xref: /illumos-gate/usr/src/cmd/cmd-inet/etc/ipsecinit.sample (revision dd72704bd9e794056c558153663c739e2012d721)
1#
2# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# CDDL HEADER START
6#
7# The contents of this file are subject to the terms of the
8# Common Development and Distribution License, Version 1.0 only
9# (the "License").  You may not use this file except in compliance
10# with the License.
11#
12# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
13# or http://www.opensolaris.org/os/licensing.
14# See the License for the specific language governing permissions
15# and limitations under the License.
16#
17# When distributing Covered Code, include this CDDL HEADER in each
18# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
19# If applicable, add the following below this CDDL HEADER, with the
20# fields enclosed by brackets "[]" replaced with your own identifying
21# information: Portions Copyright [yyyy] [name of copyright owner]
22#
23# CDDL HEADER END
24#
25# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
26# systemwide policy (and as a side-effect, load IPsec kernel modules).
27# Even if this file has no entries, IPsec will be loaded if
28# /etc/inet/ipsecinit.conf exists.
29#
30# Add entries to protect the traffic using IPSEC. The entries in this
31# file are currently configured using ipsecconf from inetinit script
32# after /usr is mounted.
33#
34# For example,
35#
36#	 {rport 23} ipsec {encr_algs des encr_auth_algs md5}
37#
38# Or, in the older (but still usable) syntax
39#
40#        {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
41#        {sport 23} permit {encr_algs des encr_auth_algs md5}
42#
43# will protect the telnet traffic originating from the host with ESP using
44# DES and MD5.  Also:
45#
46#	 {raddr 10.5.5.0/24} ipsec {auth_algs any}
47#
48# Or, in the older (but still usable) syntax
49#
50#        {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
51#        {saddr 10.5.5.0/24} permit {auth_algs any}
52#
53# will protect traffic to/from the 10.5.5.0 subnet with AH using any available
54# algorithm.
55#
56# To do basic filtering, a drop rule may be used. For example:
57#
58#	 {lport 23 dir in} drop {}
59#	 {lport 23 dir out} drop {}
60#
61# will disallow any remote system from telnetting in.
62#
63# If you are using IPv6, it may be useful to bypass neighbor discovery
64# to allow in.iked to work properly with on-link neighbors. To do that,
65# add the following lines:
66#
67#	 {ulp ipv6-icmp type 133-137 dir both } pass { }
68#
69# This will allow neighbor discovery to work normally.
70#
71# WARNING:	This file is read before default routes are established, and
72#		before any naming services have been started.  The
73#		ipsecconf(8) command attempts to resolve names, but it will
74#		fail unless the machine uses files, or DNS and the DNS server
75#		is reachable via routing information before ipsecconf(8)
76#		invocation.  (E.g. the DNS server is on-subnet, or DHCP
77#		has loaded up the default router already.)
78#
79#		It is suggested that for this file, use hostnames only if
80#		they are in /etc/hosts, or use numeric IP addresses.
81#
82#		If DNS gets used, the DNS server is implicitly trusted, which
83#		could lead to compromise of this machine if the DNS server
84#		has been compromised.
85#
86