summaryrefslogtreecommitdiff
path: root/share/man/man8
diff options
context:
space:
mode:
Diffstat (limited to 'share/man/man8')
-rw-r--r--share/man/man8/vpn.8105
1 files changed, 53 insertions, 52 deletions
diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8
index 9459e67b6ac..8f0c059b325 100644
--- a/share/man/man8/vpn.8
+++ b/share/man/man8/vpn.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vpn.8,v 1.50 2001/03/01 16:11:24 aaron Exp $
+.\" $OpenBSD: vpn.8,v 1.51 2001/05/30 03:24:17 millert Exp $
.\"
.\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de>
.\" All rights reserved.
@@ -262,54 +262,55 @@ authentication) start the daemon with debugging or verbose output.
implements security policy using the
.Em KeyNote
trust management system.
-.Ss Configuring Firewall Rules
-.Xr ipf 8
-needs to be configured such that all packets from the outside are blocked
-by default.
-Only successfully IPsec-processed packets (from the
-.Xr enc 4
-interface), or key management packets (for
-.Xr photurisd 8 ,
-.Tn UDP
-packets with source and destination ports of 468, and for
-.Xr isakmpd 8 ,
-.Tn UDP
-packets with source and destination ports of 500) should be allowed to pass.
-.Pp
-The
-.Xr ipf 5
-rules for a tunnel which uses encryption (the ESP IPsec protocol) and
+.\"XXX - replace with ipfw when it is in-tree
+.\".Ss Configuring Firewall Rules
+.\".Xr ipf 8
+.\"needs to be configured such that all packets from the outside are blocked
+.\"by default.
+.\"Only successfully IPsec-processed packets (from the
+.\".Xr enc 4
+.\"interface), or key management packets (for
+.\".Xr photurisd 8 ,
+.\".Tn UDP
+.\"packets with source and destination ports of 468, and for
+.\".Xr isakmpd 8 ,
+.\".Tn UDP
+.\"packets with source and destination ports of 500) should be allowed to pass.
+.\".Pp
+.\"The
+.\".Xr ipf 5
+.\"rules for a tunnel which uses encryption (the ESP IPsec protocol) and
.Xr photurisd 8
-on security gateway A might look like this:
-.Bd -literal
-# ne0 is the only interface going to the outside.
-block in log on ne0 from any to any
-block out log on ne0 from any to any
-block in log on enc0 from any to any
-block out log on enc0 from any to any
-
-# Passing in encrypted traffic from security gateways
-pass in proto esp from gatewB/32 to gatewA/32
-pass out proto esp from gatewA/32 to gatewB/32
-
-# Passing in traffic from the designated subnets.
-pass in on enc0 from netB/netBmask to netA/netAmask
-pass out on enc0 from natA/netAmask to netB/netBmask
-
-# Passing in Photuris traffic from the security gateways
-pass in on ne0 proto udp from gatewB/32 port = 468 to gatewA/32 port = 468
-pass out on ne0 proto udp from gatewA/32 port = 468 to gatewB/32 port = 468
-.Ed
-.Pp
-If there are no other
-.Xr ipf 5
-rules, the "quick" clause can be added to the last four rules.
-NAT rules can also be used on the
-.Xr enc 4
-interface.
-Note that it is strongly encouraged that instead of detailed IPF
-rules, the SPD (IPsec flow database) be utilized to specify security
-policy, if only to avoid filtering conflicts.
+.\"on security gateway A might look like this:
+.\".Bd -literal
+.\"# ne0 is the only interface going to the outside.
+.\"block in log on ne0 from any to any
+.\"block out log on ne0 from any to any
+.\"block in log on enc0 from any to any
+.\"block out log on enc0 from any to any
+.\"
+.\"# Passing in encrypted traffic from security gateways
+.\"pass in proto esp from gatewB/32 to gatewA/32
+.\"pass out proto esp from gatewA/32 to gatewB/32
+.\"
+.\"# Passing in traffic from the designated subnets.
+.\"pass in on enc0 from netB/netBmask to netA/netAmask
+.\"pass out on enc0 from natA/netAmask to netB/netBmask
+.\"
+.\"# Passing in Photuris traffic from the security gateways
+.\"pass in on ne0 proto udp from gatewB/32 port = 468 to gatewA/32 port = 468
+.\"pass out on ne0 proto udp from gatewA/32 port = 468 to gatewB/32 port = 468
+.\".Ed
+.\".Pp
+.\"If there are no other
+.\".Xr ipf 5
+.\"rules, the "quick" clause can be added to the last four rules.
+.\"NAT rules can also be used on the
+.\".Xr enc 4
+.\"interface.
+.\"Note that it is strongly encouraged that instead of detailed IPF
+.\"rules, the SPD (IPsec flow database) be utilized to specify security
+.\"policy, if only to avoid filtering conflicts.
.Sh EXAMPLES
.Ss Manual keying
To create a manual keyed VPN between two class C networks using
@@ -681,8 +682,8 @@ Sample VPN configuration file
configuration file
.It Pa /etc/photuris/photuris.conf
Photuris configuration file
-.It Pa /etc/ipf.rules
-Firewall configuration file
+.\".It Pa /etc/ipf.rules
+.\"Firewall configuration file
.El
.Sh BUGS
.Xr photurisd 8
@@ -696,8 +697,8 @@ or manual keying must be used.
.Xr enc 4 ,
.Xr ipsec 4 ,
.Xr options 4 ,
-.Xr ipf 5 ,
-.Xr ipf 8 ,
+.\".Xr ipf 5 ,
+.\".Xr ipf 8 ,
.Xr ipsecadm 8 ,
.Xr sysctl 8 ,
.Xr openssl 1 ,