BIRD / Stormshield Network environment

In a factory configuration, the BIRD routing module is not enabled. Routing of Stormshield Network firewall may be made to coexist with BIRD dynamic routing. For example, the internal zone may be managed with a dynamic routing protocol and the external zone with Firewall’s routing features (static routing, gateways, routing by rule (PBR), router objects).

To do so, please refer to the section Interaction with Stormshield Network routing.

In the administration interface, filtering rules are necessary to allow BIRD traffic :

From version 1.0 of the firmware onwards and on versions supporting IPv6, dynamic routing takes place in two files, depending on the IP version of the networks concerned:

  • /usr/Firewall/ConfigFiles/Bird/bird.conf for IPv4 networks and routes.
  • /usr/Firewall/ConfigFiles/Bird/bird6.conf for IPv6 networks and routes.

Two separate operations are required for starting BIRD.

The BIRD module must first be defined as active in the following file:

/usr/Firewall/ConfigFiles/Bird/global. This can be done by setting the “state” variable to “1” in the section [bird] for IPv4 routing, and/or in the section [bird6] for IPv6 routing.



This operation ensures that dynamic routing stays enabled when the firewall is restarted.

Next, to start BIRD or to reload its configuration after a modification, use the command “enbird”. If the configuration contains syntax errors, the command will indicate them and will not enable the configuration.


birdc/birdc6: remote control

BIRD and BIRD6 have an interactive mode: birdc for BIRD Client, and birdc6 for BIRD6 Client. Launch this mode by calling birdc or birdc6, depending on the IP version of dynamic routing that you wish to control.

BIRD 1.6.8 ready.

BIRD 1.6.8 ready.

Further on in this document, all examples will be shown for the birdc interactive mode. They can all be transposed for the birdc6 interactive mode.

The BIRD interactive mode does not allow modifying the configuration file, but allows viewing BIRD states, testing the proper operation of a new configuration by enabling backtracking, and creating a temporary configuration.

“Show” commands

The character “?” allows you to display the list of available options:

bird> show ?  
show interfaces Show network interfaces
show memory Show memory usage
show ospf ... Show information about OSPF protocol
show protocols [<protocol> | "<pattern>"] Show routing protocols
show roa ... Show ROA table
show route ... Show routing table
show static [<name>] Show details of static protocol
show status Show router status
show symbols ... Show all known symbolic names


Show all routes.

bird> show route via on em0 [static1 21:11] * (200) via on em0 [static1 21:11] * (200)
  via on em0 [router1 20:50 from] (100/?) [AS65001?] via on em0 [router2 21:08 from] * (100/?) [?] via on em0 [router2 21:08 from] * (100/?) [?] via on em0 [router1 20:50 from] * (100/?) [AS65001?] via on em0 [router1 20:50 from] * (100/?) [AS65001?]


Show all routes by protocol instance. In this case, the instance is router2.

bird> show route protocol router2 via on em0 [router2 14:14 from] * (100/?) [?] via on em0 [router2 14:14 from] * (100/?) [?]

In birdc, most of the commands are common to all the protocols. Therefore for example, routes announced to a neighboring BCP will be viewed by a command that calls on the export filter.

bird> show route export router1 blackhole [static1 13:20] * (200)


Show commands provide a lot of information on instances. They allow diagnosing problems, whether they are due to a faulty configuration, a network issue or any other problem.

bird> show protocols all router1
BGP state: Active
  Neighbor address:
  Neighbor AS: 65001
  Start delay: 2/5
  Last error: Socket: Connection closed

To enable the reception of system messages on the console, enter the command echo all then echo off to stop these logs.

bird> echo all
bird> >>> KRT: Error sending route to kernel: No such process
>>> KRT: Error sending route to kernel: No such process
>>> Next hop address resolvable through recursive route for
>>> KRT: Error sending route to kernel: No such process

Debug events are viewed globally or for example by protocol instance. The use of debug commands is a useful tool that effectively completes the commands for viewing states.

bird> debug router2 all
bird> echo all
>>> router2 < added via on em0
>>> router2 < replaced via on em0
>>> router2 > updated via on em0
>>> router2 < rejected by protocol via on em0
>>> router2 > updated [best] via on em0
>>> router2 < replaced via on em0
>>> router2 < replaced via on em0

Temporary testing of a new configuration

We would like to test a new configuration bird_to_be_tested.conf. To do so, launch BIRD using a bird.conf configuration whose operation has been validated, then launch birdc.

To check the syntax of the file without applying it:

bird> configure check "bird_a_tester.conf"

Next, temporarily apply this configuration for 60 seconds using the command:

bird> configure "bird_a_tester.conf" timeout 60

The new configuration will be applied. If the firewall can no longer be contacted or there is no confirmation from the administrator, the previous configuration will be automatically reapplied after 60 seconds.

If the new configuration is considered valid, it can be confirmed using:

bird> configure confirm

If the new configuration has not been validated and the firewall can still be contacted, it is possible to immediately backtrack using:

bird> configure undo