
Configuring BGP Looking glass based on OpenBSD 6.1

We have long used the OpenBSD + OpenBGPD + bgplg bundle to provide a public BGP looking glass server. It was decided to upgrade OpenBSD to the latest version.

During setup, several nuances came up that the official documentation does not fully cover. The result is this guide to setting up a BGP looking glass service on a freshly installed OpenBSD 6.1.

0. Install OpenBSD

1. Put the SSL key in /etc/ssl/private/server.key and the certificate chain in /etc/ssl/server.crt
2. Configure /etc/httpd.conf

 ext_addr="0.0.0.0"
 ext_addr6="::"
 prefork 2
 domain="lg.example.net"

 server $domain {
     listen on $ext_addr port 80
     listen on $ext_addr6 port 80
     block return 301 "https://$domain$REQUEST_URI"
 }

 server $domain {
     listen on $ext_addr tls port 443
     listen on $ext_addr6 tls port 443
     tls {
         certificate "/etc/ssl/server.crt"
         key "/etc/ssl/private/server.key"
     }
     location "/cgi-bin/*" {
         fastcgi
         root ""
     }
     location "/" {
         block return 302 "/cgi-bin/bgplg"
     }
 }

3. Configure /etc/bgpd.conf

 AS XXX
 fib-update no
 listen on 0.0.0.0
 route-collector yes
 router-id ABCD
 socket "/var/www/run/bgpd.rsock" restricted

 neighbor DEFG {
     remote-as XXX
     descr "r1"
     announce none
 }

 neighbor D:E:F::G {
     remote-as XXX
     descr "r1v6"
     announce none
 }

4. Set permissions and set up the chroot. The last command enables ping and traceroute from the service, but it does so by setting the SUID flag on those executables.

 chmod 0555 /var/www/cgi-bin/bgplg
 chmod 0555 /var/www/bin/bgpctl
 mkdir /var/www/etc
 cp /etc/resolv.conf /var/www/etc
 chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*

5. If you enabled ping and traceroute in the previous step, check /etc/fstab to make sure /var is not mounted with the nosuid flag. Do not forget to remount /var or reboot.

6. Configure pf.conf

 ext_if = "vio0"
 table <admins> { 192.168.0.0/24 2001:67c:aaaa::/64 }
 table <routers> { 192.168.2.0/24 2001:67c:bbbb::/64 }

 set block-policy drop
 set skip on lo

 #block return   # block stateless traffic
 #pass           # establish keep-state

 match in all scrub (no-df random-id max-mss 1440)

 block all
 pass out quick
 pass in on egress proto tcp from <admins> to (egress) port { 22 }
 pass in on egress proto tcp from <routers> to (egress) port { 179 }
 pass in on egress proto tcp from any to (egress) port { 80 443 }
 pass in on egress proto icmp from any to (egress)
 pass in on egress proto icmp6 from any to (egress)

7. Start the daemons

 rcctl enable httpd
 rcctl enable slowcgi
 rcctl enable bgpd
 rcctl start httpd
 rcctl start slowcgi
 rcctl start bgpd
 pfctl -f /etc/pf.conf

8. Voila!
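A pre-flight check for steps 4 and 5, added here as an example and not part of the original post: the SUID ping/traceroute inside the /var/www chroot silently stop working if /var is mounted nosuid, and a web-reachable SUID binary is worth verifying deliberately rather than assuming. The fstab sample is constructed; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original post): verify the chroot/SUID setup
# from steps 4 and 5. The fstab listing below is constructed, not from a real host.

# var_fstab_state: read fstab(5) lines on stdin; print "nosuid", "ok" or "missing" for /var
var_fstab_state() {
    state=missing
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac      # skip blank and comment lines
        [ "$mnt" = /var ] || continue
        state=ok
        case ",$opts," in *,nosuid,*) state=nosuid ;; esac
        break
    done
    echo "$state"
}

# strip_var_nosuid: copy fstab from stdin to stdout, removing nosuid from the /var entry only
strip_var_nosuid() {
    while IFS= read -r line; do
        set -- $line
        if [ "${2:-}" = /var ] && [ "${1#\#}" = "$1" ]; then
            opts=$(printf '%s' ",$4," | sed 's/,nosuid,/,/g; s/^,//; s/,$//')
            [ -n "$opts" ] || opts=rw                 # never emit an empty option field
            printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$opts" "$5" "$6"
        else
            printf '%s\n' "$line"
        fi
    done
}

# chroot_suid_ok DIR: succeed only if every ping*/traceroute* in DIR carries the SUID bit
chroot_suid_ok() {
    bad=0
    for f in "$1"/ping* "$1"/traceroute*; do
        [ -e "$f" ] || continue
        [ -n "$(find "$f" -perm -4000)" ] || { echo "not SUID: $f" >&2; bad=1; }
    done
    return $bad
}

# Constructed sample mirroring a default OpenBSD layout, with nosuid set on /var
SAMPLE_FSTAB='a4b3c2d1e5f6a7b8.b none swap sw
a4b3c2d1e5f6a7b8.a / ffs rw 1 1
a4b3c2d1e5f6a7b8.d /var ffs rw,nodev,nosuid 1 2
a4b3c2d1e5f6a7b8.e /usr ffs rw,nodev 1 2'

# On a live box: var_fstab_state < /etc/fstab; chroot_suid_ok /var/www/bin
```

If the state is "nosuid", fix the /var line (strip_var_nosuid shows the edit), then remount /var or reboot as step 5 says.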

Source: https://habr.com/ru/post/332694/
