From securityrouter.org, an OpenBSD-based firewall
Revision as of 07:54, 9 October 2012 by Anders

Open Shortest Path First[1] (OSPF) is a link-state routing protocol for Internet Protocol (IP) networks. Halon Security's implementation is based on, and slightly extends, OpenBSD's OpenOSPFD[2], which makes the ospfd.conf manual page[3] a good source of information. Currently, OSPF can only be configured by editing the clear-text configuration file.


The following sub-chapters will describe, and provide examples for, a few common scenarios. The web administration's plain-text editor or the CLI configure command can be used to add the OSPF configuration to the configuration file.

Redundant firewalls

It's not unusual to have two redundant BGP routers and two redundant firewalls, connected using OSPF. In this example, we will show the configuration of an OSPF firewall. The firewall will make the redundant service available to the LAN using CARP. The configuration below is used on both firewalls, except that the "advskew" value should be higher on the backup firewall. The firewall that is active will announce its "LAN" (carp0) network to the routers. Likewise, if a firewall loses all OSPF connectivity, it will demote itself from being master.

interface em0 {
   description "LAN"
   interface carp0 {
      # higher value on the backup firewall
      advskew 1
   }
}
ospf {
   area {
      # give up CARP mastership if all OSPF adjacencies are lost
      demote carp
      # router 1
      interface em1
      # router 2
      interface em2
      # LAN, only announced if CARP master
      interface carp0
   }
}

Monitoring and administration

Most run-time information is viewed using the ospfctl[4] program. When logged into the CLI as a normal user, the command route ospf followed by some arguments should be used. If root access is enabled, the ospfctl command may be issued directly from the shell with no argument restrictions.

admin> route ospf show nei
ID              Pri State        DeadTime Address         Iface     Uptime
                1   FULL/OTHER   00:00:33                 em2       06w4d01h
                1   FULL/DR      00:00:33                 em2       06w4d01h
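As an added example (not part of the original page or the Halon product), the script below parses the route ospf show nei table format shown above and flags uplinks without a FULL adjacency, which is the condition under which the demote carp setting above hands CARP mastership to the peer firewall. The interface names em1 and em2 come from the configuration above; the router IDs, addresses and the second (INIT) row are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str       # "<adjacency>/<role>", e.g. FULL/DR or INIT/-
    dead_time: str
    address: str
    iface: str
    uptime: str


HEADER = re.compile(r"^ID\s+Pri\s+State\s+DeadTime\s+Address\s+Iface\s+Uptime")


def parse_neighbors(output):
    """Return one Neighbor per data row of `ospfctl show neighbor` output."""
    neighbors = []
    for line in output.splitlines():
        if not line.strip() or HEADER.match(line):
            continue                      # skip blank lines and the header
        parts = line.split()
        if len(parts) != 7:
            raise ValueError("unexpected row: %r" % line)
        rid, pri, state, dead, addr, iface, up = parts
        neighbors.append(Neighbor(rid, int(pri), state, dead, addr, iface, up))
    return neighbors


def audit(neighbors, expected_ifaces):
    """List uplinks lacking a FULL neighbor and neighbors stuck short of FULL."""
    problems = []
    full_ifaces = {n.iface for n in neighbors if n.state.startswith("FULL/")}
    for iface in sorted(set(expected_ifaces) - full_ifaces):
        problems.append("%s: no FULL OSPF neighbor" % iface)
    for n in neighbors:
        if not n.state.startswith("FULL/"):
            problems.append("%s: neighbor %s is %s" % (n.iface, n.router_id, n.state))
    if not full_ifaces:   # this is when 'demote carp' gives up mastership
        problems.append("no FULL neighbors: CARP demotion expected")
    return problems


# Constructed sample output in the column layout of `route ospf show nei`.
SAMPLE = """\
ID              Pri State        DeadTime Address         Iface     Uptime
10.0.0.1        1   FULL/DR      00:00:33 10.0.1.1        em1       06w4d01h
10.0.0.2        1   INIT/-       00:00:38 10.0.2.1        em2       -
"""

if __name__ == "__main__":
    for problem in audit(parse_neighbors(SAMPLE), {"em1", "em2"}):
        print(problem)
```

On a live system, feed the output of ospfctl show neighbor into parse_neighbors and run audit from a cron job to catch a lost adjacency before it turns into a CARP failover.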