summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
authorJason McIntyre <jmc@cvs.openbsd.org>2006-12-12 21:20:03 +0000
committerJason McIntyre <jmc@cvs.openbsd.org>2006-12-12 21:20:03 +0000
commitcd866cbd96c21d51b3fa4c3d76d66a7e899f7b80 (patch)
treee661dff113c8a4ce853597775ddfbe3b36f4a2d9 /sbin
parent33ba4fbb9ecc53c0a136cbb81a52fe2515d12fbc (diff)
a rewrite of enc.4, hopefully a little more useful than what we previously
had; more can go in here, so feel free... many thanks to ho for feedback, and angelos and cedric who i harangued endlessly to explain nat/ipsec to me; the ipsec.conf.5 change just moves some stuff more appropriate to enc.4; ok hshoexer
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipsecctl/ipsec.conf.522
1 files changed, 5 insertions, 17 deletions
diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 2821997eca5..73ce74b8437 100644
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ipsec.conf.5,v 1.108 2006/12/06 09:54:15 jmc Exp $
+.\" $OpenBSD: ipsec.conf.5,v 1.109 2006/12/12 21:20:02 jmc Exp $
.\"
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
.\"
@@ -428,6 +428,10 @@ on the external interface.
.It enc0
Interface for outgoing traffic before it's been encapsulated,
and incoming traffic after it's been decapsulated.
+State on this interface should be interface bound;
+see
+.Xr enc 4
+for further information.
.It proto ipencap
[tunnel mode only]
IP-in-IP traffic flowing between gateways
@@ -472,22 +476,6 @@ pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
.Ed
.Pp
.Xr pf 4
-is a stateful packet filter,
-which means it can track the state of a connection.
-It does this
-.Em automatically .
-States are normally
-.Em floating ,
-which means they can match packets on any interface.
-However this is a potential problem for filtering IPsec traffic:
-states need to be interface bound,
-to avoid permitting unencrypted traffic should
-.Xr isakmpd 8
-exit.
-Therefore all rules on the enc0 interface should explicitly set
-.Dq keep state (if-bound) .
-.Pp
-.Xr pf 4
has the ability to filter IPsec-related packets
based on an arbitrary
.Em tag