forked from colinbodor/projectton
-
Notifications
You must be signed in to change notification settings - Fork 0
/
OpenBGPD.conf
134 lines (121 loc) · 4.75 KB
/
OpenBGPD.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# Created by Mark Leonard of YYC Net Lab.
# Feel free to contact me with improvements or suggestions via GitHub:
# https://github.com/colinbodor/projectton
# Define your ASN as a macro. If you do not have an ASN you can use a
# private ASN. For a list of private-use ASNs, see:
# https://en.wikipedia.org/wiki/Autonomous_system_(Internet)#ASN_Table
ASN="4200000001"
projectton="162.208.89.180" # rr1.projectton.com
# global configuration
AS $ASN
# Router ID
# It's good practice to set this to one of your public IPv4 addresses.
# This can also be left blank and OpenBGPd will use the highest IPv4 address
# assigned to the device
router-id <your IPv4 address>
# If you are using "nexthop blackhole" then you will need to update the FIB:
fib-update yes
# WARNING: Uncomment this line as a last resort. See "TESTING" below.
#nexthop qualify via default
# blackhole list providers:
group "blackholes" {
announce IPv4 none
announce IPv6 none
multihop 63
neighbor $projectton {
remote-as 4212345678
descr "Project TON"
}
}
## rules section
deny quick to group blackholes
match from group blackholes set { nexthop blackhole }
deny from group blackholes
# 65535:666 = Blackhole
# This will allow any prefixes with the BLACKHOLE community set:
allow from group blackholes community BLACKHOLE
# All country-coded prefixes have TWO communities:
# [65535:3166] = the community tag to identify it as a Country-coded prefix
# [3166:xxxx] = the community tag that identifies a particular country code
#
# For the community [3166:xxxx], xxxx is the ISO-3166 country code. See:
# https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
#
# Since all country-code prefixes have two tags, you can ensure that no other
# country-codes are blocked by adding a "deny" rule that matches on the
# Deny 65535:3166 or you will block EVERYTHING:
deny from group blackholes community 65535:3166
# With the deny rule above the default action will be to pass traffic for all
# country codes. Read on if you would like to add a specific country to be
# null routed.
#
# If you wanted to block all traffic to&from Canadian prefixes, you would
# add the following rule to "allow" the Canadian prefixes to be null-routed:
# allow from group blackholes community 3166:124
# Since the deny & allow rules above are missing their "quick" keyword, it is
# the last matching rule that is applied.
# ###########
# # TESTING #
# ###########
# Confirm whether or not OpenBGPd considers the routes valid.
#
# gw# bgpctl show rib
# flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
# S = Stale, E = Error
# origin validation state: N = not-found, V = valid, ! = invalid
# origin: i = IGP, e = EGP, ? = Incomplete
#
# flags ovs destination gateway lpref med aspath origin
# N 0.0.0.0/8 192.0.2.1 100 0 65618 i
# <output omitted for brevity>
#
# The blank "flags" field indicates that the route is NOT valid (it is missing
# an asterisk '*'). This indicates that OpenBGPd has no path to 192.0.2.1.
#
# If you do see an asterisk on the line with 0.0.0.0/8 then you can confirm
# that it is being blackholed with this:
#
# gw# route -n show -inet | grep -E '(^0/8)|(Destination)'
# Destination Gateway Flags Refs Use Mtu Prio Iface
# 0/8 127.0.0.1 UGB 0 0 32768 48 lo0
#
# The "B" under "Flags" informs us that the traffic to 0.0.0.0/8 is being
# properly blackholed.
#
# If the prefix is invalid, it will not be added to the routing table as a
# blackhole. There are two methods to resolve this.
#
# ##########################
# # Add a "Null" interface #
# ##########################
# The first method is to add a loopback interface with the IP address 192.0.2.1.
# Create the file /etc/hostname.lo99 with the contents:
#
# inet 192.0.2.1 255.255.255.255 NONE description "Null"
# up
#
# That will bring the interface up on reboot. To bring the interface up
# immediately run the following as root:
#
# /bin/sh /etc/netstart lo99
#
# You may also want to add the following line to your /etc/pf.conf:
#
# block drop quick on lo99
#
# That will silently drop all traffic to or from the lo99 interface.
#
#
# ##################################
# # Force validation of all routes #
# ##################################
# You can uncomment this line:
#
# nexthop qualify via default
#
# This is potentially hazardous if you are using BGP for things other than
# realtime blackhole lists. If you are using OpenBGPd for routing real traffic
# and not just blackholes then you should avoid using this line.
# This is a global configuration command and will apply to all peers and all
# learned routes. Although this method is quick, it can cause you pain down
# the road.