OSPF which only affects
>>their routers.  They really shouldn't be advertising out
>>customer-facing interfaces, but we won't go there.  :)  (depending on
>>their network design, if it's not well done, they may have to)
>>
>>Yes, you can safely drop and not log it.
>>
>>-Chris
>>
>>
>
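Added example, not part of the thread: the rules Robert describes, written as hand-edited ipfilter (ipf) rules rather than through the m0n0wall webGUI that cannot express protocol 89. The interface name wan0 and the ISP router address 203.0.113.1 are placeholders; 224.0.0.5 and 224.0.0.6 are the standard OSPF all-routers / designated-router multicast groups.

```ipf
# Added example (not from the thread). Assumptions: the WAN interface is
# "wan0" and the ISP's router is 203.0.113.1 (both placeholders).
#
# Drop OSPF (IP protocol 89) silently. No "log" keyword means ipmon never
# sees it; "quick" stops rule evaluation so the default block-and-log rule
# at the end of the generated ruleset never matches these packets.
block in quick on wan0 proto 89 from 203.0.113.1/32 to any
block in quick on wan0 proto 89 from any to 224.0.0.5/32
block in quick on wan0 proto 89 from any to 224.0.0.6/32

# Broader variant Robert mentions: drop every IP protocol from the router's
# source address. Because "quick" rules match in order, the DHCP pass rule
# (server port 67 -> client port 68) must come before the broad block so a
# lease renewal from the router is not dropped.
pass  in quick on wan0 proto udp from 203.0.113.1/32 port = 67 to any port = 68
block in quick on wan0 from 203.0.113.1/32 to any
```

Checking that the silent rules are hit is a matter of watching the counters with ipfstat rather than ipmon, since the whole point is that nothing is logged.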