From c5da7cc2732dc3dfb8436f35d7139d3c77eb0aab Mon Sep 17 00:00:00 2001
From: claudio <>
Date: Wed, 13 Jun 2018 09:44:57 +0000
Subject: [PATCH] Adjust example after the announce (all|self|...) change.

Adjust filters and comment them to explain the basic operation. Use large-community and a prefix-set to ensure no bad prefixes are leaked to eBGP speakers.

With and OK job@
---
 src/etc/examples/bgpd.conf | 41 ++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 13 deletions(-)

diff --git a/src/etc/examples/bgpd.conf b/src/etc/examples/bgpd.conf
index 57cba187..a5fa7234 100644
--- a/src/etc/examples/bgpd.conf
+++ b/src/etc/examples/bgpd.conf
@@ -1,13 +1,14 @@
-# $OpenBSD: bgpd.conf,v 1.8 2017/09/29 11:00:39 phessler Exp $
+# $OpenBSD: bgpd.conf,v 1.9 2018/06/13 09:44:57 claudio Exp $
 # sample bgpd configuration file
 # see bgpd.conf(5)
 
 #macros
+ASN="65001"
 peer1="10.1.0.2"
 peer2="10.1.0.3"
 
 # global configuration
-AS 65001
+AS $ASN
 router-id 10.0.0.1
 # holdtime 180
 # holdtime min 3
@@ -16,7 +17,13 @@ router-id 10.0.0.1
 # fib-update no
 # route-collector no
 # log updates
-# network 10.0.1.0/24
+
+# prefix set of networks that may be announced
+prefix-set mynetworks { 192.0.2.0/24 }
+
+# Announce networks, tag them with a large community to ease filtering
+# network 192.0.2.0/24 set large-community $ASN:1:1
+# network static set large-community $ASN:1:2
 
 # restricted socket for bgplg(8)
 # socket "/var/www/run/bgpd.rsock" restricted
@@ -26,12 +33,10 @@ group "peering AS65002" {
 remote-as 65002
 neighbor $peer1 {
 descr "AS 65001 peer 1"
-announce self
 tcp md5sig password mekmitasdigoat
 }
 neighbor $peer2 {
 descr "AS 65001 peer 2"
-announce all
 local-address 10.0.0.8
 ipsec esp ike
 }
@@ -54,7 +59,7 @@ neighbor 10.0.1.0 {
 passive
 holdtime 180
 holdtime min 3
-announce none
+export none
 tcp md5sig key deadbeef
 }
 
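Review bot: The commented `network static set large-community $ASN:1:2` line in the second hunk tags static routes with a value that the export rule added in the last hunk never matches (that rule allows only `large-community $ASN:1:1`, and only for prefixes in `mynetworks`), so static routes stay internal even if listed in the prefix-set. If that is the intent, the comment above the two network lines should say so, e.g. `# $ASN:1:1 marks routes exported to eBGP, $ASN:1:2 marks routes kept inside the AS`. It would also help to state next to `prefix-set mynetworks` that every prefix ever announced externally must be listed there, since the outbound rule requires both conditions.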
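Review bot: Removing `announce self` from `$peer1` and `announce all` from `$peer2` in the third hunk leaves no per-neighbor hint in group "peering AS65002" that export is now decided solely by the filter rules at the end of the file, and that both peers now get the same policy where `$peer2` previously received everything. A one-line comment in the group such as `# export policy for this group comes from the filter rules below` would keep the example readable for someone starting from an older configuration. The group body continues outside the hunk.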
@@ -79,14 +84,12 @@ neighbor 10.2.1.1 {
 aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
 }
 
-# do not send or use routes from EBGP neighbors without
-# further explicit configuration
-deny from ebgp
-deny to ebgp
+##
+## inbound rules: default is deny
+##
 
-# allow updates to and from IBGP neighbors
+# IBGP: allow all updates from our neighbors
 allow from ibgp
-allow to ibgp
 
 # filter out prefixes longer than 24 or shorter than 8 bits for IPv4
 # and longer than 48 or shorter than 16 bits for IPv6.
@@ -140,7 +143,19 @@ deny from any AS 23456 # AS_TRANS
 deny from any AS 64496 - 64511 # Reserved for use in docs and code RFC5398
 deny from any AS 64512 - 65534 # Reserved for Private Use RFC6996
 deny from any AS 65535 # Reserved RFC7300
-deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
+deny from any AS 65536 - 65551 # Reserved for use in docs and code RFC5398
 deny from any AS 65552 - 131071 # Reserved
 deny from any AS 4200000000 - 4294967294 # Reserved for Private Use RFC6996
 deny from any AS 4294967295 # Reserved RFC7300
+
+##
+## outbound rules: default is deny
+##
+
+# IBGP: allow all updates to our neighbors
+allow to ibgp
+
+# EBGP: only allow self originated networks to ebgp peers
+# Don't leak any routes from upstream or peering sessions. This is done
+# by checking for routes that are tagged with the large-community $ASN:1:1
+allow to ebgp prefix-set mynetworks large-community $ASN:1:1
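Review bot: The new `## inbound rules: default is deny` banner documents an implicit default while the same hunk removes the explicit `deny from ebgp` / `deny to ebgp` that used to make the policy visible in the file itself. An explicit first rule, `deny from any` here and `deny to any` at the head of the outbound section in the last hunk, keeps the example's intent self-contained and independent of whatever default the running bgpd applies; the later `allow` rules still win as the last match. Since `allow from ibgp` now accepts routes carrying any large-community, including `$ASN:1:1` which the export rule later relies on, a short note that iBGP routes are trusted as tagged would make that assumption explicit.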
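Review bot: The three-line comment above `allow to ebgp prefix-set mynetworks large-community $ASN:1:1` says leaks are prevented "by checking for routes that are tagged", but the prefix-set is the condition that actually bounds what can leave: any route accepted from an iBGP neighbor may carry `$ASN:1:1`, whereas only prefixes listed in `mynetworks` can pass. If prefix-set entries match exactly unless given a prefixlen qualifier, as plain `prefix` rules do, a more-specific of 192.0.2.0/24 announced later via `network` would be silently dropped on export, which is safe but worth stating. Suggested wording for the last comment line: `# by requiring both the prefix to be in mynetworks and the tag $ASN:1:1; add more-specifics to the prefix-set explicitly`.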