BIRD / Stormshield Network environment

In a factory configuration, the BIRD routing module is not enabled. The Stormshield Network firewall's own routing can be made to coexist with BIRD dynamic routing. For example, the internal zone may be managed with a dynamic routing protocol and the external zone with the Firewall's routing features (static routing, gateways, routing by rule (PBR), router objects).

To do so, please refer to the section Interaction with Stormshield Network routing.

In the administration interface, filtering rules are necessary to allow BIRD traffic.

Example of advanced configuration


From version 1.0 of the firmware onwards and on versions supporting IPv6, dynamic routing takes place in two files, depending on the IP version of the networks concerned:

  • /usr/Firewall/ConfigFiles/Bird/bird.conf for IPv4 networks and routes.
  • /usr/Firewall/ConfigFiles/Bird/bird6.conf for IPv6 networks and routes.

Two separate operations are required for starting BIRD.

The BIRD module must first be defined as active in the file /usr/Firewall/ConfigFiles/Bird/global. This is done by setting the “state” variable to “1” in the [bird] section for IPv4 routing, and/or in the [bird6] section for IPv6 routing.


[bird]
state=1

[bird6]
state=1

This operation ensures that dynamic routing stays enabled when the firewall is restarted.

Next, to start BIRD or to reload its configuration after a modification, use the command “enbird”. If the configuration contains syntax errors, the command will indicate them and will not enable the configuration.


V50XXA0D0000073>enbird
V50XXA0D0000073>

birdc/birdc6: remote control

BIRD and BIRD6 have an interactive mode: birdc for BIRD Client, and birdc6 for BIRD6 Client. Launch this mode by calling birdc or birdc6, depending on the IP version of dynamic routing that you wish to control.


V50XXA0D0000073>birdc
BIRD 1.5.01.6.0 ready.
bird>


V50XXA0D0000073>birdc6
BIRD 1.5.01.6.0 ready.
bird>

NOTE
Further on in this document, all examples will be shown for the birdc interactive mode. They can all be transposed for the birdc6 interactive mode.


The BIRD interactive mode does not allow the configuration file to be modified, but it does allow BIRD states to be viewed, a new configuration to be tested with the possibility of rolling back, and a temporary configuration to be created.

“Show” commands

The character “?” allows you to display the list of available options.

bird> show ?
show interfaces                              Show network interfaces
show memory                                  Show memory usage
show ospf ...                                Show information about OSPF protocol
show protocols [<protocol> | "<pattern>"]    Show routing protocols
show roa ...                                 Show ROA table
show route ...                               Show routing table
show static [<name>]                         Show details of static protocol
show status                                  Show router status
show symbols ...                             Show all known symbolic names
bird>


Example: Show all routes.

bird> show route
0.0.0.0/0 via 192.168.97.1 on em0 [static1 21:11] * (200)
100.100.100.100/32 via 192.168.97.101 on em0 [static1 21:11] * (200)
 via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] (100/?) [AS65001?]
1.1.1.0/24 via 192.168.97.1 on em0 [router2 21:08 from 192.168.97.102] * (100/?) [?]
1.1.3.0/24 via 192.168.97.1 on em0 [router2 21:08 from 192.168.97.102] * (100/?) [?]
2.2.2.0/24 via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] * (100/?) [AS65001?]
2.2.4.0/24 via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] * (100/?) [AS65001?]
bird>


Example: Show all routes by protocol instance. In this case, the instance is router2.


bird> show route protocol router2
1.1.1.0/24 via 192.168.97.1 on em0 [router2 14:14 from 192.168.97.102] * (100/?) [?]
1.1.3.0/24 via 192.168.97.1 on em0 [router2 14:14 from 192.168.97.102] * (100/?) [?]
bird>


In birdc, most commands are common to all protocols. For example, the routes announced to a BGP neighbor are viewed with a command that applies the instance's export filter:


bird> show route export router1
172.16.0.0/24 blackhole [static1 13:20] * (200)
bird>
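The route listings above follow a fixed layout (prefix, next hop, interface, protocol instance and time in brackets, a “*” on the selected path, the preference, and for BGP the origin AS), and a continuation line starting with “via” is an alternative path for the prefix on the line before it. The following Python is an added example, not code from the Stormshield documentation or from BIRD: it parses that text into records and flags prefixes offered by more than one protocol instance, such as 100.100.100.100/32 above, which is reached through static1 but also announced by the BGP instance router1. The sample session is constructed from the lines above; the regular expression is written for the BIRD 1.x layout shown here and raises on anything it does not recognise rather than silently dropping a route.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the "show route" sessions above. A line
# that starts with "via" is an alternative path for the prefix on the line
# before it (BIRD marks the selected path with "*").
SAMPLE_SHOW_ROUTE = """\
bird> show route
0.0.0.0/0 via 192.168.97.1 on em0 [static1 21:11] * (200)
100.100.100.100/32 via 192.168.97.101 on em0 [static1 21:11] * (200)
 via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] (100/?) [AS65001?]
1.1.1.0/24 via 192.168.97.1 on em0 [router2 21:08 from 192.168.97.102] * (100/?) [?]
172.16.0.0/24 blackhole [static1 13:20] * (200)
2.2.2.0/24 via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] * (100/?) [AS65001?]
bird>
"""

ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+)?\s*"                                   # absent on a continuation line
    r"(?:via (?P<nexthop>\S+) on (?P<iface>\S+)"
    r"|(?P<special>blackhole|unreachable|prohibit))"
    r"\s*\[(?P<proto>\S+) (?P<time>\S+)(?: from (?P<learned_from>\S+))?\]"
    r"\s*(?P<primary>\*)?\s*\((?P<pref>\d+)(?:/[^)]*)?\)"    # "(200)" or "(100/?)"
    r"(?:\s*\[(?P<bgp>[^\]]*)\])?"                            # "[AS65001?]" or "[?]"
)


@dataclass
class Route:
    prefix: str
    proto: str            # protocol instance name, e.g. static1, router1
    primary: bool         # True when BIRD marked the path with "*"
    preference: int
    nexthop: Optional[str] = None
    iface: Optional[str] = None
    special: Optional[str] = None       # blackhole / unreachable / prohibit
    learned_from: Optional[str] = None  # neighbour the route was learned from
    origin_as: Optional[int] = None     # from the trailing "[AS65001?]" field


def parse_show_route(text: str) -> List[Route]:
    """Parse the text of "show route"; raise on lines that are not understood
    so that an unexpected format does not silently drop routes."""
    routes: List[Route] = []
    current_prefix: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("bird>"):
            continue  # blank lines and the prompt are not routes
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        if m.group("prefix"):
            current_prefix = m.group("prefix")
        if current_prefix is None:
            raise ValueError(f"continuation line without a prefix: {line!r}")
        bgp = m.group("bgp") or ""
        as_match = re.search(r"AS(\d+)", bgp)
        routes.append(Route(
            prefix=current_prefix,
            proto=m.group("proto"),
            primary=m.group("primary") is not None,
            preference=int(m.group("pref")),
            nexthop=m.group("nexthop"),
            iface=m.group("iface"),
            special=m.group("special"),
            learned_from=m.group("learned_from"),
            origin_as=int(as_match.group(1)) if as_match else None,
        ))
    return routes


def selected_routes(routes: List[Route]) -> Dict[str, Route]:
    """The path BIRD actually selected ("*") for each prefix."""
    return {r.prefix: r for r in routes if r.primary}


def competing_prefixes(routes: List[Route]) -> Dict[str, List[str]]:
    """Prefixes offered by more than one protocol instance. A destination the
    firewall reaches statically but that a BGP neighbour also announces is
    worth a look: it may be legitimate redundancy or a misconfigured peer."""
    by_prefix: Dict[str, List[str]] = {}
    for r in routes:
        protos = by_prefix.setdefault(r.prefix, [])
        if r.proto not in protos:
            protos.append(r.proto)
    return {p: protos for p, protos in by_prefix.items() if len(protos) > 1}


if __name__ == "__main__":
    parsed = parse_show_route(SAMPLE_SHOW_ROUTE)
    for r in parsed:
        print(f"{r.prefix:20} {r.proto:8} {'*' if r.primary else ' '} "
              f"{r.nexthop or r.special} origin_as={r.origin_as}")
    print("competing:", competing_prefixes(parsed))
```

On the firewall the same parser can be fed the output of “show route” captured from birdc; comparing competing_prefixes between two captures is a cheap way to notice a neighbor that has started announcing a prefix it did not announce before.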

Debug

Show commands provide a lot of information on instances. They help diagnose problems, whether these are due to a faulty configuration, a network issue or anything else.

bird> show protocols all router1
[……]
BGP state: Active
 Neighbor address: 100.100.100.100
 Neighbor AS: 65001
 Start delay: 2/5
 Last error: Socket: Connection closed
bird>


To receive system messages on the console, enter the command echo all; enter echo off to stop these logs.


bird> echo all
bird> >>> KRT: Error sending route 0.0.0.0/0 to kernel: No such process
>>> KRT: Error sending route 100.100.100.100/32 to kernel: No such process
>>> Next hop address 100.100.100.100 resolvable through recursive route for 100.100.100.100/32
>>> KRT: Error sending route 1.1.1.0/24 to kernel: No such process


Debug events can be viewed globally or, for example, per protocol instance. The debug commands are a useful complement to the commands for viewing states.


bird> debug router2 all
bird> echo all
>>> router2 < added 0.0.0.0/0 via 192.168.97.1 on em0
>>> router2 < replaced 100.100.100.100/32 via 192.168.97.101 on em0
>>> router2 > updated 1.1.1.0/24 via 192.168.97.1 on em0
>>> router2 < rejected by protocol 1.1.1.0/24 via 192.168.97.1 on em0
>>> router2 > updated [best] 1.1.1.0/24 via 192.168.97.1 on em0
>>> router2 < replaced 2.2.2.0/24 via 192.168.97.101 on em0
>>> router2 < replaced 2.2.4.0/24 via 192.168.97.101 on em0

Temporary testing of a new configuration

Suppose we want to test a new configuration, bird_to_be_tested.conf (named bird_a_tester.conf in the commands below). To do so, start BIRD with a bird.conf configuration whose operation has been validated, then launch birdc.

To check the syntax of the file without applying it:


bird> configure check "bird_a_tester.conf"

Next, temporarily apply this configuration for 60 seconds using the command:


bird> configure "bird_a_tester.conf" timeout 60

The new configuration is applied. If the firewall can no longer be contacted, or if the administrator does not confirm the change, the previous configuration is automatically reapplied after 60 seconds.

If the new configuration is considered valid, it can be confirmed using:


bird> configure confirm

If the new configuration is not validated and the firewall can still be contacted, you can roll back immediately using:


bird> configure undo
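The check, timeout, confirm and undo steps above can be scripted so that the rollback decision does not depend on an administrator watching the console. The following Python is an added example, not Stormshield's own tooling or part of BIRD: it assumes that birdc accepts a command as its arguments (as upstream BIRD 1.x birdc does) and that a successful configure check is answered with “Configuration OK”, and it uses the placeholder management address 192.0.2.10 to decide whether the firewall is still reachable after the new configuration is applied. The stub_birdc function returns constructed replies so the script can be run without a firewall.

```python
import socket
import subprocess
from typing import Callable, List

# Hypothetical values for this example; replace with your own management station.
MANAGEMENT_HOST = "192.0.2.10"   # constructed placeholder (documentation range)
MANAGEMENT_PORT = 22


def run_birdc(command: str) -> str:
    """Send one command to the running BIRD through birdc and return its reply.
    Assumption: birdc accepts the command as arguments (as upstream BIRD's
    birdc does). The quotes around the file name must reach BIRD intact,
    which is why the string is split on spaces rather than with shlex."""
    proc = subprocess.run(["birdc", *command.split()],
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def reachable_by_tcp(host: str = MANAGEMENT_HOST, port: int = MANAGEMENT_PORT,
                     timeout: float = 3.0) -> bool:
    """True when a TCP connection to the management station still succeeds,
    i.e. the new routing did not cut the firewall off from its administrator."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def safe_reconfigure(conf: str, timeout: int,
                     run: Callable[[str], str] = run_birdc,
                     still_reachable: Callable[[], bool] = reachable_by_tcp) -> List[str]:
    """Apply the check / timeout / confirm-or-undo sequence from the page.
    Returns the birdc commands issued, in order, so the caller can log them."""
    issued: List[str] = []

    def birdc(cmd: str) -> str:
        issued.append(cmd)
        return run(cmd)

    # 1. Syntax check only: nothing is applied if this fails.
    #    Assumption: BIRD answers a successful check with "Configuration OK".
    reply = birdc(f'configure check "{conf}"')
    if "Configuration OK" not in reply:
        raise RuntimeError(f"syntax check failed, nothing applied:\n{reply}")

    # 2. Apply with a deadline; BIRD restores the previous configuration on its
    #    own when the timeout expires without a "configure confirm".
    birdc(f'configure "{conf}" timeout {timeout}')

    # 3. Keep the configuration only if the management path still works;
    #    otherwise roll back at once instead of waiting for the timeout.
    if still_reachable():
        birdc("configure confirm")
    else:
        birdc("configure undo")
    return issued


def stub_birdc(cmd: str) -> str:
    """Constructed replies so the example runs without a firewall."""
    if cmd.startswith("configure check"):
        return "Reading configuration from bird_a_tester.conf\nConfiguration OK\n"
    return "Reconfigured\n"


if __name__ == "__main__":
    print(safe_reconfigure("bird_a_tester.conf", 60, run=stub_birdc,
                           still_reachable=lambda: True))
```

On the firewall, call safe_reconfigure with the default run=run_birdc; if the TCP check to the management station fails after the new configuration is applied, the script issues configure undo immediately rather than waiting for the 60-second timeout, and a syntax error stops it before anything is applied.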