ipf ipsec

From: Otto Kucera <ok(at)72pixel.at>
Date: Fri, 11 Jun 2004 10:04:20 +0200

Hello!

I have a problem exchanging the keys with IKE under IPsec. I have isolated
the problem to my packet filter rules, which should actually be fine.

Googling around has also indicated that they are correct as far as they go.

My ipf.rules:

# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log all
block out log all
# -------------------------------------------------------------------------
# Interface: lo0
# Allow loopback to flow freely.
# -------------------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Interface: gif0 (ipsec)
# Allow internal traffic to flow freely.
# -------------------------------------------------------------------------
pass in quick on gif0 all
pass out quick on gif0 all
pass in quick on gif1 all
pass out quick on gif1 all
pass in quick on gif2 all
pass out quick on gif2 all
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# L A N
# -------------------------------------------------------------------------
pass in quick on xl1 all
pass out quick on xl1 all
# -------------------------------------------------------------------------

# =======================================================================================
# W A N NEXTRA
# =======================================================================================

# Allow all outgoing traffic
pass out on xl0 proto tcp from any to any keep frags keep state
pass out on xl0 proto udp from any to any keep frags keep state
pass out on xl0 proto icmp from any to any keep frags keep state

# [ping]
pass in quick on xl0 proto icmp from any to any icmp-type 3 keep state keep frags
pass in quick on xl0 proto icmp from any to any icmp-type 11 keep state keep frags
pass in quick on xl0 proto icmp from any to any icmp-type 8 keep state keep frags

# Allow DNS lookups
pass in quick on xl0 proto udp from any to any port = 53 keep state keep frags
pass out quick on xl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on xl0 proto tcp from 213.235.197.80/29 to any port = 53 keep state keep frags
pass out quick on xl0 proto tcp from 213.235.197.80/29 to any port = 53 keep state keep frags

# [ IPSEC]
pass in on xl0 proto esp from any to any
pass out on xl0 proto esp from any to any
pass in on xl0 proto udp from any port = 500 to any port = 500
pass out on xl0 proto udp from any port = 500 to any port = 500
pass in on xl0 proto ipencap from any to any
pass out on xl0 proto ipencap from any to any
pass in on xl0 proto ah from any to any
pass out on xl0 proto ah from any to any

They should be fine, shouldn't they? As soon as I disable the filter, the
keys are exchanged.

otto

-- 
-----------------------------------
Otto Kucera
A-1020 Wien Engerthstrasse 137/6/7
Tel: +43 699 1 942 30 91 [new number!]
Email: ok(at)72pixel.at
Icq: 65351173
-----------------------------------
And root said rm -rf /     ......and there was nothing
*BSD is like a wigwam: NO windows, NO gates and an Apache inside!
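The rule set above is decided by IPFilter's ordering semantics: every rule is walked, the last matching one wins, and only a rule marked "quick" stops the walk early. The following Python is an added example (not code from the post, the list or IPFilter itself) that implements that evaluation for the syntax subset used in the posted ipf.rules and runs the IKE/ESP-relevant rules against a few constructed packets on xl0. It deliberately does not model "keep state" or "keep frags", the peer and local addresses are placeholders, and the result is therefore what the static rules alone decide.

```python
"""Minimal evaluator for IPFilter (ipf) rule semantics: the last matching rule
decides unless an earlier matching rule carries 'quick'. Added example, not
code from the mailing-list post; it parses only the rule subset used there,
and 'keep state', 'keep frags' and 'icmp-type' are accepted but not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str          # 'pass' or 'block'
    direction: str       # 'in' or 'out'
    text: str            # original rule line, kept for reporting
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    sport: Optional[int] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf rule line; blank and comment lines give None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = line.split()
    if toks[0] not in ("pass", "block") or toks[1] not in ("in", "out"):
        raise ValueError("unsupported rule: " + line)
    rule = Rule(action=toks[0], direction=toks[1], text=line)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick = True
        elif t in ("on", "proto"):
            setattr(rule, "iface" if t == "on" else "proto", toks[i + 1])
            i += 1
        elif t in ("from", "to"):
            net = None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1], strict=False)
            port = None
            if toks[i + 2:i + 4] == ["port", "="]:   # optional 'port = N'
                port = int(toks[i + 4])
                i += 3
            setattr(rule, "src" if t == "from" else "dst", net)
            setattr(rule, "sport" if t == "from" else "dport", port)
            i += 1
        elif t in ("keep", "icmp-type"):
            i += 1       # 'keep state', 'keep frags', 'icmp-type N': accepted, not modelled
        elif t not in ("all", "log"):
            raise ValueError("unknown token %r in: %s" % (t, line))
        i += 1
    return rule

def matches(rule: Rule, pkt: dict) -> bool:
    return all([
        rule.direction == pkt["direction"],
        rule.iface in (None, pkt["iface"]),
        rule.proto in (None, pkt["proto"]),
        rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src,
        rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst,
        rule.sport in (None, pkt.get("sport")),
        rule.dport in (None, pkt.get("dport")),
    ])

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, List[str]]:
    """Walk the whole list: the last match wins, but a matching 'quick' rule
    ends the walk. 'pass' is ipf's default when no rule matches at all."""
    verdict, matched = "pass", []
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            matched.append(rule.text)
            if rule.quick:
                break
    return verdict, matched

# Subset of the posted ipf.rules that touches IKE/ESP on the WAN interface xl0.
IPF_RULES = """
block in log all
block out log all
pass out on xl0 proto udp from any to any keep frags keep state
pass in quick on xl0 proto udp from any to any port = 53 keep state keep frags
pass in on xl0 proto esp from any to any
pass in on xl0 proto udp from any port = 500 to any port = 500
pass out on xl0 proto udp from any port = 500 to any port = 500
"""
RULES = [r for r in map(parse_rule, IPF_RULES.splitlines()) if r is not None]

def verdict_for(direction, proto, sport=None, dport=None, iface="xl0"):
    """One packet on the WAN side; the addresses are constructed placeholders."""
    pkt = {"direction": direction, "iface": iface, "proto": proto,
           "src": "198.51.100.1", "dst": "203.0.113.1", "sport": sport, "dport": dport}
    return evaluate(RULES, pkt)

if __name__ == "__main__":
    for args in [("in", "udp", 500, 500), ("in", "udp", 1024, 500), ("in", "esp")]:
        print(args, "->", verdict_for(*args))
```

Running it shows that an inbound IKE datagram with source and destination port 500 on xl0 ends at the pass rule, as does inbound ESP, while a UDP datagram to port 500 from any other source port matches only "block in log all", because the posted rule constrains both ports to 500. The matched-rule list is what to compare against the ipmon log when a blocked IKE packet shows up there.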
Received on Fri 11 Jun 2004 - 10:05:33 CEST
