xref: /titanic_41/usr/src/cmd/cmd-inet/etc/ipsecinit.sample (revision d29b2c4438482eb00488be49a1f5d6835f455546)
1#
2#ident	"%Z%%M%	%I%	%E% SMI"
3#
4# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
5# Use is subject to license terms.
6#
7# CDDL HEADER START
8#
9# The contents of this file are subject to the terms of the
10# Common Development and Distribution License, Version 1.0 only
11# (the "License").  You may not use this file except in compliance
12# with the License.
13#
14# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15# or http://www.opensolaris.org/os/licensing.
16# See the License for the specific language governing permissions
17# and limitations under the License.
18#
19# When distributing Covered Code, include this CDDL HEADER in each
20# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21# If applicable, add the following below this CDDL HEADER, with the
22# fields enclosed by brackets "[]" replaced with your own identifying
23# information: Portions Copyright [yyyy] [name of copyright owner]
24#
25# CDDL HEADER END
26#
27# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
28# systemwide policy (and as a side-effect, load IPsec kernel modules).
29# Even if this file has no entries, IPsec will be loaded if
30# /etc/inet/ipsecinit.conf exists.
31#
32# Add entries to protect the traffic using IPSEC. The entries in this
33# file are currently configured using ipsecconf from inetinit script
34# after /usr is mounted.
35#
36# For example,
37#
38#	 {rport 23} ipsec {encr_algs des encr_auth_algs md5}
39#
40# Or, in the older (but still usable) syntax
41#
42#        {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
43#        {sport 23} permit {encr_algs des encr_auth_algs md5}
44#
45# will protect the telnet traffic originating from the host with ESP using
46# DES and MD5.  Also:
47#
48#	 {raddr 10.5.5.0/24} ipsec {auth_algs any}
49#
50# Or, in the older (but still usable) syntax
51#
52#        {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
53#        {saddr 10.5.5.0/24} permit {auth_algs any}
54#
55# will protect traffic to/from the 10.5.5.0 subnet with AH using any available
56# algorithm.
57#
58# To do basic filtering, a drop rule may be used. For example:
59#
60#	 {lport 23 dir in} drop {}
61#	 {lport 23 dir out} drop {}
62#
63# will disallow any remote system from telnetting in.
64#
65# If you are using IPv6, it may be useful to bypass neighbor discovery
66# to allow in.iked to work properly with on-link neighbors. To do that,
67# add the following lines:
68#
69#	 {ulp ipv6-icmp type 133-137 dir both } pass { }
70#
71# This will allow neighbor discovery to work normally.
72#
73# WARNING:	This file is read before default routes are established, and
74#		before any naming services have been started.  The
75#		ipsecconf(1M) command attempts to resolve names, but it will
76#		fail unless the machine uses files, or DNS and the DNS server
77#		is reachable via routing information before ipsecconf(1m)
78#		invocation.  (E.g. the DNS server is on-subnet, or DHCP
79#		has loaded up the default router already.)
80#
81#		It is suggested that for this file, use hostnames only if
82#		they are in /etc/hosts, or use numeric IP addresses.
83#
84#		If DNS gets used, the DNS server is implicitly trusted, which
85#		could lead to compromise of this machine if the DNS server
86#		has been compromised.
87#
88