| Field | Value | Date |
|---|---|---|
| author | Jason McIntyre <jmc@cvs.openbsd.org> | 2005-04-21 10:50:51 +0000 |
| committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2005-04-21 10:50:51 +0000 |
| commit | 097defb31fca8d93b7d0f0016f418139ba1ee146 (patch) | |
| tree | 0d5b6058d493a896da1950d2bef87dc83cf81499 | |
| parent | 0ae5e694c39252db29b1405efec9c8e0e71d994b (diff) | |
- remove section on pf "quick" rules: this is not the place to describe
additional rulesets
- reshuffle the filtering section somewhat to read better
- consistency tweak
ok hshoexer@
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | share/man/man8/vpn.8 | 25 |

1 file changed, 11 insertions, 14 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8 index 5593ad37b18..95924231d5f 100644 --- a/share/man/man8/vpn.8 +++ b/share/man/man8/vpn.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vpn.8,v 1.99 2005/04/21 10:13:59 jmc Exp $ +.\" $OpenBSD: vpn.8,v 1.100 2005/04/21 10:50:50 jmc Exp $ .\" .\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. @@ -416,14 +416,18 @@ it must be installed without any permissions for "group" or "other". .Xr pf 4 needs to be configured such that all packets from the outside are blocked by default. -Only successfully IPsec-processed packets (from the +Only successfully IPsec-processed packets (those on the .Xr enc 4 -interface), or key management packets (for -.Xr isakmpd 8 , -.Tn UDP -packets with source and destination ports of 500) should be allowed to pass. +interface) or key management packets +(for automated keying, +UDP packets with source and destination ports of 500) +should be allowed to pass. +.Pp Additional filter rules may be present for other traffic, though care should be taken that other rules do not leak IPsec traffic. +NAT rules can also be used on the +.Xr enc 4 +interface. .Pp .Sy Note : The examples in this page describe a test setup on an internal LAN, @@ -501,13 +505,6 @@ pass in on $ext_if proto udp from $GATEWAY_A port = 500 \e pass out on $ext_if proto udp from $GATEWAY_B port = 500 \e to $GATEWAY_A port = 500 .Ed -.Pp -If there are no other -.Xr pf.conf 5 -rules, the "quick" clause can be added to the last four rules. -NAT rules can also be used on the -.Xr enc 4 -interface. .Ss Enabling the Packet Filter Enable the packet filter and load the ruleset: .Bd -literal -offset indent 
@@ -614,7 +611,7 @@ and no traffic should be seen whilst the ping is running. One exception to this is if the automated keying setup has been followed, in which case .Xr isakmpd 8 -messages on UDP port 500 may be seen. +key management packets on UDP port 500 may be seen. This is perfectly normal. If any traffic is being leaked i.e. the last ping detailed above is showing traffic, |
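Review bot: In the hunk at @@ -416, the rewritten sentence drops the `.Xr isakmpd 8` cross-reference that the old text carried, so the filtering section no longer names the daemon that sends the UDP port 500 packets, while the @@ -614 hunk still points at `.Xr isakmpd 8`; consider keeping the cross-reference here as well (for example `(for automated keying with` / `.Xr isakmpd 8 ,` / `UDP packets ...`). Separately, the prose says key management packets "should be allowed to pass" with no qualification, whereas the example rules in the @@ -501 hunk restrict them to `from $GATEWAY_A port = 500` and `to $GATEWAY_A port = 500`; adding "from the peer gateway" to the prose would match the examples and the "blocked by default" requirement stated just above.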
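Review bot: The @@ -501 hunk removes the "quick" paragraph together with the NAT sentence; the NAT sentence is re-added in the @@ -416 hunk, so nothing is lost and the deletion matches the commit message. One thing to check: with the "quick" advice gone, the only remaining hint that other `pf.conf` rules can affect these four pass rules is the sentence "care should be taken that other rules do not leak IPsec traffic" in the @@ -416 hunk; consider whether that sentence should say explicitly that rules placed after these in the ruleset can change their effect, since the removed text ("If there are no other pf.conf rules, the 'quick' clause can be added") was addressing exactly that interaction.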