#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
# systemwide policy (and as a side-effect, load IPsec kernel modules).
# Even if this file has no entries, IPsec will be loaded if
# /etc/inet/ipsecinit.conf exists.
#
# Add entries to protect the traffic using IPSEC.  The entries in this
# file are currently configured using ipsecconf from inetinit script
# after /usr is mounted.
#
# For example,
#
#	{rport 23} ipsec {encr_algs des encr_auth_algs md5}
#
# Or, in the older (but still usable) syntax
#
#	{dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
#	{sport 23} permit {encr_algs des encr_auth_algs md5}
#
# will protect the telnet traffic originating from the host with ESP using
# DES and MD5.  Also:
#
#	{raddr 10.5.5.0/24} ipsec {auth_algs any}
#
# Or, in the older (but still usable) syntax
#
#	{daddr 10.5.5.0/24} apply {auth_algs any sa shared}
#	{saddr 10.5.5.0/24} permit {auth_algs any}
#
# will protect traffic to/from the 10.5.5.0 subnet with AH using any available
# algorithm.
#
# To do basic filtering, a drop rule may be used.  For example:
#
#	{lport 23 dir in} drop {}
#	{lport 23 dir out} drop {}
#
# will disallow any remote system from telnetting in.
#
# If you are using IPv6, it may be useful to bypass neighbor discovery
# to allow in.iked to work properly with on-link neighbors.  To do that,
# add the following lines:
#
#	{ulp ipv6-icmp type 133-137 dir both } pass { }
#
# This will allow neighbor discovery to work normally.
#
# WARNING:	This file is read before default routes are established, and
#		before any naming services have been started.  The
#		ipsecconf(1M) command attempts to resolve names, but it will
#		fail unless the machine uses files, or DNS and the DNS server
#		is reachable via routing information before ipsecconf(1M)
#		invocation.  (E.g. the DNS server is on-subnet, or DHCP
#		has loaded up the default router already.)
#
#		It is suggested that for this file, use hostnames only if
#		they are in /etc/hosts, or use numeric IP addresses.
#
#		If DNS gets used, the DNS server is implicitly trusted, which
#		could lead to compromise of this machine if the DNS server
#		has been compromised.
#

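The following is an added example of a complete policy built from the rule forms described above; it is not part of Sun's sample file. The subnet 192.0.2.0/24 is constructed, and the algorithm names "aes" and "sha1" are assumed to be accepted by the installed ipsecconf (confirm with ipsecalgs(1M)); everything else uses only the syntax shown in the comments above.

```text
# Added example policy for /etc/inet/ipsecinit.conf (not Sun's sample).
#
# IPv6 neighbor discovery is let through before any protected rule so
# that in.iked can still reach on-link peers.
{ulp ipv6-icmp type 133-137 dir both} pass {}
#
# Plain filtering: refuse inbound telnet regardless of IPsec state.
{lport 23 dir in} drop {}
#
# Require ESP with both encryption and integrity for all traffic to or
# from the (constructed) subnet.  A numeric address is used on purpose,
# because this file is read before DNS or routing is available, and a
# hostname here would make the policy depend on a DNS answer.
# "aes" and "sha1" are assumed algorithm names; check ipsecalgs(1M).
{raddr 192.0.2.0/24} ipsec {encr_algs aes encr_auth_algs sha1}
```

After copying the file into place, the active policy can be loaded with ipsecconf -a and reviewed with ipsecconf -l to confirm each rule was parsed as intended.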