RE: [fw-wiz] OSPF on Firewall

MHawkins_at_TULLIB.COM
Date: 12/17/03

    To: shimons@bll.co.il, firewall-wizards@honor.icsalabs.com
    Date: Wed, 17 Dec 2003 16:34:12 -0500
    
    

    No, this is not true.

    You CAN establish OSPF neighbors across firewalls (and RIP, BGP, EIGRP,
    IGRP).

    Since OSPF uses multicast to find other neighbors you can do it one of two
    ways depending on the type of firewall you are using.

    The easy way is to configure the routers on either side of the firewall with
    specific neighbor statements that will establish unicast connections to each
    other through the firewall.

    The hard way is to get multicast routing working on your firewall and then
    open OSPF IP protocol 89 (RFC 1247). This is a big hassle (and can't work at
    all on PIX since PIX doesn't support multicast). I tried this with
    Nokia/CheckPoint and have put it off for now. Too hard, and Cisco IGMP and
    Nokia IGMP have interoperability problems too!

    Stick to the easy way - it works.

    Mike H

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Shimon
    Silberschlag
    Sent: Wednesday, December 17, 2003 3:02 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] OSPF on Firewall

    Let's say that I have two routers (on an internal network) that talk OSPF
    between them.

    Now I have to insert a firewall in-between the two routers.

    I am led to believe (by the Communications people I work with) that there is
    no other option but to install OSPF on the firewall, which doesn't make me
    feel easy about the solution.

    Is it true that there is no other way around this problem?

    TIA,

    Shimon Silberschlag

    +972-3-9351572
    +972-51-207130

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
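
Added example, not part of the original posts: a Python sketch of the filter decision that the unicast-neighbor approach in the reply implies at the firewall, permitting only IP protocol 89 between the two routers and rejecting multicast OSPF. The router addresses (192.0.2.1 and 192.0.2.2), the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

OSPF_PROTO = 89  # IP protocol number for OSPF, as named in the post
# Assumed addresses of the routers on either side of the firewall.
PEERS = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("192.0.2.2")}
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}

def build_packet(src, dst, ospf_type=1, proto=OSPF_PROTO):
    """Constructed sample: 20-byte IPv4 header + 24-byte OSPFv2 header, checksums zeroed."""
    s, d = ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed
    ospf = struct.pack("!BBH4s4sHH8s", 2, ospf_type, 24, s, bytes(4), 0, 0, bytes(8))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(ospf), 0, 0, 1, proto, 0, s, d)
    return ip + ospf

def check(packet):
    """Return (allowed, reason) for one raw IPv4 packet under a peers-only OSPF rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if packet[9] != OSPF_PROTO:
        return False, f"protocol {packet[9]} is not OSPF"
    if dst.is_multicast:
        return False, f"multicast destination {dst}"
    if {src, dst} != PEERS:
        return False, f"{src} -> {dst} is not the configured router pair"
    if ihl < 20 or len(packet) < ihl + 24:
        return False, "truncated OSPF header"
    version, ospf_type = packet[ihl], packet[ihl + 1]
    if version != 2 or ospf_type not in OSPF_TYPES:
        return False, "not a valid OSPFv2 packet type"
    return True, f"OSPF {OSPF_TYPES[ospf_type]} {src} -> {dst}"

SAMPLES = [  # constructed packets, not captured traffic
    build_packet("192.0.2.1", "192.0.2.2"),           # unicast Hello between the peers
    build_packet("192.0.2.1", "224.0.0.5"),           # multicast Hello (AllSPFRouters)
    build_packet("198.51.100.7", "192.0.2.2"),        # OSPF from an unexpected source
    build_packet("192.0.2.1", "192.0.2.2", proto=6),  # same hosts, but not OSPF
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(check(pkt))
```
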

