| blob | 76642506f2da57b9ad7ff9c931fd722d3771b72e |
1 #
2 #ident "%Z%%M% %I% %E% SMI"
3 #
4 # Copyright 2005 Sun Microsystems, Inc. All rights reserved.
5 # Use is subject to license terms.
6 #
7 # CDDL HEADER START
8 #
9 # The contents of this file are subject to the terms of the
10 # Common Development and Distribution License, Version 1.0 only
11 # (the "License"). You may not use this file except in compliance
12 # with the License.
13 #
14 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
15 # or http://www.opensolaris.org/os/licensing.
16 # See the License for the specific language governing permissions
17 # and limitations under the License.
18 #
19 # When distributing Covered Code, include this CDDL HEADER in each
20 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
21 # If applicable, add the following below this CDDL HEADER, with the
22 # fields enclosed by brackets "[]" replaced with your own identifying
23 # information: Portions Copyright [yyyy] [name of copyright owner]
24 #
25 # CDDL HEADER END
26 #
27 # This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
28 # systemwide policy (and as a side-effect, load IPsec kernel modules).
29 # Even if this file has no entries, IPsec will be loaded if
30 # /etc/inet/ipsecinit.conf exists.
31 #
32 # Add entries to protect the traffic using IPSEC. The entries in this
33 # file are currently configured using ipsecconf from inetinit script
34 # after /usr is mounted.
35 #
36 # For example,
37 #
38 # {rport 23} ipsec {encr_algs des encr_auth_algs md5}
39 #
40 # Or, in the older (but still usable) syntax
41 #
42 # {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
43 # {sport 23} permit {encr_algs des encr_auth_algs md5}
44 #
45 # will protect the telnet traffic originating from the host with ESP using
46 # DES and MD5. Also:
47 #
48 # {raddr 10.5.5.0/24} ipsec {auth_algs any}
49 #
50 # Or, in the older (but still usable) syntax
51 #
52 # {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
53 # {saddr 10.5.5.0/24} permit {auth_algs any}
54 #
55 # will protect traffic to/from the 10.5.5.0 subnet with AH using any available
56 # algorithm.
57 #
58 # To do basic filtering, a drop rule may be used. For example:
59 #
60 # {lport 23 dir in} drop {}
61 # {lport 23 dir out} drop {}
62 #
63 # will disallow any remote system from telnetting in.
64 #
65 # If you are using IPv6, it may be useful to bypass neighbor discovery
66 # to allow in.iked to work properly with on-link neighbors. To do that,
67 # add the following lines:
68 #
69 # {ulp ipv6-icmp type 133-137 dir both } pass { }
70 #
71 # This will allow neighbor discovery to work normally.
72 #
73 # WARNING: This file is read before default routes are established, and
74 # before any naming services have been started. The
75 # ipsecconf(1M) command attempts to resolve names, but it will
76 # fail unless the machine uses files, or DNS and the DNS server
77 # is reachable via routing information before ipsecconf(1m)
78 # invocation. (E.g. the DNS server is on-subnet, or DHCP
79 # has loaded up the default router already.)
80 #
81 # It is suggested that for this file, use hostnames only if
82 # they are in /etc/hosts, or use numeric IP addresses.
83 #
84 # If DNS gets used, the DNS server is implicitly trusted, which
85 # could lead to compromise of this machine if the DNS server
86 # has been compromised.
87 #