OSPF and UFW
It's been a hot minute since I last posted and I figured this was worth sharing. There's been plenty since the last post, but time has not always been on my side. Today it is!
Short and sweet. I have a VM being used as an OSPF router with two interfaces. I needed to allow traffic to traverse the VM in both directions while maintaining my standard UFW configuration. The commands look something like this:
1. sudo apt install ufw
2. sudo ufw disable
3. sudo ufw default allow forward
4. sudo ufw allow to 224.0.0.0/24
5. sudo ufw allow in on eth0 from <uplink ip>
6. sudo ufw allow in on eth1 from <downlink ip>
7. sudo ufw enable
1. Install UFW
2. Disable the firewall for good measure, especially if you're doing something silly like testing in production :-/ (Bear in mind that while it is disabled nothing is filtered at all, INPUT included, so keep that window short.)
3. Set the default behaviour of forwarded/routed traffic to ALLOW (ufw ships with DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw). This only changes the policy of the FORWARD chain; the kernel still has to have net.ipv4.ip_forward=1 (sysctl -w net.ipv4.ip_forward=1, persisted in /etc/sysctl.conf or by uncommenting the line in /etc/ufw/sysctl.conf), and ufw does not switch that on for you. If forwarding is off, ufw status verbose reports "disabled (routed)" and nothing is forwarded no matter what rules you add.
(You can also use: sudo ufw default allow routed - routed is an alias of forward)
4. Allow the link-local multicast block that OSPF uses. Note that multicast addresses only ever appear as destinations (OSPF hellos go to 224.0.0.5, AllSPFRouters, and 224.0.0.6, AllDRouters), so the rule has to be written with "to", not "from": a source match on 224.0.0.0/24 never fires. Strictly speaking rules 5 and 6 already admit those hellos, because they match any destination from the neighbour's address, so this rule is belt and braces; if you want it tighter, allow only to 224.0.0.5 and 224.0.0.6.
224.0.0.0/24 is not OSPF's alone: other dynamic routing protocols (RIPv2, VRRP, etc.) use groups in the same range, so this rule admits those too.
5. Allow traffic arriving on eth0 from the IP Address of the upstream router (so the two can exchange hellos, database descriptions and LSAs; some of those are unicast, which is why the neighbour's address is needed and not just the multicast rule)
6. Allow traffic arriving on eth1 from the IP Address of the downstream router (same reasoning)
Both of these trust the source address alone and admit every protocol and port from that router, SSH included, not just OSPF. ufw's command line has no protocol keyword for OSPF (IP protocol 89), so narrowing it further means dropping to the iptables-level rules files. Since a source address on the link is trivially spoofed, turn on OSPF authentication in the routing daemon as well rather than relying on the firewall for neighbour identity.
If you just have endpoints such as servers or workstations talking to eth1 (no OSPF neighbour on that side), then you don't need to enter command 6.
7. Enable the firewall.
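As an added example (not from the original post): a small shell helper that prints the rule set for review before touching a production box, then checks ufw status verbose output for the two things that actually have to be true afterwards, namely that the routed policy is allow (ufw reports "disabled (routed)" when the kernel has forwarding switched off) and that the two neighbour rules exist. The interface names, the neighbour addresses 192.0.2.1 and 198.51.100.1, and the embedded status text are constructed assumptions; the multicast rules in the plan are narrowed to OSPF's two group addresses, 224.0.0.5 and 224.0.0.6.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: plan/verify helper for the
# OSPF-router UFW setup above. Interface names, neighbour addresses and the
# sample `ufw status verbose` text are constructed assumptions.

UPLINK_IF="eth0";   UPLINK_IP="192.0.2.1"       # assumed upstream OSPF neighbour
DOWNLINK_IF="eth1"; DOWNLINK_IP="198.51.100.1"  # assumed downstream OSPF neighbour

# Emit the ufw commands without running them, so the change can be reviewed.
# Multicast is matched as a destination: OSPF hellos go to 224.0.0.5
# (AllSPFRouters) and 224.0.0.6 (AllDRouters); a multicast address never
# appears as a source, so "allow from 224.0.0.0/24" would match nothing.
plan_ufw_rules() {
  printf '%s\n' \
    "ufw default allow routed" \
    "ufw allow to 224.0.0.5" \
    "ufw allow to 224.0.0.6" \
    "ufw allow in on $UPLINK_IF from $UPLINK_IP" \
    "ufw allow in on $DOWNLINK_IF from $DOWNLINK_IP"
}

# Parse the routed (FORWARD) policy out of `ufw status verbose` text.
# ufw prints "disabled (routed)" when the kernel has IP forwarding switched
# off, which `ufw default allow routed` does not turn on by itself.
routed_policy() {   # $1 = status text
  case "$1" in
    *"allow (routed)"*)    echo allow ;;
    *"deny (routed)"*)     echo deny ;;
    *"reject (routed)"*)   echo reject ;;
    *"disabled (routed)"*) echo disabled ;;
    *)                     echo unknown ;;
  esac
}

# Does the status text contain an "ALLOW IN" rule on interface $2 from $3?
has_allow_in_rule() {   # $1 = status text, $2 = interface, $3 = source address
  local src
  src=$(printf '%s' "$3" | sed 's/[.]/\\./g')   # escape dots for the regex
  printf '%s\n' "$1" | grep -Eq "^Anywhere on $2[[:space:]]+ALLOW IN[[:space:]]+$src([[:space:]]|\$)"
}

# Overall check: routed policy is allow and both neighbour rules are present.
# Returns 0 when the box should pass OSPF and transit traffic, 1 otherwise.
check_ospf_router() {   # $1 = status text
  local ok=0 pol
  pol=$(routed_policy "$1")
  [ "$pol" = allow ] || { echo "routed policy is $pol, need allow"; ok=1; }
  has_allow_in_rule "$1" "$UPLINK_IF" "$UPLINK_IP" \
    || { echo "missing ALLOW IN on $UPLINK_IF from $UPLINK_IP"; ok=1; }
  has_allow_in_rule "$1" "$DOWNLINK_IF" "$DOWNLINK_IP" \
    || { echo "missing ALLOW IN on $DOWNLINK_IF from $DOWNLINK_IP"; ok=1; }
  return $ok
}

# Constructed sample of `ufw status verbose` after the rules above are applied.
SAMPLE_OK='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
224.0.0.5                  ALLOW IN    Anywhere
224.0.0.6                  ALLOW IN    Anywhere
Anywhere on eth0           ALLOW IN    192.0.2.1
Anywhere on eth1           ALLOW IN    198.51.100.1'

# Constructed sample of a box where net.ipv4.ip_forward is still 0.
SAMPLE_NOFWD='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
Anywhere on eth0           ALLOW IN    192.0.2.1
Anywhere on eth1           ALLOW IN    198.51.100.1'

# Usage: `./ufw-ospf-check.sh plan` prints the commands; on a real router feed
# it the live output instead: check_ospf_router "$(sudo ufw status verbose)"
if [ "${1:-}" = "plan" ]; then plan_ufw_rules; fi
check_ospf_router "$SAMPLE_OK"    && echo "sample 1: OK"
check_ospf_router "$SAMPLE_NOFWD" || echo "sample 2: forwarding not enabled in the kernel"
```

The rule-presence check only looks for the two neighbour entries because those are what carry the OSPF exchange; the multicast rules are optional given them, and the INPUT default is deliberately left alone.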
There are plenty of other solutions out there for modifying configuration files and such, but if you're going to do that, you might as well remove UFW and use IPTables directly.
That's all folks!
Note 1. This does not change the default INPUT policy, which in my case was and still is DENY. The commands above let traffic traverse the VM; they do not open the VM itself to anyone other than the two neighbour addresses in rules 5 and 6. i.e. If I tried to SSH in on port 22 to the IP Address on eth0 from any other host, UFW will drop my request by default, until I specifically set an explicit allow rule.
Note 2. This is not an example of how to set up NAT/Masquerading. This is an example of how to forward traffic between two interfaces where the routes themselves come from OSPF and the FORWARD policy is simply ALLOW, rather than writing per-flow rules with ufw route allow or hand-crafted entries in the iptables FORWARD chain.