 From:  anders knudsen <andersbk at gmail dot com>
 To:  mk at neon1 dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Qwest DSL OSPF blocking?
 Date:  Fri, 17 Dec 2004 11:57:53 -0700
OK. Based on this thread, Manuel, I request that for "Firewall: Rules:
Edit" the protocol pop-up be enhanced to allow for any protocol in
/etc/protocols (just cat this file on your fav bsd box.) Or, just
leave the pop-up as is, but add the "other" with "field" selection as
described by Robert.

Does this seem reasonable?

thanks,
-anders.



On Fri, 17 Dec 2004 04:36:56 -0500, Robert Rich <rrich at gstisecurity dot com> wrote:
> Bummer.
> 
> Might be a simple enhancement request...add an 'other' text box to type
> in any ip proto number (89 for ospf) like there is for the IP port numbers.
> 
> For now, just try adding a non-logging rule to block 'any' IP protocol
> from the router's source IP address (or _to_ the ospf multicast
> address).  Blocking the router source could potentially interrupt DHCP,
> but it's working now without a rule permitting it, so you should be
> fine.  If the rule does impact DHCP, try adding a WAN rule permitting
> UDP access from the router ip (source) on port 67 to your WAN interface
> port 68 (dest).
> 
> Hope that helps.
> 
> 
> anders knudsen wrote:
> 
> >OK. How does one block OSPF proto. The web gui does not list OSPF as a proto.
> >
> >-Anders
> >
> >On Thu, 16 Dec 2004 17:47:05 -0500, Chris Buechler <cbuechler at gmail dot com> wrote:
> >
> >
> >>On Thu, 16 Dec 2004 10:33:59 -0700, anders knudsen <andersbk at gmail dot com> wrote:
> >>
> >>
> >>>I have qwest dsl. The modem is set up in bridge mode (essentially it's
> >>>just a transceiver.)
> >>>m0n0wall is authenticating via PPPoE, and NAT/Firewall are working perfectly.
> >>>My concern is that ipf is blocking ospf requests from qwest. Will this
> >>>be a problem? Is it possible/safe to create an ipf rule to not log
> >>>these requests, as they are very frequent (see output from ipmon
> >>>below. I removed the source IP...and the 224 is obviously the ospf
> >>>broadcast address.)
> >>>
> >>>I did search the mailing list, and read all the various posts
> >>>about/requesting ospf support, and can understand why it's not
> >>>included. I'm not asking for this feature, just trying to understand
> >>>if blocking these will affect me.
> >>>
> >>>
> >>>
> >>Not going to hurt anything.  That's their OSPF which only affects
> >>their routers.  They really shouldn't be advertising out
> >>customer-facing interfaces, but we won't go there.  :)  (depending on
> >>their network design, if it's not well done, they may have to)
> >>
> >>Yes, you can safely drop and not log it.
> >>
> >>-Chris
> >>
> >>
> >>
> >
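As an added illustration of the workaround Robert describes (not part of the thread, and not m0n0wall's own generated configuration), here are the equivalent rules in ipfilter's ipf.conf syntax. It assumes the PPPoE WAN interface is ng0 and the upstream router address is 192.0.2.1; both are placeholders.

```conf
# Added example, not from the thread or from m0n0wall. Assumptions: the WAN
# interface is ng0 and the upstream router is 192.0.2.1 (placeholders).
# "quick" makes the first matching rule final, so rule order matters.

# Narrow option: drop OSPF (IP protocol 89) by protocol name, as listed in
# /etc/protocols. No "log" keyword, so ipmon stays quiet about it.
# 224.0.0.5 and 224.0.0.6 are the two OSPF multicast groups.
block in quick on ng0 proto ospf from any to 224.0.0.5
block in quick on ng0 proto ospf from any to 224.0.0.6
# Numeric form, if the protocol name is not available:
# block in quick on ng0 proto 89 from any to any

# GUI-style workaround (no protocol selector needed): block every protocol
# from the router's source address instead. The DHCP exception must sit
# ABOVE the block rule, otherwise the block matches first and it never fires.
pass in quick on ng0 proto udp from 192.0.2.1 port = 67 to any port = 68
block in quick on ng0 from 192.0.2.1 to any
```

Check the result with `ipfstat -hio` (hit counters per rule) rather than ipmon, since the block rules above are deliberately non-logging.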