
Port requirements for routing protocols to work behind a firewall.

This post lists the ports and IP protocol numbers that must be allowed, and the rules to add, for each routing protocol to work across a Check Point Security Gateway.

I. Enabling RIP



A. RIP version 1



RIP runs over UDP port 520. It sends and receives all messages on this port, and all messages are sent to the local broadcast address. To enable RIP, add a rule that allows each of the firewall's neighbors to send messages to UDP port 520 on the broadcast address of the local network. RIP is a predefined service in the Security Gateway GUI.



Source      | Destination          | Service | Action | Track | Install On
Neighbor 1  | Network 1 Broadcast  | RIP     | Accept |       | Gateways
Neighbor 2  | Network 2 Broadcast  | RIP     | Accept |       | Gateways
Neighbor 3  | Network 3 Broadcast  | RIP     | Accept |       | Gateways

B. RIP version 2


RIPv2 can use either the RIPv1 broadcast transport mechanism or a multicast transport (RIP2-ROUTERS.MCAST.NET, 224.0.0.9). To enable RIPv2 in multicast mode, create a workstation object for the multicast address and add the following rule to your rule base:

Source     | Destination             | Service | Action | Track | Install On
Neighbors  | rip2-routers.mcast.net  | RIP     | Accept |       | Gateways

Note that RIP can also be enabled via the Rulebase Properties screen.

II. Enabling OSPF


The OSPF rule looks like this. The destination is always the OSPF routers themselves, plus the two multicast addresses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (designated routers):

Create a workstation object of 224.0.0.5 and call it OSPF-ALL.MCAST.NET

Create another workstation object of 224.0.0.6 and call it OSPF-DSIG.MCAST.NET

Source                    | Destination               | Service | Action | Track | Install On
OSPF Routers + Firewalls  | OSPF-ALL.MCAST.NET        | OSPF    | Accept |       | Gateways
                          | OSPF-DSIG.MCAST.NET       | IGMP    |        |       |
                          | OSPF Routers + Firewalls  |         |        |       |

III. IGRP


Like OSPF, IGRP runs directly on top of IP rather than over TCP or UDP; IGRP is IP protocol 9. IGRP is a predefined service in the Security Gateway GUI. Define a group of the neighbor routers that participate in IGRP routing, and accept that service from the group to the Security Gateway:

Source     | Destination | Service | Action | Track | Install On
Neighbors  | Firewall    | IGRP    | Accept |       | Gateways

IV. BGP


BGP runs over TCP port 179. One TCP connection is opened for each BGP peer, and each peer must be allowed to send BGP messages over its connection to the Security Gateway. Group the BGP peers together so they can be allowed as a group, in both directions, with the following rules:

Source    | Destination | Service | Action | Track | Install On
Peers     | Firewall    | BGP     | Accept |       | Gateways
Firewall  | Peers       | BGP     | Accept |       | Gateways

V. PIM


To allow sparse-mode or dense-mode PIM traffic: create a workstation object for 224.0.0.13 and call it 'PIM.MCAST.NET'. PIM is not a predefined service in the Check Point Security Gateway, so create a service of type 'Other' in the Policy Editor GUI, call it 'PIM', and set its IP protocol to 103. Leave the other fields blank.

Then create the following rule at the very top of the rulebase:

Source     | Destination    | Service | Action | Track | Install On
Firewalls  | PIM.MCAST.NET  | PIM     | Accept |       | Gateways
           |                | IGMP    |        |       |


Push a new policy to Security Gateway modules once this is done.
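The sections above (RIP, RIPv2, OSPF, IGRP, BGP and PIM) each describe a rule in terms of source group, destination, service and first-match ordering. The following is an added example, not part of the original post and not Check Point's own code: it models those rules as a small first-match rulebase in Python and checks constructed sample packets against it, so you can confirm that only traffic from the defined neighbor or peer groups, on the right protocol and port, is accepted and that everything else falls through to an implicit drop. The addresses, object names and packets are constructed lab values; the protocol numbers for OSPF (89) and IGMP (2) are standard IANA assignments added here alongside the IGRP (9) and PIM (103) numbers the post gives.

```python
"""Added example: a first-match rulebase modelling the routing-protocol rules
described in the post. Addresses and packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IP protocol numbers for the services used by the rules.
PROTO_IGMP, PROTO_TCP, PROTO_IGRP, PROTO_UDP, PROTO_OSPF, PROTO_PIM = 2, 6, 9, 17, 89, 103

# Constructed address objects (hypothetical lab addressing, not from the post).
FIREWALL = frozenset({ip_network("192.0.2.1/32")})
NEIGHBORS = frozenset({ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32")})
BROADCAST = frozenset({ip_network("192.0.2.255/32")})
OSPF_ROUTERS = NEIGHBORS | FIREWALL
BGP_PEERS = frozenset({ip_network("198.51.100.0/24")})


def mcast(addr: str) -> frozenset:
    """Workstation object for a single multicast address (e.g. 224.0.0.9)."""
    return frozenset({ip_network(addr + "/32")})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Service:
    proto: int
    dport: Optional[int] = None  # None: protocol has no port (OSPF, IGRP, PIM, IGMP)

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and (self.dport is None or pkt.dport == self.dport)


SERVICES = {
    "RIP": Service(PROTO_UDP, 520),
    "OSPF": Service(PROTO_OSPF),
    "IGMP": Service(PROTO_IGMP),
    "IGRP": Service(PROTO_IGRP),
    "BGP": Service(PROTO_TCP, 179),
    "PIM": Service(PROTO_PIM),
}


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    services: tuple  # names from SERVICES
    action: str


def _in(addr: str, nets: frozenset) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_in(pkt.src, rule.sources) and _in(pkt.dst, rule.destinations)
            and any(SERVICES[s].matches(pkt) for s in rule.services))


def evaluate(rulebase, pkt: Packet):
    """First matching rule wins; anything unmatched hits the implicit cleanup drop."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "cleanup", "Drop"


def build_rulebase():
    """The post's rules in order: PIM at the very top, then the per-protocol rules."""
    return [
        Rule("PIM", FIREWALL, mcast("224.0.0.13"), ("PIM", "IGMP"), "Accept"),
        Rule("RIPv1", NEIGHBORS, BROADCAST, ("RIP",), "Accept"),
        Rule("RIPv2", NEIGHBORS, mcast("224.0.0.9"), ("RIP",), "Accept"),
        Rule("OSPF", OSPF_ROUTERS,
             OSPF_ROUTERS | mcast("224.0.0.5") | mcast("224.0.0.6"),
             ("OSPF", "IGMP"), "Accept"),
        Rule("IGRP", NEIGHBORS, FIREWALL, ("IGRP",), "Accept"),
        Rule("BGP-in", BGP_PEERS, FIREWALL, ("BGP",), "Accept"),
        Rule("BGP-out", FIREWALL, BGP_PEERS, ("BGP",), "Accept"),
    ]


if __name__ == "__main__":
    rb = build_rulebase()
    for p in (Packet("192.0.2.10", "192.0.2.255", PROTO_UDP, 520),   # RIPv1 from a neighbor
              Packet("203.0.113.5", "192.0.2.255", PROTO_UDP, 520),  # RIPv1 from a stranger
              Packet("198.51.100.7", "192.0.2.1", PROTO_TCP, 179),   # BGP from a peer
              Packet("198.51.100.7", "192.0.2.1", PROTO_TCP, 22)):   # not a routing protocol
        print(p, "->", evaluate(rb, p))
```

The point the model makes explicit is that every rule is scoped by a source group as well as a service: RIP on UDP 520 from an address outside the neighbor group, or any non-routing port from a BGP peer, never reaches an Accept and lands on the cleanup drop. Keeping the neighbor and peer groups tight is what limits who can inject routes through the gateway.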
