Mailing List Archive

Not telling anybody about a connected subnet
I've got an RFC-1918 intranet here with disparate hosts, some of which
still only have RIP v1 (e.g. the occasional very old Solaris or Windows
system kept for testing). A substantial number of hosts run Debian; I've
got Quagga on those, and in general information about temporarily-created
subnets etc. (scenario: somebody creates a subnet for some VMs, or to
configure an attached device) propagates well.

However, I've got problems in the case of one router I'm currently
working on which has both some attached (RFC-1918) nodes providing
firewalling and tunnelling facilities, as well as a DMZ with an
externally-routable network range.

Is there a succinct way of saying to Quagga on that router "Listen, old
chap, it's great that you're reminding us of your RFC-1918 nodes, but
would you be so kind as to keep the existence of the DMZ to yourself
since I don't want anybody trying to access it directly"?

Incidentally, http://www.quagga.net/ appeared to be going to some sort
of "squatter" yesterday evening, I had a momentary panic thinking that
the project had gone covfefe.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[.Opinions above are the author's, not those of his employers or colleagues]
_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
Re: Not telling anybody about a connected subnet
On Apr 25, 2018, at 9:24 AM, markMLl <markMLl.qu@telemetry.co.uk> wrote:
> Is there a succinct way of saying to Quagga on that router "Listen, old chap, it's great that you're reminding us of your RFC-1918 nodes, but would you be so kind as to keep the existence of the DMZ to yourself since I don't want anybody trying to access it directly"?

Certainly, but you need to be a lot more explicit about things. Without way more details, the best I can offer is "look into distribute-list". Which may or may not be right, depending on the missing details.

/a
Re: Not telling anybody about a connected subnet
On 25/04/18 20:39, Alexis Rosen wrote:
> On Apr 25, 2018, at 9:24 AM, markMLl <markMLl.qu@telemetry.co.uk> wrote:
>> Is there a succinct way of saying to Quagga on that router "Listen, old chap, it's great that you're reminding us of your RFC-1918 nodes, but would you be so kind as to keep the existence of the DMZ to yourself since I don't want anybody trying to access it directly"?
>
> Certainly, but you need to be a lot more explicit about things. Without way more details, the best I can offer is "look into distribute-list". Which may or may not be right, depending on the missing details.

I thought that distribute-list was to control traffic through
interfaces... 5.5 at https://www.quagga.net/docs/quagga.html
specifically talks about using it to apply an access list.

The configuration here is really very simple:

$ sudo ip address ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:ce:68:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fece:681a/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:b6:03:1e:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:b6ff:fe03:1e82/64 scope link
       valid_lft forever preferred_lft forever
4: eth1.200@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:50:b6:03:1e:82 brd ff:ff:ff:ff:ff:ff
    inet 172.27.200.5/24 brd 172.27.200.255 scope global eth1.200
       valid_lft forever preferred_lft forever
    inet6 fe80::250:b6ff:fe03:1e82/64 scope link
       valid_lft forever preferred_lft forever
...
10: eth1.250@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:50:b6:03:1e:82 brd ff:ff:ff:ff:ff:ff
    inet x.y.z.t/28 brd x.y.z.T scope global eth1.250
       valid_lft forever preferred_lft forever
    inet6 fe80::250:b6ff:fe03:1e82/64 scope link
       valid_lft forever preferred_lft forever


$ sudo ip route ls
default metric 1
        nexthop via 172.27.200.1 dev eth1.200 weight 170
        nexthop via 172.27.201.1 dev eth1.201 weight 85
x.y.z.t/28 dev eth1.250 proto kernel scope link src x.y.z.w
172.27.0.0/24 via 192.168.1.16 dev eth0 proto zebra metric 2
172.27.200.0/24 dev eth1.200 proto kernel scope link src 172.27.200.5
172.27.201.0/24 dev eth1.201 proto kernel scope link src 172.27.201.5
172.27.202.0/24 dev eth1.202 proto kernel scope link src 172.27.202.5
172.27.203.0/24 dev eth1.203 proto kernel scope link src 172.27.203.5
172.27.204.0/24 dev eth1.204 proto kernel scope link src 172.27.204.5
172.27.205.0/24 dev eth1.205 proto kernel scope link src 172.27.205.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5


$ sudo cat /etc/quagga/ripd.conf
hostname XXXXXX
password YYYYYY

router rip
network eth0
no passive-interface eth0

redistribute connected

neighbor 192.168.1.1
# neighbor 192.168.1.128

log file /var/log/quagga/ripd.log


$ telnet localhost 2602
> show ip rip
Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
Sub-codes:
      (n) - normal, (s) - static, (d) - default, (r) - redistribute,
      (i) - interface

     Network            Next Hop         Metric From         Tag Time
C(r) x.y.z.t/28         0.0.0.0               1 self            0
R(n) 172.27.0.0/24      192.168.1.16          2 192.168.1.16    0 02:55
C(r) 172.27.200.0/24    0.0.0.0               1 self            0
C(r) 172.27.201.0/24    0.0.0.0               1 self            0
C(r) 172.27.202.0/24    0.0.0.0               1 self            0
C(r) 172.27.203.0/24    0.0.0.0               1 self            0
C(r) 172.27.204.0/24    0.0.0.0               1 self            0
C(r) 172.27.205.0/24    0.0.0.0               1 self            0
C(i) 192.168.1.0/24     0.0.0.0               1 self            0


All I want is for that one route which I've edited to x.y.z.t to /not/
be published, since it's an external DMZ and I want everything else on
our intranet to use their usual gateways to route to it.

I'm on-list, no CC necessary.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[.Opinions above are the author's, not those of his employers or colleagues]
Re: Not telling anybody about a connected subnet
Hum,

If I translate your request correctly:

You just want to filter what you are redistributing into RIP (or other
protocol), am I right?

If yes, well, it's just about applying a route-map on your redistribute
config that matches (or not, in your case) some specific prefixes.


This config is applied on my home Quagga router, but I didn't check if
it's properly working in RIP. Seems to work for BGP ;) and in my vendor
setup as well.


ip prefix-list PL_CONNECTED2RIP seq 5 permit 1.2.3.0/28

route-map RM_CONNECTED2RIP deny 10
   match ip address prefix-list PL_CONNECTED2RIP

router rip

   redistribute connected route-map RM_CONNECTED2RIP

Regards,

Nico

On 04/26/2018 11:53 AM, markMLl wrote:
> On 25/04/18 20:39, Alexis Rosen wrote:
>> On Apr 25, 2018, at 9:24 AM, markMLl <markMLl.qu@telemetry.co.uk> wrote:
>>> Is there a succinct way of saying to Quagga on that router "Listen,
>>> old chap, it's great that you're reminding us of your RFC-1918
>>> nodes, but would you be so kind as to keep the existence of the DMZ
>>> to yourself since I don't want anybody trying to access it directly"?
>>
>> Certainly, but you need to be a lot more explicit about things.
>> Without way more details, the best I can offer is "look into
>> distribute-list". Which may or may not be right, depending on the
>> missing details.
>
> I thought that distribute-list was to control traffic through
> interfaces... 5.5 at https://www.quagga.net/docs/quagga.html
> specifically talks about using it to apply an access list.
>


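One thing to check before relying on the route-map above: it has only a deny entry, and in Quagga a route that matches no route-map entry is denied, so without a trailing permit entry nothing connected would be redistributed at all. Added example, not from the thread and not Quagga's own code: a small Python model of prefix-list and route-map evaluation (exact-match prefix-list entries, entries tried in sequence order, implicit deny at the end) run over Mark's connected routes, with 203.0.113.0/28 standing in for the redacted x.y.z.t/28.

```python
# Added example: models how Quagga evaluates a prefix-list and a route-map
# attached to "redistribute connected". Assumed semantics: a prefix-list
# entry without ge/le matches the exact prefix only; route-map entries are
# tried in sequence order; an entry with no match clause matches everything;
# a route that matches no entry is denied (Quagga's implicit deny).
import ipaddress

# Mark's connected routes; 203.0.113.0/28 is a constructed stand-in for the
# redacted DMZ prefix x.y.z.t/28.
CONNECTED = [
    "203.0.113.0/28", "172.27.200.0/24", "172.27.201.0/24", "172.27.202.0/24",
    "172.27.203.0/24", "172.27.204.0/24", "172.27.205.0/24", "192.168.1.0/24",
]

def prefix_list_permits(plist, prefix):
    """plist: list of (seq, action, network). First exact match decides;
    a prefix that matches no entry is denied."""
    target = ipaddress.ip_network(prefix)
    for _seq, action, net in sorted(plist, key=lambda e: e[0]):
        if ipaddress.ip_network(net) == target:
            return action == "permit"
    return False

def route_map_permits(rmap, plists, prefix):
    """rmap: list of (seq, action, prefix_list_name_or_None).
    None means 'no match clause', i.e. the entry matches every route.
    Falling off the end of the route-map denies the route."""
    for _seq, action, pl_name in sorted(rmap, key=lambda e: e[0]):
        if pl_name is None or prefix_list_permits(plists[pl_name], prefix):
            return action == "permit"
    return False

def redistributed(rmap, plists, routes=CONNECTED):
    """Prefixes 'redistribute connected route-map <rmap>' would announce."""
    return [r for r in routes if route_map_permits(rmap, plists, r)]

PLISTS = {"PL_CONNECTED2RIP": [(5, "permit", "203.0.113.0/28")]}

# The route-map as posted: a single deny entry and nothing after it.
RM_DENY_ONLY = [(10, "deny", "PL_CONNECTED2RIP")]
# The same deny entry followed by a permit entry with no match clause.
RM_DENY_THEN_PERMIT = [(10, "deny", "PL_CONNECTED2RIP"), (20, "permit", None)]

if __name__ == "__main__":
    print("deny-only route-map announces:", redistributed(RM_DENY_ONLY, PLISTS))
    print("deny+permit route-map announces:",
          redistributed(RM_DENY_THEN_PERMIT, PLISTS))
```

In ripd.conf terms the second variant is the posted route-map plus a `route-map RM_CONNECTED2RIP permit 20` entry with no match clause.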
Re: Not telling anybody about a connected subnet
On 28/04/18 20:55, nico wrote:
> Hum,
> If I translate your request correctly:
> You just want to filter what you are redistributing into RIP ( or other
> protocol ), am I right ?
> if yes, well it's just about applying a route-map on your redistribute
> config that matches ( or not in your case ) some specific prefixes
>
> This config is applied on my home quagga router , but didn't check if
> it's properly working in RIP. Seems to work for BGP ;) and in my vendor
> setup as well.
>
> ip prefix-list PL_CONNECTED2RIP seq 5 permit 1.2.3.0/28
> route-map RM_CONNECTED2RIP deny 10
>    match ip address prefix-list PL_CONNECTED2RIP
> router rip
>    redistribute connected route-map RM_CONNECTED2RIP

Thanks Nico, I'll experiment with that presently.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[.Opinions above are the author's, not those of his employers or colleagues]