Diffstat (limited to 'share')
-rw-r--r--  share/man/man4/bridge.4        43
-rw-r--r--  share/man/man4/enc.4           33
-rw-r--r--  share/man/man7/securelevel.7   13
-rw-r--r--  share/man/man8/vpn.8          105
4 files changed, 101 insertions, 93 deletions
diff --git a/share/man/man4/bridge.4 b/share/man/man4/bridge.4 index 8ece81932cf..6a275a2b867 100644 --- a/share/man/man4/bridge.4 +++ b/share/man/man4/bridge.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bridge.4,v 1.29 2000/12/30 21:57:21 angelos Exp $ +.\" $OpenBSD: bridge.4,v 1.30 2001/05/30 03:24:15 millert Exp $ .\" .\" Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) .\" All rights reserved. @@ -52,9 +52,10 @@ a transparent filter for .Xr ip 4 datagrams. .Pp -The bridges provided by this interface are learning bridges with -IP filtering, see -.Xr ipf 4 . +.\"XXX - replace with ipfw when it is in-tree +.\"The bridges provided by this interface are learning bridges with +.\"IP filtering, see +..\"Xr ipf 4 . In general a bridge works like a hub, forwarding traffic from one interface to another. It differs from a hub in that it will "learn" which machines @@ -79,16 +80,17 @@ bridge will forward the packet only to the destination segment. If the destination is on the same segment as the origin segment, the bridge will drop the packet because the receiver has already had a chance to see the frame. -Before forwarding a frame, the bridge will check to see if the packet -contains an -.Xr ip 4 -datagram; if so, the datagram is run through the -.Xr ipf 4 -interface so that it can be filtered. -Only the -.Xr ipf 4 -input rules for the source interface are checked with the datagram; -output rules have no effect. +.\"XXX - replace with ipfw when it is in-tree +.\"Before forwarding a frame, the bridge will check to see if the packet +.\"contains an +.\".Xr ip 4 +.\"datagram; if so, the datagram is run through the +.\".Xr ipf 4 +.\"interface so that it can be filtered. +.\"Only the +.\".Xr ipf 4 +.\"input rules for the source interface are checked with the datagram; +.\"output rules have no effect. .Sh IOCTLS A .Nm 
@@ -518,7 +520,7 @@ No such member interface in the bridge. .Xr ioctl 2 , .Xr gif 4 , .Xr ip 4 , -.Xr ipf 4 , +.\".Xr ipf 4 , .Xr netintro 4 , .Xr bridgename.if 5 , .Xr brconfig 8 @@ -542,8 +544,9 @@ kernel interface first appeared in There is currently no loop detection. Care must be taken to ensure that loops are not created when a bridge is brought up. -.Pp -Only -.Xr ipf 4 -input rules are checked with incoming packet; there is no easy way to -handle output rules. +.\"XXX - replace with ipfw when it is in-tree +.\".Pp +.\"Only +.\".Xr ipf 4 +.\"input rules are checked with incoming packet; there is no easy way to +.\"handle output rules. diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4 index 382b1a1c02b..8d2d4f68134 100644 --- a/share/man/man4/enc.4 +++ b/share/man/man4/enc.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: enc.4,v 1.11 2001/03/25 22:32:45 angelos Exp $ +.\" $OpenBSD: enc.4,v 1.12 2001/05/30 03:24:16 millert Exp $ .\" .Dd October 7, 1999 .Dt ENC 4 @@ -9,21 +9,24 @@ .Sh SYNOPSIS .Cd "pseudo-device enc 4" .Sh DESCRIPTION +.\"XXX - replace with ipfw when it is in-tree +.\"The +.\".Nm +.\"interface is a software loopback mechanism that allows hosts or +.\"firewalls to filter +.\".Xr ipsec 4 +.\"traffic using +.\".Xr ipf 5 . +.\"The +.\".Xr vpn 8 +.\"manpage shows an example of such a setup. +.\".Pp +.\"The other use of the +.\"XXX The .Nm -interface is a software loopback mechanism that allows hosts or -firewalls to filter -.Xr ipsec 4 -traffic using -.Xr ipf 5 . -The -.Xr vpn 8 -manpage shows an example of such a setup. -.Pp -The other use of the -.Nm -interface is to allow an administrator to see outgoing packets before -they have been processed by +interface is a software loopback mechanism that allows an administrator +to see outgoing packets before they have been processed by .Xr ipsec 4 , or incoming packets after they have been similarly processed, via .Xr tcpdump 8 . 
@@ -52,5 +55,5 @@ or all incoming packets after they have been similarly processed: .Xr inet 4 , .Xr ipsec 4 , .Xr netintro 4 , -.Xr ipf 5 , +.\".Xr ipf 5 , .Xr vpn 8 diff --git a/share/man/man7/securelevel.7 b/share/man/man7/securelevel.7 index 878f9df2774..d4b523e6108 100644 --- a/share/man/man7/securelevel.7 +++ b/share/man/man7/securelevel.7 @@ -1,4 +1,4 @@ -.\" $OpenBSD: securelevel.7,v 1.11 2001/05/01 18:31:43 aaron Exp $ +.\" $OpenBSD: securelevel.7,v 1.12 2001/05/30 03:24:16 millert Exp $ .\" .\" Copyright (c) 2000 Hugh Graham .\" @@ -82,11 +82,12 @@ raw disk devices are always read-only whether mounted or not .It .Xr settimeofday 2 may not set the time backwards -.It -.Xr ipf 8 -and -.Xr ipnat 8 -rules may not be altered +.\"XXX - replace with ipfw when it is in-tree +.\".It +.\".Xr ipf 8 +.\"and +.\".Xr ipnat 8 +.\"rules may not be altered .It the .Va ddb.console diff --git a/share/man/man8/vpn.8 b/share/man/man8/vpn.8 index 9459e67b6ac..8f0c059b325 100644 --- a/share/man/man8/vpn.8 +++ b/share/man/man8/vpn.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: vpn.8,v 1.50 2001/03/01 16:11:24 aaron Exp $ +.\" $OpenBSD: vpn.8,v 1.51 2001/05/30 03:24:17 millert Exp $ .\" .\" Copyright 1998 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. 
@@ -262,54 +262,55 @@ authentication) start the daemon with debugging or verbose output. implements security policy using the .Em KeyNote trust management system. -.Ss Configuring Firewall Rules -.Xr ipf 8 -needs to be configured such that all packets from the outside are blocked -by default. -Only successfully IPsec-processed packets (from the -.Xr enc 4 -interface), or key management packets (for -.Xr photurisd 8 , -.Tn UDP -packets with source and destination ports of 468, and for -.Xr isakmpd 8 , -.Tn UDP -packets with source and destination ports of 500) should be allowed to pass. -.Pp -The -.Xr ipf 5 -rules for a tunnel which uses encryption (the ESP IPsec protocol) and +.\"XXX - replace with ipfw when it is in-tree +.\".Ss Configuring Firewall Rules +.\".Xr ipf 8 +.\"needs to be configured such that all packets from the outside are blocked +.\"by default. +.\"Only successfully IPsec-processed packets (from the +.\".Xr enc 4 +.\"interface), or key management packets (for +.\".Xr photurisd 8 , +.\".Tn UDP +.\"packets with source and destination ports of 468, and for +.\".Xr isakmpd 8 , +.\".Tn UDP +.\"packets with source and destination ports of 500) should be allowed to pass. +.\".Pp +.\"The +.\".Xr ipf 5 +.\"rules for a tunnel which uses encryption (the ESP IPsec protocol) and .Xr photurisd 8 -on security gateway A might look like this: -.Bd -literal -# ne0 is the only interface going to the outside. -block in log on ne0 from any to any -block out log on ne0 from any to any -block in log on enc0 from any to any -block out log on enc0 from any to any - -# Passing in encrypted traffic from security gateways -pass in proto esp from gatewB/32 to gatewA/32 -pass out proto esp from gatewA/32 to gatewB/32 - -# Passing in traffic from the designated subnets. 
-pass in on enc0 from netB/netBmask to netA/netAmask -pass out on enc0 from natA/netAmask to netB/netBmask - -# Passing in Photuris traffic from the security gateways -pass in on ne0 proto udp from gatewB/32 port = 468 to gatewA/32 port = 468 -pass out on ne0 proto udp from gatewA/32 port = 468 to gatewB/32 port = 468 -.Ed -.Pp -If there are no other -.Xr ipf 5 -rules, the "quick" clause can be added to the last four rules. -NAT rules can also be used on the -.Xr enc 4 -interface. -Note that it is strongly encouraged that instead of detailed IPF -rules, the SPD (IPsec flow database) be utilized to specify security -policy, if only to avoid filtering conflicts. +.\"on security gateway A might look like this: +.\".Bd -literal +.\"# ne0 is the only interface going to the outside. +.\"block in log on ne0 from any to any +.\"block out log on ne0 from any to any +.\"block in log on enc0 from any to any +.\"block out log on enc0 from any to any +.\" +.\"# Passing in encrypted traffic from security gateways +.\"pass in proto esp from gatewB/32 to gatewA/32 +.\"pass out proto esp from gatewA/32 to gatewB/32 +.\" +.\"# Passing in traffic from the designated subnets. +.\"pass in on enc0 from netB/netBmask to netA/netAmask +.\"pass out on enc0 from natA/netAmask to netB/netBmask +.\" +.\"# Passing in Photuris traffic from the security gateways +.\"pass in on ne0 proto udp from gatewB/32 port = 468 to gatewA/32 port = 468 +.\"pass out on ne0 proto udp from gatewA/32 port = 468 to gatewB/32 port = 468 +.\".Ed +.\".Pp +.\"If there are no other +.\".Xr ipf 5 +.\"rules, the "quick" clause can be added to the last four rules. +.\"NAT rules can also be used on the +.\".Xr enc 4 +.\"interface. +.\"Note that it is strongly encouraged that instead of detailed IPF +.\"rules, the SPD (IPsec flow database) be utilized to specify security +.\"policy, if only to avoid filtering conflicts. .Sh EXAMPLES .Ss Manual keying To create a manual keyed VPN between two class C networks using 
@@ -681,8 +682,8 @@ Sample VPN configuration file configuration file .It Pa /etc/photuris/photuris.conf Photuris configuration file -.It Pa /etc/ipf.rules -Firewall configuration file +.\".It Pa /etc/ipf.rules +.\"Firewall configuration file .El .Sh BUGS .Xr photurisd 8 @@ -696,8 +697,8 @@ or manual keying must be used. .Xr enc 4 , .Xr ipsec 4 , .Xr options 4 , -.Xr ipf 5 , -.Xr ipf 8 , +.\".Xr ipf 5 , +.\".Xr ipf 8 , .Xr ipsecadm 8 , .Xr sysctl 8 , .Xr openssl 1 , |