Hosting is generously provided by Sonic.net

 

Route Server


Here we describe an example configuration for the Route Server. It connects to two Spamd Source systems and also provides access for Client systems. Connections to the Spamd Sources are protected: the session with Spamd Source peer "upA" uses TCP MD5 signatures, and the session with Spamd Source peer "downB" uses IPsec with dynamic keying. The OpenBGPd daemon sets up the flows and uses isakmpd(8) to manage the session keys.

The following bgpd.conf file is a sanitized version of the production configuration used by the reference server. The IP addresses and the spamd-sources group are anonymized, but the rest is accurate.

/etc/bgpd.conf
myAS="65066"

AS $myAS
router-id 203.0.113.113
fib-update no
nexthop qualify via default

socket "/var/www/logs/bgpd.rsock" restricted

group spamd-sources {
        multihop 64
        announce none

        # Neighbor upA - John Q Public - john.public@example.com
        neighbor 198.51.100.198 {
                descr "upA"
                remote-as 65198
                tcp md5sig key deadbeef
        }
        # Neighbor downB - Mike Bolton - mike@bolt.example.net
        neighbor 198.18.0.191 { 
                descr "downB"
                remote-as 65191
                ipsec ah ike
        }
}

group RS { 
        announce all
        set nexthop no-modify
        enforce neighbor-as no
        multihop 64
        ttl-security no

        holdtime min 60
        softreconfig in no 

        neighbor 0.0.0.0/0 {  passive  }
}

deny from any
allow from group spamd-sources
allow to any

# Ensure that an IP to be blacklisted is only a host entry
deny from group spamd-sources inet  prefixlen < 32
deny from group spamd-sources inet6 prefixlen < 128
         
# Set my own community, so clients have an easy way to filter 
match from group spamd-sources community neighbor-as:666 set community $myAS:666
match from group spamd-sources community neighbor-as:42  set community $myAS:42
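
The inbound filter rules above, modelled in Python as an added example (not part of the site's configuration or of OpenBGPD). It assumes bgpd's rule evaluation where the last matching allow or deny rule decides, and that `set community` adds to the communities already present; the sample announcements and the client address 203.0.113.50 are constructed.

```python
import ipaddress

MY_AS = 65066
# Spamd Source peers and their remote-as, taken from the bgpd.conf above.
SOURCES = {"198.51.100.198": 65198, "198.18.0.191": 65191}

def is_short(ann, version, host_len):
    """True for a Spamd Source announcement that is wider than a single host."""
    net = ann["net"]
    return ann["source"] and net.version == version and net.prefixlen < host_len

# Inbound rules in file order; "allow to any" only affects outbound updates.
RULES = [
    ("deny",  lambda a: True),                 # deny from any
    ("allow", lambda a: a["source"]),          # allow from group spamd-sources
    ("deny",  lambda a: is_short(a, 4, 32)),   # ... inet  prefixlen < 32
    ("deny",  lambda a: is_short(a, 6, 128)),  # ... inet6 prefixlen < 128
]

def filter_inbound(peer_ip, prefix, communities):
    """Return (accepted, communities) for one announcement from peer_ip."""
    ann = {"net": ipaddress.ip_network(prefix), "source": peer_ip in SOURCES}
    action = "deny"
    for verdict, matches in RULES:     # no "quick" keyword: the last match decides
        if matches(ann):
            action = verdict
    comms = set(communities)
    if ann["source"]:
        peer_as = SOURCES[peer_ip]     # what neighbor-as expands to for this peer
        for tag in (666, 42):          # the two "match ... set community" rules
            if (peer_as, tag) in comms:
                comms.add((MY_AS, tag))
    return action == "allow", comms

if __name__ == "__main__":
    # Constructed sample announcements: (peer, prefix, communities).
    samples = [
        ("198.51.100.198", "192.0.2.25/32", {(65198, 666)}),
        ("198.51.100.198", "192.0.2.0/24", {(65198, 666)}),
        ("198.18.0.191", "2001:db8::25/128", {(65191, 42)}),
        ("203.0.113.50", "192.0.2.99/32", {(65066, 666)}),  # an RS client
    ]
    for peer, prefix, comms in samples:
        ok, out = filter_inbound(peer, prefix, comms)
        print(f"{peer:15} {prefix:18} {'allow' if ok else 'deny':5} {sorted(out)}")
```

The last sample shows why `deny from any` comes first: a peer in the RS group cannot inject an entry, even one already carrying the route server's own community.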
© 2013-2017 Peter Hessler