mirror of https://git.dn42.dev/wiki/wiki.git synced 2025-02-24 18:35:54 +01:00

Add basic filter rules

This commit is contained in:
dn42 wiki 2020-03-01 17:43:02 +00:00
parent c7f2e7cdc9
commit c10f1753f6


@ -12,9 +12,9 @@ The goal is to have a small, yet complete setup for all peers with ROA validatio
As per the manual, configuration is divided into logical sections; [`/etc/examples/bgpd.conf`](http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/etc/examples/bgpd.conf?rev=HEAD&content-type=text/plain&only_with_tag=MAIN) is a complete and commented example which this guide is roughly based on.
By default, **bgpd** listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.
By default, [`bgpd(8)`](http://man.openbsd.org/bgpd.8) listens on all local addresses (on the current default [`routing domain`](http://man.openbsd.org/rdomain.4)), but this guide explicitly listens on the configured transfer ULA only for each peer to better illustrate of this setup.
## local peer
## local host
Information such as ASN, router ID and allocated networks are required:
```
# macros
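Review bot: the rewritten bgpd(8) sentence carries over the grammatical slip from the line it replaces, "to better illustrate of this setup"; since the line is being touched anyway, drop the "of" so it reads "explicitly listens on the configured transfer ULA only for each peer to better illustrate this setup". The heading rename from "local peer" to "local host" is a good change, since the section describes the local router's ASN, router ID and prefixes rather than a peering.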
@ -42,17 +42,47 @@ network prefix-set mynetworks set large-community $ASN:1:1
For each neighbor its ASN and transfer ULA is required.
An optional description is provided such that [`bgpctl`](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
```
$peerA-local="fd00:12:34:A::1"
$peerA-remote="fd00:12:34:A::2"
$peerA-ASN="4242425678"
# peer A, transport over IPSec/GRE
$A-local="fd00:12:34:A::1"
$A-remote="fd00:12:34:A::2"
$A-ASN="4242425678"
listen on $peerA-local
neighbor $peerA-remote {
remote-as $peerA-ASN
descr "peerA"
listen on $A-local
neighbor $A-remote {
remote-as $A-ASN
descr "A"
}
```
## filter rules
**bgpd** blocks all BGP __UPDATE__ messages by default.
The filter rules are evaluated in sequential order, form first to last.
The last matching allow or deny rule decides what action is taken.
Start off with basic protection and sanity rules:
```
# deny more-specifics of our own originated prefixes
deny quick from ebgp prefix-set mynetworks or-longer
# filter out too long paths, establish more peerings instead
deny quick from any max-as-len 8
```
`quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
Next IBGP as well as our own __UPDATES__ are allowed:
```
# IBGP: allow all updates to and from our IBGP neighbors
allow from ibgp
allow to ibgp
# Outbound EBGP: only allow self originated networks to ebgp peers
# Don't leak any routes from upstream or peering sessions. This is done
# by checking for routes that are tagged with the large-community $ASN:1:1
allow to ebgp prefix-set kn large-community $ASN:1:1
```
# ROA
# Looking glass
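Review bot: the outbound rule `allow to ebgp prefix-set kn large-community $ASN:1:1` references a prefix-set named `kn` that is defined nowhere in the file; the only set defined is `mynetworks`, used by the `network` statement and by the first deny rule, and bgpd(8) refuses to load a configuration that names an undefined prefix-set. The comment directly above says the selection is done by checking for the large community, so the prefix-set clause looks like a leftover and the rule should be `allow to ebgp large-community $ASN:1:1` (or, if prefix matching is wanted as well, `prefix-set mynetworks`). Two smaller points in the same hunk: "evaluated in sequential order, form first to last" should read "from first to last", and the section as added contains no `allow from ebgp` rule, so with these rules alone every inbound EBGP update from the neighbours configured above is still denied; either add the inbound rule here or state that it follows in the ROA section.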