path: root/sbin/ipsecctl/ipsec.conf.5
author Jason McIntyre <jmc@cvs.openbsd.org> 2006-10-19 08:41:19 +0000
committer Jason McIntyre <jmc@cvs.openbsd.org> 2006-10-19 08:41:19 +0000
commit 9b9881aca8ee8869e15aa75129646d07753fc3cc (patch)
tree 05b987d8fc5ae426639799244997291699657b3b /sbin/ipsecctl/ipsec.conf.5
parent c06c9c099c3fbdd2440805365c3d6f742577313d (diff)
note that all rules using enc0 should specify: keep state (if-bound)
Diffstat (limited to 'sbin/ipsecctl/ipsec.conf.5')
-rw-r--r-- sbin/ipsecctl/ipsec.conf.5 33
1 files changed, 22 insertions, 11 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 59f4731abaa..f7b81c72d4e 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.101 2006/09/29 10:56:33 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.102 2006/10/19 08:41:18 jmc Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -408,21 +408,32 @@ pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
pass in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
-pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1
-pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2
-pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24
-pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24
+
+pass in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
+ keep state (if-bound)
+pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e
+ keep state (if-bound)
+pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e
+ keep state (if-bound)
+pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
+ keep state (if-bound)
.Ed
.Pp
-Connections on enc0 for which state is being kept
-should be interface bound,
+.Xr pf 4
+is a stateful packet filter,
+which means it can track the state of a connection.
+It does this
+.Em automatically .
+States are normally
+.Em floating ,
+which means they can match packets on any interface.
+However this is a potential problem for filtering IPsec traffic:
+states need to be interface bound,
to avoid permitting unencrypted traffic should
.Xr isakmpd 8
exit.
-For example:
-.Bd -literal -offset 3n
-pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 keep state (if-bound)
-.Ed
+Therefore all rules on the enc0 interface should explicitly set
+.Dq keep state (if-bound) .
.Sh CRYPTO TRANSFORMS
It is very important that keys are not guessable.
One practical way of generating keys is to use
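Review bot: the new sentence "However this is a potential problem for filtering IPsec traffic: states need to be interface bound, to avoid permitting unencrypted traffic should isakmpd(8) exit." wants a comma after "However", and the comma before "to avoid" separates the requirement from its reason; suggest "However, this is a potential problem for filtering IPsec traffic: states need to be interface bound to avoid permitting unencrypted traffic should isakmpd(8) exit." The reasoning chain in the paragraph is otherwise sound and worth keeping as written: states are floating by default and "can match packets on any interface", so a state created by a rule on enc0 would keep matching the same flow if it later arrived in the clear on another interface after isakmpd(8) exits, and "keep state (if-bound)" ties the state to enc0 so it cannot. The example block agrees with the prose: all four enc0 rules now carry "keep state (if-bound)", and the "\e" line continuations match the existing rule shown in the hunk header, so the literal block will render the same way as the sk0 rules above it.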