blob: a55bcd4874bdf515428aef0cf28b1e9d810c17e8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
# $OpenBSD: bgpd.conf,v 1.12 2011/01/19 07:36:40 claudio Exp $
# sample bgpd configuration file
# see bgpd.conf(5)
#macros
peer1="10.1.0.2"
peer2="10.1.0.3"
# global configuration
AS 65001
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# network 10.0.1.0/24
# restricted socket for bgplg(8)
# socket "/var/www/logs/bgpd.rsock" restricted
# neighbors and peers
group "peering AS65002" {
remote-as 65002
neighbor $peer1 {
descr "AS 65001 peer 1"
announce self
tcp md5sig password mekmitasdigoat
}
neighbor $peer2 {
descr "AS 65001 peer 2"
announce all
local-address 10.0.0.8
ipsec esp ike
}
}
group "peering AS65042" {
descr "peering AS 65042"
local-address 10.0.0.8
ipsec ah ike
neighbor 10.2.0.1
neighbor 10.2.0.2
}
neighbor 10.0.1.0 {
remote-as 65003
descr upstream
multihop 2
local-address 10.0.0.8
passive
holdtime 180
holdtime min 3
announce none
tcp md5sig key deadbeef
}
neighbor 10.0.2.0 {
remote-as 65004
descr upstream2
local-address 10.0.0.8
ipsec ah ike
}
neighbor 10.0.0.0/24 {
descr "template for local peers"
}
neighbor 10.2.1.1 {
remote-as 65023
local-address 10.0.0.8
ipsec esp in spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}
# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48
# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0
# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 198.18.0.0/15 prefixlen >= 15
deny from any prefix 198.51.100.0/24 prefixlen >= 24
deny from any prefix 203.0.113.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4
# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8 # multicast
|
