From 65832d985ebb99ed6b9bff11f0b72649d3754645 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Fri, 11 Jul 2014 17:10:31 +0000
Subject: my pleasure to move bgpd.conf to examples. ok theo
---
 etc/Makefile | 5 +--
 etc/bgpd.conf | 115 -------------------------------------------------
 etc/changelist | 4 +-
 etc/examples/bgpd.conf | 115 +++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 119 insertions(+), 120 deletions(-)
 delete mode 100644 etc/bgpd.conf
 create mode 100644 etc/examples/bgpd.conf
diff --git a/etc/Makefile b/etc/Makefile
index dcaf0ac176b..89bcb728d27 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.358 2014/07/11 16:59:03 deraadt Exp $
+# $OpenBSD: Makefile,v 1.359 2014/07/11 17:10:30 henning Exp $
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -40,7 +40,7 @@ BIN1= changelist csh.cshrc csh.login csh.logout daily dhcpd.conf \
 etc.${MACHINE}/disktab dhclient.conf mailer.conf ntpd.conf \
 moduli pf.os sensorsd.conf mixerctl.conf
-EXAMPLES=chio.conf dvmrpd.conf hostapd.conf ifstated.conf ldpd.conf \
+EXAMPLES=bgpd.conf chio.conf dvmrpd.conf hostapd.conf ifstated.conf ldpd.conf \
 ospf6d.conf ospfd.conf
 .if ${MACHINE} != "aviion"
@@ -111,7 +111,6 @@ distribution-etc-root-var: distrib-dirs
 ${INSTALL} -c -o root -g crontab -m 600 crontab ${DESTDIR}/var/cron/tabs/root
 ${INSTALL} -c -o root -g wheel -m 600 master.passwd ${DESTDIR}/etc
 pwd_mkdb -p -d ${DESTDIR}/etc /etc/master.passwd
-${INSTALL} -c -o root -g wheel -m 600 bgpd.conf ${DESTDIR}/etc
 ${INSTALL} -c -o root -g wheel -m 600 ripd.conf ${DESTDIR}/etc
 ${INSTALL} -c -o root -g wheel -m 600 pf.conf ${DESTDIR}/etc
 ${INSTALL} -c -o root -g wheel -m 600 relayd.conf ${DESTDIR}/etc
diff --git a/etc/bgpd.conf b/etc/bgpd.conf
deleted file mode 100644
index 3ad21b9b1d8..00000000000
--- a/etc/bgpd.conf
+++ /dev/null
@@ -1,115 +0,0 @@
-# $OpenBSD: bgpd.conf,v 1.16 2014/02/15 00:18:07 pelikan Exp $
-# sample bgpd configuration file
-# see bgpd.conf(5)
-
-#macros
-peer1="10.1.0.2"
-peer2="10.1.0.3"
-
-# global configuration
-AS 65001
-router-id 10.0.0.1
-# holdtime 180
-# holdtime min 3
-# listen on 127.0.0.1
-# listen on ::1
-# fib-update no
-# route-collector no
-# log updates
-# network 10.0.1.0/24
-
-# restricted socket for bgplg(8)
-# socket "/var/www/run/bgpd.rsock" restricted
-
-# neighbors and peers
-group "peering AS65002" {
- remote-as 65002
- neighbor $peer1 {
- descr "AS 65001 peer 1"
- announce self
- tcp md5sig password mekmitasdigoat
- }
- neighbor $peer2 {
- descr "AS 65001 peer 2"
- announce all
- local-address 10.0.0.8
- ipsec esp ike
- }
-}
-
-group "peering AS65042" {
- descr "peering AS 65042"
- local-address 10.0.0.8
- ipsec ah ike
- neighbor 10.2.0.1
- neighbor 10.2.0.2
-}
-
-neighbor 10.0.1.0 {
- remote-as 65003
- descr upstream
- multihop 2
- local-address 10.0.0.8
- passive
- holdtime 180
- holdtime min 3
- announce none
- tcp md5sig key deadbeef
-}
-
-neighbor 10.0.2.0 {
- remote-as 65004
- descr upstream2
- local-address 10.0.0.8
- ipsec ah ike
-}
-
-neighbor 10.0.0.0/24 {
- descr "template for local peers"
-}
-
-neighbor 10.2.1.1 {
- remote-as 65023
- local-address 10.0.0.8
- ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
- aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
- ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
- aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
-}
-
-# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
-# and longer than 48 or shorter than 16 bits for IPv6.
-deny from any
-allow from any inet prefixlen 8 - 24
-allow from any inet6 prefixlen 16 - 48
-
-# accept a default route (since the previous rule blocks this)
-#allow from any prefix 0.0.0.0/0
-#allow from any prefix ::/0
-
-# filter bogus networks according to RFC5735
-deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
-deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
-deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
-deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
-deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
-deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
-deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
-deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
-deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
-deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
-deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
-deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
-deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
-
-# filter bogus IPv6 networks according to IANA
-deny from any prefix ::/8 prefixlen >= 8
-deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
-deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
-deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
-deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
-deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
-deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
-deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
-deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
-deny from any prefix ff00::/8 prefixlen >= 8 # multicast
diff --git a/etc/changelist b/etc/changelist
index 3bf44bc5dd7..b9fc5c90ce7 100644
--- a/etc/changelist
+++ b/etc/changelist
@@ -1,4 +1,4 @@
-# $OpenBSD: changelist,v 1.88 2014/07/11 16:59:03 deraadt Exp $
+# $OpenBSD: changelist,v 1.89 2014/07/11 17:10:30 henning Exp $
 #
 # List of files which the security script backs up and checks
 # for modifications.
@@ -10,7 +10,7 @@
 /etc/Distfile
 /etc/adduser.conf
 /etc/adduser.message
-/etc/bgpd.conf
++/etc/bgpd.conf
 /etc/boot.conf
 /etc/bootparams
 /etc/changelist
diff --git a/etc/examples/bgpd.conf b/etc/examples/bgpd.conf
new file mode 100644
index 00000000000..d5fe6672e64
--- /dev/null
+++ b/etc/examples/bgpd.conf
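Review bot: The entry for /etc/bgpd.conf does not merely survive the move, it changes from `/etc/bgpd.conf` to `+/etc/bgpd.conf`, and nothing in the commit says why. As I read changelist(5), the leading '+' makes security(8) report that the file changed without printing its diff, which is the right treatment for a file that can hold `tcp md5sig password` and `ipsec ... spi` keys and which the old unmarked entry did not give it. Since the Makefile no longer installs /etc/bgpd.conf, the entry now covers an admin-created file; that is fine, but a sentence in the commit message such as `mark /etc/bgpd.conf as sensitive so security(8) reports changes without mailing its contents` would make the intent findable later.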
@@ -0,0 +1,115 @@
+# $OpenBSD: bgpd.conf,v 1.1 2014/07/11 17:10:30 henning Exp $
+# sample bgpd configuration file
+# see bgpd.conf(5)
+
+#macros
+peer1="10.1.0.2"
+peer2="10.1.0.3"
+
+# global configuration
+AS 65001
+router-id 10.0.0.1
+# holdtime 180
+# holdtime min 3
+# listen on 127.0.0.1
+# listen on ::1
+# fib-update no
+# route-collector no
+# log updates
+# network 10.0.1.0/24
+
+# restricted socket for bgplg(8)
+# socket "/var/www/run/bgpd.rsock" restricted
+
+# neighbors and peers
+group "peering AS65002" {
+ remote-as 65002
+ neighbor $peer1 {
+ descr "AS 65001 peer 1"
+ announce self
+ tcp md5sig password mekmitasdigoat
+ }
+ neighbor $peer2 {
+ descr "AS 65001 peer 2"
+ announce all
+ local-address 10.0.0.8
+ ipsec esp ike
+ }
+}
+
+group "peering AS65042" {
+ descr "peering AS 65042"
+ local-address 10.0.0.8
+ ipsec ah ike
+ neighbor 10.2.0.1
+ neighbor 10.2.0.2
+}
+
+neighbor 10.0.1.0 {
+ remote-as 65003
+ descr upstream
+ multihop 2
+ local-address 10.0.0.8
+ passive
+ holdtime 180
+ holdtime min 3
+ announce none
+ tcp md5sig key deadbeef
+}
+
+neighbor 10.0.2.0 {
+ remote-as 65004
+ descr upstream2
+ local-address 10.0.0.8
+ ipsec ah ike
+}
+
+neighbor 10.0.0.0/24 {
+ descr "template for local peers"
+}
+
+neighbor 10.2.1.1 {
+ remote-as 65023
+ local-address 10.0.0.8
+ ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
+ aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
+ ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
+ aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
+}
+
+# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
+# and longer than 48 or shorter than 16 bits for IPv6.
+deny from any
+allow from any inet prefixlen 8 - 24
+allow from any inet6 prefixlen 16 - 48
+
+# accept a default route (since the previous rule blocks this)
+#allow from any prefix 0.0.0.0/0
+#allow from any prefix ::/0
+
+# filter bogus networks according to RFC5735
+deny from any prefix 0.0.0.0/8 prefixlen >= 8 # 'this' network [RFC1122]
+deny from any prefix 10.0.0.0/8 prefixlen >= 8 # private space [RFC1918]
+deny from any prefix 100.64.0.0/10 prefixlen >= 10 # CGN Shared [RFC6598]
+deny from any prefix 127.0.0.0/8 prefixlen >= 8 # localhost [RFC1122]
+deny from any prefix 169.254.0.0/16 prefixlen >= 16 # link local [RFC3927]
+deny from any prefix 172.16.0.0/12 prefixlen >= 12 # private space [RFC1918]
+deny from any prefix 192.0.2.0/24 prefixlen >= 24 # TEST-NET-1 [RFC5737]
+deny from any prefix 192.168.0.0/16 prefixlen >= 16 # private space [RFC1918]
+deny from any prefix 198.18.0.0/15 prefixlen >= 15 # benchmarking [RFC2544]
+deny from any prefix 198.51.100.0/24 prefixlen >= 24 # TEST-NET-2 [RFC5737]
+deny from any prefix 203.0.113.0/24 prefixlen >= 24 # TEST-NET-3 [RFC5737]
+deny from any prefix 224.0.0.0/4 prefixlen >= 4 # multicast
+deny from any prefix 240.0.0.0/4 prefixlen >= 4 # reserved
+
+# filter bogus IPv6 networks according to IANA
+deny from any prefix ::/8 prefixlen >= 8
+deny from any prefix 0100::/64 prefixlen >= 64 # Discard-Only [RFC6666]
+deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
+deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
+deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
+deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
+deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
+deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
+deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
+deny from any prefix ff00::/8 prefixlen >= 8 # multicast
--
cgit v1.2.3
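Review bot: The sample keeps literal shared secrets — `tcp md5sig password mekmitasdigoat`, `tcp md5sig key deadbeef` and the `ipsec esp in`/`ipsec esp out` key strings on the 10.2.1.1 neighbor — and now ships as an example meant to be copied rather than as the root-only mode-600 file the removed Makefile line installed (the EXAMPLES install rule and its mode are outside this diff, so I cannot see how the example itself lands). A comment where the first secret appears, e.g. `# passwords, keys and SPIs in this file are placeholders: generate your own before use`, would keep a verbatim copy from running with well-known keys. It would also be worth a line next to `# see bgpd.conf(5)` noting that a copy placed at /etc/bgpd.conf should be owned by root with mode 600, since the install rule that guaranteed that is gone.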