OpenBSD – BGP Basic Configuration

Step 1 – Create interface vlan

# vi /etc/hostname.re1
# re1: parent (trunk) interface for the vlan3528/vlan3529 tags below; carries no address itself
descr "ANDIRA_BGP"
up

# vi /etc/hostname.vlan3529
# vlan3529 on re1: IIX uplink to ANDIRA; referenced as $iix_if in pf.conf/queue.conf (Steps 8-9)
vlan 3529 vlandev re1 
descr "ANDIRA_IIX"
# /30 point-to-point: 42.62.176.192/30, so the far end (.193) is the ANDIRA IIX BGP peer
# listed in /etc/bgppeers.table
inet 42.62.176.194/30 
up

# vi /etc/hostname.vlan3528
# vlan3528 on re1: international uplink to ANDIRA; referenced as $int_if in pf.conf/queue.conf (Steps 8-9)
vlan 3528 vlandev re1 
descr "ANDIRA_INTL"
# /30 point-to-point: 42.62.176.188/30, so the far end (.189) is the ANDIRA INTL BGP peer
# listed in /etc/bgppeers.table
inet 42.62.176.190/30 
up

# vi /etc/hostname.re2
# re2: core/LAN side. 103.15.143.1 is $core_ip in pf.conf (Step 8) and one of the bgpd listen addresses (Step 6)
descr "MWP_CORE" 
inet 103.15.143.1/29
up

# vi /etc/hostname.lo0
# lo0: the 103.15.143.249/32 alias is the bgpd router-id and listen address (Step 6)
# and the /32 bgpd originates with localpref 1000
descr "Loopback" 
inet 127.0.0.1/8
# "NONE" = no broadcast address for the /32 alias
inet alias 103.15.143.249 255.255.255.255 NONE
up
# A line starting with "!" is run as a shell command once the interface is up.
# This pins the kernel default route to the loopback alias; bgpd (fib-update yes)
# installs more specific routes over it.
# NOTE(review): destinations without a BGP route are therefore dropped locally — confirm intended
!route add default -interface 103.15.143.249

# vi /etc/hostname.lo1
# lo1: sink interface ("Lubang_Kematian" = "death hole"); pf.conf (Step 8) redirects
# traffic for bogon destinations to it with "rdr-to lo1:0"
descr "Lubang_Kematian" 
inet 127.0.0.2/8
up

Step 2 – sysctl.conf

# vi /etc/sysctl.conf
# Applied by rc(8) at boot through sysctl(8); trailing "# ..." notes follow the stock file's style.
# Routing core: ip.forwarding is required for this box to route at all;
# multipath lets equal-cost routes be used.
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
# NOTE(review): multicast forwarding only matters with a multicast routing daemon; none is enabled in rc.conf.local (Step 4)
net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.ip.multipath=1 # 1=Enable IP multipath routing

# IPv6 forwarding is enabled here, but pf.conf (Step 8) has "block inet6 all", so no IPv6 is actually routed
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing

# NOTE(review): no etherip and no carp interface is configured in Step 1; etherip.allow and the
# carp knobs can stay at their defaults unless they are really used (smaller exposed surface)
net.inet.etherip.allow=1 # 1=Enable the Ethernet-over-IP protocol
net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
net.inet.carp.log=1 # log level of carp(4) info, default 2

# Kernel diagnostics: splassert=2 is a debugging aid (verbose interrupt-level assertion messages);
# consider the default on a production router.
kern.splassert=2 # 2=Enable with verbose error messages
kern.nosuidcoredump=2 # 2=Put suid coredumps in /var/crash

# Memory tuning: percentage of RAM for the buffer cache, and a larger mbuf cluster pool for packet bursts
kern.bufcachepercent=50
kern.maxclusters=128000

Step 3 – resolv.conf

# vi /etc/resolv.conf
# Resolver order: /etc/hosts first, then DNS
lookup file bind
# Public recursive resolvers, reached unencrypted over the uplinks;
# pf.conf (Step 8) passes DNS on all three interfaces
nameserver 8.8.8.8
nameserver 8.8.4.4

Step 4 – rc.conf.local

# vi /etc/rc.conf.local
# Sourced by /etc/rc as shell. Setting a daemon's *_flags variable (even to "")
# starts it with those flags; a commented-out line leaves the rc.conf default.
ntpd_flags= # enabled during install
# bgpd(8) reads /etc/bgpd.conf (Step 6)
bgpd_flags=""
#ldpd_flags=""
#ospfd_flags=""
# snmpd(8) reads /etc/snmpd.conf (Step 5)
snmpd_flags=""
#pkg_scripts="symon"
#symon_flags="-u"

Step 5 – snmpd.conf

# vi /etc/snmpd.conf
# $OpenBSD: snmpd.conf,v 1.3 2012/09/18 09:57:49 reyk Exp $
# Read by snmpd(8), enabled via snmpd_flags in rc.conf.local (Step 4).

listen_addr="127.0.0.1"

# Restrict daemon to listen on localhost only
listen on $listen_addr
# NOTE(review): 10.10.10.1 is not assigned to any interface in Step 1; if it is not
# configured on this host snmpd cannot bind it — confirm it is needed, otherwise drop it
listen on 10.10.10.1

# Specify a number of trap receivers
#trap receiver 10.10.10.13

# Adjust the local system information
system contact "[email protected]"
system description "Grahawave Router"
system location "Garut, Bandung, Indonesia"
system services 74
# SNMPv2c community string, sent in cleartext with every request. pf.conf (Step 8)
# redirects UDP/161 from <graha_public> (103.15.143.0/24) to this daemon, so every
# host in that /24 can read the router's MIB with this word. Use a long random value
# (or enable the SNMPv3 USM block below) and narrow the pf rule to the monitoring hosts.
read-only community monitor

# Provide static user-defined SNMP OIDs
oid 1.3.6.1.4.1.30155.42.3.1 name testStringValue read-only string "Test"
# read-write OID: writing it needs a read-write community/user, none of which is configured here
oid 1.3.6.1.4.1.30155.42.3.4 name testIntValue read-write integer 1

# Enable SNMPv3 USM with authentication, encryption and two defined users
# (the keys below look like the stock example values; replace them before enabling)
#seclevel enc
#user "user1" authkey "password123" enc aes enckey "321drowssap"
#user "user2" authkey "password456" enckey "654drowssap"

Step 6 – bgpd.conf

# vi /etc/bgpd.conf
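#====================================================================
# Title: Router Core
# Location: Grahawave Garut
# Date: 14 Januari 2014
# Filename: /etc/bgpd.conf
# Author: Aditya Maulana
# Company: aaGINK
#====================================================================
# Read by bgpd(8), enabled via bgpd_flags in rc.conf.local (Step 4).
# Filter rules are evaluated in order and the LAST matching rule wins;
# "match" rules only set attributes and never decide allow/deny.

#--- macros
# Neighbour addresses = far end of the /30s configured in Step 1:
#   vlan3528 (ANDIRA_INTL) 42.62.176.190/30 -> peer .189
#   vlan3529 (ANDIRA_IIX)  42.62.176.194/30 -> peer .193
# Fix: these read 43.62.176.189 / 43.63.176.193, which matched neither the
# interfaces nor /etc/bgppeers.table, so no session could come up and the
# pf <bgppeers> rules would never have matched the real peers.
andira_int ="42.62.176.189"
andira_iix ="42.62.176.193"

ASANDIRA ="55690"
ASMWP ="131733"
ASNICE ="7717"
ASIIX ="7597"

# NOTE(review): the local AS uses the same macro as the ANDIRA group's
# remote-as, so bgpd treats those sessions as iBGP. $ASMWP (131733) is
# defined but never used; if this router belongs to that AS the line
# should read "AS $ASMWP" — confirm with the upstream before changing.
AS $ASANDIRA
# router-id and listen addresses: lo0 alias, core interface, localhost (Step 1)
router-id 103.15.143.249
listen on 127.0.0.1
listen on 103.15.143.1
listen on 103.15.143.249

# install BGP routes into the kernel FIB; nexthops may be resolved via BGP routes
fib-update yes
nexthop qualify via bgp
log updates

# Locally originated prefixes. Only the /24 can leave (see the outbound
# filter below); 0.0.0.0/0 and the more specifics stay in the local RIB.
network 103.15.143.249/32 set localpref 1000 # SELF/LOOPBACK
network 0.0.0.0/0
network 103.15.143.0/24 #set localpref 500
network 103.15.143.0/29 #set localpref 500

group "ANDIRA" {
remote-as $ASANDIRA
descr ANDIRA_BGP
announce all
announce capabilities yes
softreconfig in yes
softreconfig out yes
# peers appear to be directly connected on the /30s; multihop 2 is not needed for that
multihop 2
neighbor $andira_int {
descr "ANDIRA_INT"
}
neighbor $andira_iix {
descr "ANDIRA_IIX"
}
}

#--- DEFAULT BLOCK: deny both directions unless a later rule allows it
deny to any
deny from any

#--- INTERNAL: never announce anything longer than a /24
deny to {group "ANDIRA"} inet prefixlen > 24

#--- ACCEPT PREFIXES FROM UPSTREAM (/8 .. /24 only)
allow from {group "ANDIRA"} inet prefixlen 8 - 24

#--- do not accept a default route
deny from any prefix 0.0.0.0/0

#--- filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 2001:2::/48 prefixlen >= 48 # BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28 # ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32 # docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16 # old 6bone
deny from any prefix fc00::/7 prefixlen >= 7 # unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10 # link local unicast
deny from any prefix fec0::/10 prefixlen >= 10 # old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8 # multicast

#--- ANNOUNCE OUR PREFIX TO ANDIRA: exactly the /24, nothing else
allow to {group "ANDIRA"} inet prefix {103.15.143.0/24} prefixlen = 24 set {localpref 1000}

#--- IIX PREFIX FILTER: keep IIX routes from leaking to the international path.
# Routes learned from the IIX peer that transited AS $ASNICE/$ASIIX get route
# label "iix", are exported to pf table <local>, and keep the IIX peer as nexthop.
match from $andira_iix\
transit-as {$ASNICE $ASIIX}\
inet prefixlen 8 - 24\
set {rtlabel iix pftable "local" localpref 650 nexthop $andira_iix}

#--- MULTI ROUTING TABLE: classify routes from ANDIRA for pf
# (route label "iix" and tables <internet>/<local> are consumed by pf.conf, Step 8)
match from {group "ANDIRA"} transit-as {$ASANDIRA} inet prefixlen 8 - 24 set {rtlabel internet pftable "internet" localpref 500}
match from {group "ANDIRA"} transit-as {$ASNICE $ASIIX} inet prefixlen 8 - 24 set {rtlabel iix pftable "local" localpref 650}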

# vi /etc/bgppeers.table
# Loaded into pf table <bgppeers> (pf.conf, Step 8): only these hosts may talk TCP/179
# with this router. Must match the bgpd.conf neighbour addresses (Step 6) and the far
# ends of the /30s on vlan3528 / vlan3529 (Step 1).
42.62.176.189 # ANDIRA INTL
42.62.176.193 # ANDIRA IIX

Step 7 – rfc1918.table

# vi /etc/rfc1918.table
#---- http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
# Loaded into pf table <rfc1918> (pf.conf, Step 8): packets destined to these ranges are
# redirected to the lo1 sink. Despite the file name this is the aggregated IPv4 bogon list:
# RFC 1918 plus this-network, loopback, link-local, CGNAT (100.64/10), benchmarking
# (198.18/15), the documentation ranges, and 224/3 (multicast + class E).
# Bogon lists change over time; refresh from the URL above.
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/3

Step 8 – pf.conf

# vi /etc/pf.conf
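#====================================================================
# Title: Router Core
# Location: Grahawave Garut
# Date: 14 Januari 2014
# Filename: /etc/pf.conf
# Author: Aditya Maulana
# Company: aaGINK
#====================================================================
# pf takes the LAST matching rule unless a rule says "quick", so order
# matters: default blocks first, quick exceptions, then the catch-all
# "pass ... on $X" rules at the end that carry ordinary transit.

# uplinks (vlans on re1, Step 1) and the core/LAN interface
iix_if ="vlan3529" # ANDIRA IIX
int_if ="vlan3528" # ANDIRA INTERNATIONAL
core_if ="re2"
core_ip ="103.15.143.1"
#icmp_types = "{ echoreq, unreach }"
# state options shared by the transit rules: relaxed TCP tracking (asymmetric
# paths), global source tracking, any TCP flags
SloppyState = "keep state (sloppy source-track global) flags any"
# "local" destinations: own prefix, the <local> table fed by bgpd (pftable "local")
# and any route bgpd labelled "iix" (Step 6)
LocalContent = "{<graha_public> <local> route iix}"

# <local>/<internet> are filled by bgpd "set pftable"; <bgppeers>/<rfc1918> load from files (Steps 6-7)
table <local> counters persist
table <internet> counters persist
table <graha_public> counters const {103.15.143.0/24}
table <bruteforce> persist
table <bgppeers> counters persist file "/etc/bgppeers.table"
table <rfc1918> counters persist file "/etc/rfc1918.table"

set skip on {lo pfsync enc0}
set ruleset-optimization basic
set optimization aggressive
set block-policy drop
set limit {states 1000000, src-nodes 800000, table-entries 1500000}
set reassemble yes no-df

#--- Bandwidth Manager: altq/hfsc queues used by "set queue" below (also redefines the *_if macros)
include "/etc/queue.conf"

#-----------------------------------------------------
match in on {$iix_if $int_if} scrub (no-df max-mss 1440)

#--- Flooding... send it to the sink (disabled example of redirecting a flood source to lo1)
#match in log quick on $core_if inet proto udp from 210.23.68.7 to any port 6667 rdr-to lo1:0

#-- RDR SNMP
# NOTE(security): this exposes snmpd (SNMPv2c community, Step 5) and the undocumented
# port 2100 service to every host in 103.15.143.0/24; narrow "from <graha_public>"
# to the monitoring host(s).
pass in quick log on $core_if inet proto udp from <graha_public> to $core_ip port 161 rdr-to 127.0.0.1 port 161
pass in quick log on $core_if inet proto {tcp udp} from <graha_public> to $core_ip port 2100 rdr-to 127.0.0.1 port 2100

#--- MANDATORY (default policy)
# drop packets arriving on an interface with a source belonging to another interface's network
antispoof for {$iix_if $int_if $core_if}
# default deny inbound; not "quick", so the per-interface pass rules at the end override it for transit
block in log all
# no IPv6 at all (sysctl.conf, Step 2, enables v6 forwarding, but nothing passes here)
block inet6 all
block quick inet from <bruteforce>
pass from self

#--- PASS NECESSARY PROTOCOL
# lo is already in "set skip", so this rule is redundant but harmless
pass quick on {lo} all
#pass quick on {$core_if} from <graha_public>
#pass quick on {$core_if} to <graha_public>

#--- DNS Query
# Fix: "int_if" had no "$" and was read as a literal interface name
pass quick log on\
{$core_if $iix_if $int_if}\
inet proto {tcp udp} to any port domain

#--- SSH
# No direction, interface or destination: SSH to ANY host (this router included)
# is passed on every interface from any source; only the overload limits below
# protect it. Consider "in on $core_if ... to self" or a management-source table.
pass inet proto tcp to any port ssh\
keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

#--- WEB
#pass in quick log on $core_if inet proto tcp from any to $core_ip port {http, https}

#--- BGP PEERING
# Only <bgppeers> (/etc/bgppeers.table) may exchange TCP/179 with the interface's
# first address. Queue pair = (bulk, ack/low-delay) and both queues must be
# attached to that interface in queue.conf.
pass in quick on $core_if proto tcp from\
<bgppeers> to ($core_if:0) port bgp set queue (core_hipri core_ack)
pass in quick on $core_if proto tcp from\
<bgppeers> port bgp to ($core_if:0) set queue (core_hipri core_ack)

pass in quick on $iix_if proto tcp from\
<bgppeers> to ($iix_if:0) port bgp set queue (iix_hipri iix_ack)
pass in quick on $iix_if proto tcp from\
<bgppeers> port bgp to ($iix_if:0) set queue (iix_hipri iix_ack)

# Fix: the ack queue was iix_ack, which only exists on $iix_if
pass in quick on $int_if proto tcp from\
<bgppeers> to ($int_if:0) port bgp set queue (int_hipri int_ack)
pass in quick on $int_if proto tcp from\
<bgppeers> port bgp to ($int_if:0) set queue (int_hipri int_ack)

pass out quick on $core_if proto tcp from\
($core_if:0) to any port bgp set queue (core_hipri core_ack)
pass out quick on $core_if proto tcp from\
($core_if:0) port bgp set queue (core_hipri core_ack)

pass out quick on $iix_if proto tcp from\
($iix_if:0) to any port bgp set queue (iix_hipri iix_ack)
pass out quick on $iix_if proto tcp from\
($iix_if:0) port bgp set queue (iix_hipri iix_ack)

pass out quick on $int_if proto tcp from\
($int_if:0) to any port bgp set queue (int_hipri int_ack)
pass out quick on $int_if proto tcp from\
($int_if:0) port bgp set queue (int_hipri int_ack)

#--- REDIRECT TO NIRVANA: anything destined to a bogon range goes to the lo1 sink
pass in quick log on {$core_if $iix_if $int_if} to <rfc1918> rdr-to lo1:0

#--- ICMP
# ICMP and traceroute UDP probes (ports 33434-33625) are tagged so the matching
# replies/out direction can be queued the same way; each interface uses its own *_icmp queue
pass in quick log on $core_if\
inet proto icmp tag ICMP $SloppyState set queue core_icmp
pass in quick log on $core_if\
inet proto udp from any to port 33433 >< 33626 tag ICMP\
$SloppyState set queue core_icmp
pass in quick log on $iix_if\
inet proto icmp tag ICMP $SloppyState set queue iix_icmp
pass in quick log on $iix_if\
inet proto udp from any to port 33433 >< 33626 tag ICMP\
$SloppyState set queue iix_icmp
pass in quick log on $int_if\
inet proto icmp tag ICMP $SloppyState set queue int_icmp
pass in quick log on $int_if\
inet proto udp from any to port 33433 >< 33626 tag ICMP\
$SloppyState set queue int_icmp
pass out quick log on $core_if\
inet tagged ICMP $SloppyState set queue core_icmp
pass out quick log on $core_if\
inet proto icmp from self $SloppyState set queue core_icmp
pass out quick log on $core_if\
inet proto udp from self to port 33433 >< 33626\
$SloppyState set queue core_icmp
pass out quick log on $iix_if\
inet tagged ICMP $SloppyState set queue iix_icmp
pass out quick log on $iix_if\
inet proto icmp from self $SloppyState set queue iix_icmp
pass out quick log on $iix_if\
inet proto udp from self to port 33433 >< 33626\
$SloppyState set queue iix_icmp
pass out quick log on $int_if\
inet tagged ICMP $SloppyState set queue int_icmp
pass out quick log on $int_if\
inet proto icmp from self $SloppyState set queue int_icmp
pass out quick log on $int_if\
inet proto udp from self to port 33433 >< 33626\
$SloppyState set queue int_icmp

#--- GRAHAWAVE CORE - ANDIRA_IIX
# own prefix -> "local" destinations: tag on the way in from the core, queue on the IIX uplink
pass in quick log on {$core_if}\
inet from <graha_public> to $LocalContent tag GWCORE_IIX_OUT $SloppyState set queue (core_gw core_ack)
pass out quick log on {$iix_if}\
tagged GWCORE_IIX_OUT $SloppyState set queue (iix_def iix_ack)

pass in quick log on {$iix_if}\
inet from $LocalContent to <graha_public> tag GWCORE_IIX_IN $SloppyState set queue (iix_def iix_ack)
pass out quick log on {$core_if}\
tagged GWCORE_IIX_IN $SloppyState set queue (core_gw core_ack)

#--- GRAHAWAVE CORE - ANDIRA_INT
# everything else from/to the own prefix uses the international uplink
pass in quick log on {$core_if}\
inet from <graha_public> tag GWCORE_INT_OUT $SloppyState set queue (core_gw core_ack)
pass out quick log on {$int_if}\
tagged GWCORE_INT_OUT $SloppyState set queue (int_def int_ack)

pass in quick log on {$int_if}\
inet to <graha_public> tag GWCORE_INT_IN $SloppyState set queue (int_def int_ack)
pass out quick log on {$core_if}\
tagged GWCORE_INT_IN $SloppyState set queue (core_gw core_ack)

pass out log from self

#--- ON NET
# Catch-all: everything not decided by a "quick" rule above is passed in and out
# on all three interfaces, so "block in log all" only ever wins on other interfaces.
# Every inbound packet is also logged here — expect a busy pflog.
pass in log on $core_if keep state (sloppy source-track global)
pass in log on $iix_if keep state (sloppy source-track global)
pass in log on $int_if keep state (sloppy source-track global)

pass out on $core_if keep state (sloppy source-track global)
pass out on $iix_if keep state (sloppy source-track global)
pass out on $int_if keep state (sloppy source-track global)

#-------------------------------------- END ---------------------------------------------#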

Step 9 – queue.conf

# vi /etc/queue.conf
#====================================================================
# Title: Router Core
# Location: Grahawave Garut
# Date: 14 Januari 2014
# Filename: /etc/queue.conf
# Author: Aditya Maulana
# Company: aaGINK
#====================================================================
# Included from /etc/pf.conf (Step 8) after its own macros, so the three macros
# below redefine the same values; keep both copies in sync (or drop these).
# Queue names are referenced by pf.conf "set queue (bulk ack)" and each queue
# must be attached to the interface the rule is on. The *_attacker queues are
# defined here but no rule in pf.conf assigns traffic to them.
iix_if ="vlan3529" # ANDIRA IIX
int_if ="vlan3528" # ANDIRA INTERNATIONAL
core_if ="re2" # LAN

##### ------ IIX ------- #####
# root 20Mb hfsc; iix_def is the "default" queue for traffic no rule assigns
altq on $iix_if bandwidth 20Mb qlimit 500 hfsc queue {iix_attacker iix_hipri iix_def iix_icmp iix_ack}
queue iix_def bandwidth 19Mb priority 5 qlimit 500 hfsc (realtime 19Mb upperlimit 19Mb default ecn)
queue iix_icmp bandwidth 128Kb priority 7 qlimit 200 hfsc (realtime 128Kb upperlimit 512Kb ecn)
queue iix_ack bandwidth 128Kb priority 6 qlimit 200 hfsc (realtime 128Kb upperlimit 1Mb ecn)
# BGP sessions (pf.conf "set queue (iix_hipri iix_ack)")
queue iix_hipri bandwidth 128Kb priority 7 hfsc (realtime 128Kb upperlimit 256Kb ecn)
queue iix_attacker bandwidth 64Kb priority 7 hfsc (realtime 64Kb upperlimit 128Kb ecn)

##### ------ INT ------- #####
# root 10Mb hfsc; int_def is the default queue
altq on $int_if bandwidth 10Mb qlimit 500 hfsc queue {int_attacker int_hipri int_def int_icmp int_ack}
queue int_def bandwidth 8Mb priority 5 qlimit 500 hfsc (realtime 8Mb upperlimit 9Mb default ecn)
queue int_icmp bandwidth 128Kb priority 7 qlimit 200 hfsc (realtime 128Kb upperlimit 512Kb ecn)
queue int_ack bandwidth 128Kb priority 6 qlimit 200 hfsc (realtime 128Kb upperlimit 1Mb ecn)
# BGP sessions (pf.conf "set queue (int_hipri int_ack)")
queue int_hipri bandwidth 128Kb priority 7 hfsc (realtime 128Kb upperlimit 256Kb ecn)
queue int_attacker bandwidth 64Kb priority 7 hfsc (realtime 64Kb upperlimit 128Kb ecn)

##### ------ CORE ------- #####
# root 99Mb hfsc; core_gw (95Mb) carries the tagged GWCORE_* transit traffic,
# core_def (1Mb) is the default queue for anything left over
altq on $core_if bandwidth 99Mb qlimit 500 hfsc queue {core_attacker core_def core_hipri core_gw core_icmp core_ack}
queue core_def bandwidth 1Mb priority 5 hfsc (realtime 1Mb upperlimit 1Mb default ecn)
queue core_icmp bandwidth 128Kb priority 7 qlimit 200 hfsc (realtime 128Kb upperlimit 1Mb ecn)
queue core_ack bandwidth 128Kb priority 6 qlimit 200 hfsc (realtime 128Kb upperlimit 1Mb ecn)
# BGP sessions (pf.conf "set queue (core_hipri core_ack)")
queue core_hipri bandwidth 128Kb priority 7 hfsc (realtime 128Kb upperlimit 256Kb ecn)
queue core_gw bandwidth 95Mb priority 5 hfsc (realtime 95Mb upperlimit 96Mb ecn)
queue core_attacker bandwidth 64Kb priority 7 hfsc (realtime 64Kb upperlimit 128Kb ecn)

Step – end


