pfSense » pfSense Packages

=================================================================================

Access-list case with no explict "deny any" on end of access-list "CONNECT" - bad

=================================================================================

## firewall B partial config

router ospf

 ospf router-id 192.168.24.1

 log-adjacency-changes detail

 auto-cost reference-bandwidth 40000

 timers throttle spf 200 1000 10000

 redistribute connected metric 20 route-map CONNECT

 passive-interface em1

 area 0.0.0.0 authentication message-digest

!

access-list CONNECT seq 10 permit 10.24.194.0/24

!

route-map CONNECT permit 10

 match ip address CONNECT

!

## OSPF routes showing on adjacent firewall A

somefirewall.somedomain.local# show ip route ospf

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.10.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06       ### Allowed in redistribute ACL. This is fine.

O>* 10.24.224.0/29 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06       ### Connected route on firewall B not in OSPF or being redistributed. Should not appear!

O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:13:23          ### This is fine (firewall A LAN1)

O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:13:23        ### This is fine (firewall A LAN2)

O>* 10.255.195.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### VPN tunnel IPs. Don't want to be seeing it

O>* 10.255.196.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### VPN tunnel IPs. Don't want to be seeing it

O>* 10.255.198.2/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### VPN tunnel IPs. Don't want to be seeing it

O>* 103.XXX.XXX.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06     ### firewall B's WAN2 route (PPP) - should not appear!

O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:13:23    ### This is fine (firewall B LAN)

O   192.168.57.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### firewall B's lab connectivity - should not appear!

O>* 194.XXX.XXX.28/30 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06    ### firewall B's WAN1 route - should not appear!!

================================================================================

Access-list case with explicit "deny any" on end of access-list "CONNECT" - fine

================================================================================

## firewall B partial config

router ospf

 ospf router-id 192.168.24.1

 log-adjacency-changes detail

 auto-cost reference-bandwidth 40000

 timers throttle spf 200 1000 10000

 redistribute connected metric 20 route-map CONNECT

 passive-interface em1

 area 0.0.0.0 authentication message-digest

!

access-list CONNECT seq 10 permit 10.24.194.0/24

access-list CONNECT seq 20 deny any                         ### note the addition of an explicit "deny any". Shouldn't need this. ACL should implicit deny at the end.

!

route-map CONNECT permit 10

 match ip address CONNECT

!

## OSPF routes showing on adjacent firewall A

somefirewall.somedomain.local# show ip route ospf

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:22

O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:22:18

O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:22:18

O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:46

=================================================================================== 

Prefix-list case with no explicit "deny any" on end of prefix-list "CONNECT" - fine

===================================================================================

## firewall B partial config

router ospf

 ospf router-id 192.168.24.1

 log-adjacency-changes detail

 auto-cost reference-bandwidth 40000

 timers throttle spf 200 1000 10000

 redistribute connected metric 20 route-map CONNECT

 passive-interface em1

 area 0.0.0.0 authentication message-digest

!

ip prefix-list CONNECT seq 10 permit 10.24.194.0/24

!

route-map CONNECT permit 10

 match ip address prefix-list CONNECT

!

## OSPF routes showing on adjacent firewall A

somefirewall.somedomain.local# show ip route ospf

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:01:53

O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:43:50

O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:43:50

O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:02:34