BIRD / Stormshield Network environment
In a factory configuration, the BIRD routing module is not enabled. Routing of Stormshield Network firewall may be made to coexist with BIRD dynamic routing. For example, the internal zone may be managed with a dynamic routing protocol and the external zone with Firewall’s routing features (static routing, gateways, routing by rule (PBR), router objects).
To do so, please refer to the section Interaction with Stormshield Network routing.
From version 1.0 of the firmware onwards and on versions supporting IPv6, dynamic routing takes place in two files, depending on the IP version of the networks concerned:
- /usr/Firewall/ConfigFiles/Bird/bird.conf for IPv4 networks and routes.
- /usr/Firewall/ConfigFiles/Bird/bird6.conf for IPv6 networks and routes.
Two separate operations are required for starting BIRD.
The BIRD module must first be defined as active in the following file:
/usr/Firewall/ConfigFiles/Bird/global. This can be done by setting the “state” variable to “1” in the section [bird] for IPv4 routing, and/or in the section [bird6] for IPv6 routing.
This operation ensures that dynamic routing stays enabled when the firewall is restarted.
Next, to start BIRD or to reload its configuration after a modification, use the command “enbird”. If the configuration contains syntax errors, the command will indicate them and will not enable the configuration.
birdc/birdc6: remote control
BIRD and BIRD6 have an interactive mode: birdc for BIRD Client, and birdc6 for BIRD6 Client. Launch this mode by calling birdc or birdc6, depending on the IP version of dynamic routing that you wish to control.
BIRD 1.6.8 ready.
BIRD 1.6.8 ready.
Further on in this document, all examples will be shown for the birdc interactive mode. They can all be transposed for the birdc6 interactive mode.
The BIRD interactive mode does not allow modifying the configuration file, but allows viewing BIRD states, testing the proper operation of a new configuration by enabling backtracking, and creating a temporary configuration.
The character “?” allows you to display the list of available options:
|bird> show ?|
|show interfaces||Show network interfaces|
|show memory||Show memory usage|
|show ospf ...||Show information about OSPF protocol|
|show protocols [<protocol> | "<pattern>"]||Show routing protocols|
|show roa ...||Show ROA table|
|show route ...||Show routing table|
|show static [<name>]||Show details of static protocol|
|show status||Show router status|
|show symbols ...||Show all known symbolic names|
Show all routes.
|bird> show route|
|0.0.0.0/0||via 192.168.97.1 on em0 [static1 21:11] * (200)|
|100.100.100.100/32 via 192.168.97.101 on em0 [static1 21:11] * (200)
|via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] (100/?) [AS65001?]|
|184.108.40.206/24||via 192.168.97.1 on em0 [router2 21:08 from 192.168.97.102] * (100/?) [?]|
|220.127.116.11/24||via 192.168.97.1 on em0 [router2 21:08 from 192.168.97.102] * (100/?) [?]|
|18.104.22.168/24||via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] * (100/?) [AS65001?]|
|22.214.171.124/24||via 192.168.97.101 on em0 [router1 20:50 from 100.100.100.100] * (100/?) [AS65001?]|
Show all routes by protocol instance. In this case, the instance is router2.
bird> show route protocol router2
126.96.36.199/24 via 192.168.97.1 on em0 [router2 14:14 from 192.168.97.102] * (100/?) [?]
188.8.131.52/24 via 192.168.97.1 on em0 [router2 14:14 from 192.168.97.102] * (100/?) [?]
In birdc, most of the commands are common to all the protocols. Therefore for example, routes announced to a neighboring BCP will be viewed by a command that calls on the export filter.
bird> show route export router1
172.16.0.0/24 blackhole [static1 13:20] * (200)
Show commands provide a lot of information on instances. They allow diagnosing problems, whether they are due to a faulty configuration, a network issue or any other problem.
|bird> show protocols all router1|
|Neighbor address: 100.100.100.100|
|Neighbor AS: 65001|
|Start delay: 2/5|
|Last error: Socket: Connection closed|
To enable the reception of system messages on the console, enter the command echo all then echo off to stop these logs.
bird> echo all
bird> >>> KRT: Error sending route 0.0.0.0/0 to kernel: No such process
>>> KRT: Error sending route 100.100.100.100/32 to kernel: No such process
>>> Next hop address 100.100.100.100 resolvable through recursive route for 100.100.100.100/32
>>> KRT: Error sending route 184.108.40.206/24 to kernel: No such process
Debug events are viewed globally or for example by protocol instance. The use of debug commands is a useful tool that effectively completes the commands for viewing states.
bird> debug router2 all
bird> echo all
>>> router2 < added 0.0.0.0/0 via 192.168.97.1 on em0
>>> router2 < replaced 100.100.100.100/32 via 192.168.97.101 on em0
>>> router2 > updated 220.127.116.11/24 via 192.168.97.1 on em0
>>> router2 < rejected by protocol 18.104.22.168/24 via 192.168.97.1 on em0
>>> router2 > updated [best] 22.214.171.124/24 via 192.168.97.1 on em0
>>> router2 < replaced 126.96.36.199/24 via 192.168.97.101 on em0
>>> router2 < replaced 188.8.131.52/24 via 192.168.97.101 on em0
Temporary testing of a new configuration
We would like to test a new configuration bird_to_be_tested.conf. To do so, launch BIRD using a bird.conf configuration whose operation has been validated, then launch birdc.
To check the syntax of the file without applying it:
bird> configure check "bird_a_tester.conf"
Next, temporarily apply this configuration for 60 seconds using the command:
bird> configure "bird_a_tester.conf" timeout 60
The new configuration will be applied. If the firewall can no longer be contacted or there is no confirmation from the administrator, the previous configuration will be automatically reapplied after 60 seconds.
If the new configuration is considered valid, it can be confirmed using:
bird> configure confirm
If the new configuration has not been validated and the firewall can still be contacted, it is possible to immediately backtrack using:
bird> configure undo