Clients
Overview
bgpd.conf configuration
pf.conf configuration
spamd.conf configuration
Spamd-source Server
Coming soon
Route Server
Overview
bgpd.conf configuration
pf.conf configuration
Announce mailing list
Papers
Hosting is generously provided by Sonic.net
|
|
Route Server
Here we describe an example configuration for the Route Server. In it,
we connect to two Spamd Source systems, and we also provide access
for Client systems. Connections to the Spamd Sources are protected.
For the Spamd Source peer ``upA'', TCP MD5 signatures are used.
For connections to Spamd Source peer ``downB'', we will use IPsec with
dynamic keying. The OpenBGPd daemon will set up the flows, and
uses isakmpd(8) to manage the session keys.
The following bgpd.conf file is a sanitized version of the production
configuration used by the reference server. IP addresses, and the
spamd-sources group are anonymized, but the rest is accurate.
/etc/bgpd.conf
myAS="65066"
AS $myAS
router-id 203.0.113.113
fib-update no
nexthop qualify via default
socket "/var/www/logs/bgpd.rsock" restricted
group spamd-sources {
multihop 64
announce none
# Neighbor upA - John Q Public - john.public@example.com
neighbor 198.51.100.198 {
descr "upA"
remote-as 65198
tcp md5sig key deadbeef
}
# Neighbor downB - Mike Bolton - mike@bolt.example.net
neighbor 198.18.0.191 {
descr "downB"
remote-as 65191
ipsec ah ike
}
}
group RS {
announce all
set nexthop no-modify
enforce neighbor-as no
multihop 64
ttl-security no
holdtime min 60
softreconfig in no
neighbor 0.0.0.0/0 { passive }
}
deny from any
allow from group spamd-sources
allow to any
# Ensure that an IP to be blacklisted is only a host entry
deny from group spamd-sources inet prefixlen < 32
deny from group spamd-sources inet6 prefixlen < 128
# Set my own community, so clients have an easy way to filter
match from group spamd-sources community neighbor-as:666 set community $myAS:666
match from group spamd-sources community neighbor-as:42 set community $myAS:42
|