Configuration
The configuration of at least the following lines is required in order to define a basic environment for cooperating with the system.
| protocol | kernel { | |
| persist; | # Don't remove routes on BIRD shutdown | |
| scan time 20; | # Scan kernel routing table every 20 seconds | |
| export all; | # Default is export none | |
| learn; | # Learn all alien routes from the kernel | |
| preference 254; | # Protect kernel routes with a high preference | |
| } | ||
| protocol |
device { |
|
| scan time 10; | # Scan interfaces every 10 seconds | |
| } | ||
We will not go into detail here about each configuration line. If you wish to obtain comprehensive explanations, please refer to the online documentation on BIRD at:
http://bird.network.cz/?get_doc&f=bird.html.
The most important concepts are of the protocol instance and filtering.
A protocol instance may either be BGP, RIP or OSPF and defines an appropriate configuration. Several instances may be defined, even for the same protocol.
Each protocol instance is connected to an internal routing table in BIRD. This connection is monitored by two filters that can accept, reject or modify routes.
The export filter monitors routes sent from the internal routing table to BIRD towards the protocol, and the import filter does the same in the opposite direction.
Ensure that you implement an accurate route filter. The use of full import or export routes (for example, import all) between protocol instances may produce destructive results.
Syntax rules
- Text written after the # is a comment
- Text framed by /* and */ is a comment
- Blocks of several options are placed in curly brackets {}
- Each option ends with a semi-colon ;
- Configuration is case-sensitive.
The following configuration contains two syntax errors.
| 1 | router id 192.168.97.219; | |
| 2 | ||
| 3 | protocol kernel | |
| 4 | { | |
| 5 | persist; | # Don't remove routes on bird shutdown |
| 6 | scan time 20; | # Scan kernel routing table every 20 seconds |
| 7 | export all; | # Default is export none |
| 8 | } | |
| 9 | ||
| 10 | protocol device | |
| 11 | { | |
| 12 | scan time 10; | # Scan interfaces every 10 seconds |
| 13 | ||
| 14 | protocol static | |
| 15 | { | |
| 16 | route 0.0.0.0/0 via 10.200.0.1; | |
| 17 | route 172.16.0.0/24 drop | |
| 18 | } | |
Error message 1
V50XXA0D0000073>enbird
bird: /usr/Firewall/ConfigFiles/Bird/bird.conf, line 14: syntax error
If a closing curly bracket is omitted, the error will mention the first line of the next block, a line that does not correspond to an authorized command of the unclosed block.
The character “}” therefore has to be inserted in line 13.
Error message 2
V50XXA0D0000073> enbird
bird: /usr/Firewall/ConfigFiles/Bird/bird.conf, line 18: syntax error
The character “;”therefore has to be inserted at the end of line 17 in the example.
Interaction with Stormshield Network routing
Thanks to the default configuration on Stormshield Network firewalls, firewall’s routing has priority over dynamic routing (maximum preference of 254).
IMPORTANT
During the reconfiguration of firewall’s routes, they will be temporarily erased and BIRD/BIRD6 can then configure its own routes. Firewall’s routing therefore has to be protected using an export filter on the pseudo-protocol kernel.
This is an example of a filter that will protect the default route and the static route 1.2.3.0/24:
filter protect_Stormshield_routes
{
if (net = 0.0.0.0/0) || (net = 1.2.3.0/24)
then reject;
else accept;
}
protocol kernel
{
(...)
export filter protect_Stormshield_routes;
}Giving dynamic routing priority over Stormshield Network routing
If dynamic routing should have priority over Stormshield Network routing, the routes obtained by dynamic routing (BGP, OSPF or RIP protocol) must have a preference value higher than the routes obtained by the system (pseudo-protocol kernel).
The preference value of kernel must therefore be reduced, for example to 1:
protocol kernel
{
(...)
preference 1;
}
Routing the interfaces of firewall
If the firewall’s interfaces have been configured with different sub-networks, and you wish to send the sub-networks of the interfaces via BIRD, the pseudo-protocol direct will be used.
By default, all interfaces are taken into account. The number of interfaces taken into account can be restricted using the attribute interface.
protocol direct
{
interface "-vlan*", "*"; # Exclude VLANs
}