Q> FW-1 and OSPF

Brett Eldridge beldridg@cup.hp.com
Tue, 9 Jun 1998 17:45:30 -0700 (PDT)


Hi Leslie,

I clipped firewalls from the cc: list because I think you mis-typed the
address (firewalls@@lists.gnac.net) and I don't think your message made
it.


On Thu, 4 Jun 1998, Leslie Jay wrote:

> I am brought in to help this company install and configure a
> Checkpoint FW-1 in the following scenario.

[snip diagram] 

> They use OSPF for the routers to exchange information.
> And are concerned if putting the FW-1 in between
> the routers will break the OSPF protocol or not.
> 
> My concern is although FW-1 knows about OSPF, (since it
> is already in the list of services), whether it will
> be as simple as adding the service in the allow list 
> of the rule.


It depends how you want the FW-1 gateway to participate in OSPF. 

By default, OSPF uses multicast (224.0.0.5 and 224.0.0.6). In general,
this means that "Two OSPF routers will never form a neighbor relationship
and hence will never forward packets directly between each other unless
they share a common (IP subnet) prefix." [1]

The design of OSPF also says that "routers receiving the Hello will
accept it only if (a) both routers agree on the subnet mask and (b) both
router interfaces (sender and receiver) attach to the same subnet." [2]

This basically means that you need the firewall to either participate
directly in OSPF or to at least "relay" the information (actually, I
think the work on NHRP will allow you to get around this).

So, you will need to learn a little about GateD and you will need to
ensure that the OS and specific NICs you use support multicast (well, you
could also use NBMA in a pinch).

The bottom line is that configuring the policy in Firewall-1 is the easy
part.


[1] OSPF Anatomy of an Internet Routing Protocol, J. Moy, Addison Wesley,
1998, p. 104

[2] Ibid.



- brett
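The two conditions Brett quotes from Moy are what an OSPF router checks before it even considers a Hello. The following Python is an added example, not part of the message above or of any FW-1 or GateD code: it builds OSPFv2 Hello packets in the RFC 2328 wire format, parses them back, and applies the receiving-interface checks (sender on the same subnet, same network mask, same area, same HelloInterval and RouterDeadInterval; the timer checks go beyond the two points quoted but are part of the same RFC 2328 procedure). The router IDs, addresses and timers are constructed sample data, and only null authentication (AuType 0) is handled. The firewall scenario from the thread is modelled at the end: a Hello arriving from a router on the other side of the FW-1 is rejected on the subnet check, so passing protocol 89 through the rulebase alone would not make the routers neighbors, which is why the gateway has to run OSPF itself.

```python
"""Added example (not from the original message): OSPFv2 Hello packets built,
parsed and accepted the way a receiving interface does it per RFC 2328.
All addresses and timers are constructed sample data; nothing is sent."""
import ipaddress
import struct
from dataclasses import dataclass

ALL_SPF_ROUTERS = ipaddress.IPv4Address("224.0.0.5")  # all OSPF routers
ALL_D_ROUTERS = ipaddress.IPv4Address("224.0.0.6")    # DR and BDR only
OSPF_HELLO = 1
HEADER_LEN = 24  # OSPFv2 header; the Hello body starts at offset 24


def ip(s):
    return ipaddress.IPv4Address(s)


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. With null authentication, OSPFv2 covers
    the whole packet except the 64-bit authentication field (RFC 2328 D.4.1)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, mask, hello_int, dead_int, neighbors=(),
                options=0x02, priority=1, dr="0.0.0.0", bdr="0.0.0.0") -> bytes:
    """Serialize a Hello: 24-byte header, then network mask, HelloInterval,
    options, router priority, RouterDeadInterval, DR, BDR, one 4-byte entry
    per neighbor seen on the link."""
    body = struct.pack("!4sHBBI4s4s", ip(mask).packed, hello_int, options,
                       priority, dead_int, ip(dr).packed, ip(bdr).packed)
    body += b"".join(ip(n).packed for n in neighbors)
    length = HEADER_LEN + len(body)
    # version 2, type 1, length, router id, area id, checksum 0, AuType 0, auth
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_HELLO, length, ip(router_id).packed,
                      ip(area_id).packed, 0, 0, bytes(8))
    csum = ospf_checksum(hdr[:16] + body)  # skip the 8-byte auth field
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + body


def parse_hello(pkt: bytes) -> dict:
    """Parse and validate a Hello; raise ValueError on anything malformed."""
    if len(pkt) < HEADER_LEN + 20:
        raise ValueError("packet too short for a Hello")
    ver, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack(
        "!BBH4s4sHH8s", pkt[:HEADER_LEN])
    if ver != 2 or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length != len(pkt) or (length - HEADER_LEN - 20) % 4:
        raise ValueError("bad length field")
    if autype != 0:
        raise ValueError("only null authentication is handled here")
    # Summing the packet with its checksum field included must give zero.
    if ospf_checksum(pkt[:16] + pkt[HEADER_LEN:]) != 0:
        raise ValueError("checksum mismatch")
    mask, hello, opts, prio, dead, dr, bdr = struct.unpack(
        "!4sHBBI4s4s", pkt[HEADER_LEN:HEADER_LEN + 20])
    nbrs = [str(ip(pkt[i:i + 4])) for i in range(HEADER_LEN + 20, length, 4)]
    return {"router_id": str(ip(rid)), "area_id": str(ip(aid)),
            "mask": str(ip(mask)), "hello_interval": hello, "options": opts,
            "priority": prio, "dead_interval": dead, "dr": str(ip(dr)),
            "bdr": str(ip(bdr)), "neighbors": nbrs}


@dataclass
class Interface:
    """A broadcast-type OSPF interface (constructed configuration)."""
    address: str
    mask: str
    area_id: str = "0.0.0.0"
    hello_interval: int = 10
    dead_interval: int = 40

    @property
    def network(self):
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


def accept_hello(iface: Interface, src: str, dst: str, pkt: bytes):
    """Apply the RFC 2328 8.2 header checks and 10.5 Hello checks for a
    broadcast interface. Returns (accepted, reason)."""
    # 224.0.0.5/6 are link-local scope: routers (and a firewall acting as
    # one) do not forward them, so a Hello only ever arrives from the link.
    if ip(dst) not in (ALL_SPF_ROUTERS, ALL_D_ROUTERS, ip(iface.address)):
        return False, "destination is not this interface or an OSPF group"
    if ip(src) not in iface.network:          # (b) sender on the same subnet
        return False, "source %s is not on %s" % (src, iface.network)
    try:
        h = parse_hello(pkt)
    except ValueError as e:
        return False, "malformed: %s" % e
    if h["area_id"] != iface.area_id:
        return False, "area mismatch"
    if h["mask"] != iface.mask:               # (a) both agree on the mask
        return False, "network mask mismatch"
    if (h["hello_interval"] != iface.hello_interval
            or h["dead_interval"] != iface.dead_interval):
        return False, "HelloInterval/RouterDeadInterval mismatch"
    return True, "neighbor %s" % h["router_id"]


if __name__ == "__main__":
    inside = Interface("10.1.1.1", "255.255.255.0")   # router on the inside net
    same_link = build_hello("10.1.1.2", "0.0.0.0", "255.255.255.0", 10, 40)
    print(accept_hello(inside, "10.1.1.2", "224.0.0.5", same_link))
    # Router on the far side of the FW-1: even if the rulebase let the packet
    # through, the subnet check in 8.2 rejects it.
    far_side = build_hello("10.1.2.2", "0.0.0.0", "255.255.255.0", 10, 40)
    print(accept_hello(inside, "10.1.2.2", "224.0.0.5", far_side))
```

The demo uses the addresses from a constructed two-subnet layout (10.1.1.0/24 inside, 10.1.2.0/24 outside), not the diagram snipped from Leslie's message. If the FW-1 host runs GateD with an OSPF interface on each subnet, each side's Hellos come from an address on that side's own subnet and both checks pass; that is the "participate directly" option in the message, and the rulebase then only has to let the gateway's own OSPF traffic in and out.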