[Openswan Users]
routing problems with suse 9.2 kernel 2.6.8-24.5-default
Martin Temmink
temmink at vrisned.com
Sun Dec 19 22:05:20 CET 2004
The tunnel is established correctly, but I cannot ping anything on the other site.
My packets show up in tcpdump as clear text and are not going through the
tunnel.
Who can give me a hint, or better, a solution for this?
With kind regards,
Martin.
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Review notes: this is the copy pasted into the post. The copy that
# `ipsec barf` printed from the live /etc/ipsec.conf (further down in the
# same post) differs from it: rp_filter is set to 1 there, and the RSA keys
# are censored as [keyid ...]. Lines marked NOTE(review) compare this file
# against that barf output; they are not part of the original file.
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Bind to the interface that carries the default route; `ipsec showdefaults`
# in the barf output resolves this to eth1.
interfaces=%defaultroute
#interfaces="ipsec=ppp0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
#klipsdebug=all
#plutodebug="control parsing"
#plutodebug=all
# Certificate Revocation List handling
# crlcheckinterval=600
# strictcrlpolicy=yes
# Change rp_filter setting, default = 0 (switch off)
# rp_filter= %unchanged
# NOTE(review): the live file shown by `ipsec barf` has `rp_filter= 1` here,
# and every /proc/sys/net/ipv4/conf/*/rp_filter in the barf output reads 1.
# This box runs the native 2.6 IPsec stack (no ipsec0 device, setkey
# policies present), where strict reverse-path filtering on eth0/eth1 is a
# known cause of decapsulated packets being dropped -- worth ruling out.
# Switch on NAT-Traversal (if patch is installed)
#nat_traversal=yes
Ipsec.conf
# default settings for connections
conn %default
# Default: %forever (try forever)
# keyingtries=3
# Sig keys (default: %dnsondemand)
# %cert is overridden per connection below with literal raw RSA keys, so
# no X.509 certificate is actually used for this tunnel.
leftrsasigkey=%cert
rightrsasigkey=%cert
authby=rsasig
disablearrivalcheck=no
#auto=add
compress=no
# 0 = retry forever (matches "keyingtries: 0" in ipsec auto --status).
keyingtries=0
# NOTE(review): pfs=no disables Perfect Forward Secrecy for the IPsec SA
# (status shows pfsgroup=<N/A>). Unrelated to the routing problem, but it
# means a later compromise of the IKE keys exposes recorded traffic.
pfs=no
type=tunnel
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
# Add connections here
# BALD VPN connection
conn net-to-net
left=xx.xx.x.217
leftsubnet=192.168.0.0/24
leftnexthop=xx.xx.x.1
# NOTE(review): leftsourceip is set to the public address (same as left=),
# and the barf routing table shows "192.168.1.0/24 via ... dev eth1 src
# <public addr>". Packets that originate on this gateway therefore leave
# with a public source address, which matches neither setkey -D -P policy
# (both are 192.168.0.0/24 <-> 192.168.1.0/24) and so go out in the clear --
# exactly the tcpdump symptom described, if the pings are run on the gateway
# itself. Either set leftsourceip to the gateway's LAN address
# (192.168.0.100 per ifconfig) or test from a host inside 192.168.0.0/24.
leftsourceip=xx.xx.x.217
leftid=@xxxx
# Key value replaced with a placeholder for the post; the barf copy shows
# it censored as [keyid AQOttvu/r].
leftrsasigkey=dasfsdfsadfasdfasf
right=yy.yy.yy.227
rightsubnet=192.168.1.0/24
rightnexthop=yy.yy.yy.1
rightid=@linux
# Placeholder as above; barf copy shows [keyid AQN++1Coz].
rightrsasigkey=dasfdasfsdfaf
auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
ipsec barf
mail
Sun Dec 19 21:49:39 CET 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.3.0dr4/K2.6.8-24.5-default (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.8-24.5-default (geeko at buildhost) (gcc version 3.3.4 (pre
3.3.5 20040809)) #1 Wed Nov 17 11:10:06 UTC 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
xx.xx.xx.0 0.0.0.0 255.255.255.0 U 0 0 0
eth1
192.168.1.0 XX.XX.XX.XX.1 255.255.255.0 UG 0 0 0
eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0
eth0
10.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0
eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0
eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 XX.XX.XX.XX.1 0.0.0.0 UG 0 0 0
eth1
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
XX.XX.XX.XX yy.yy.yy.yy
esp mode=tunnel spi=1871039360(0x6f85cb80) reqid=16385(0x00004001)
E: 3des-cbc 270a3b96 cc2b5afb 4d631440 8ee3f845 162934b2 8ef5494b
A: hmac-md5 be56284d 6982559a b88760cf f74efcd7
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Dec 19 21:46:00 2004 current: Dec 19 21:49:39 2004
diff: 219(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=24238 refcnt=0
yy.yy.yy.yy XX.XX.XX.XX
esp mode=tunnel spi=3280816654(0xc38d4a0e) reqid=16385(0x00004001)
E: 3des-cbc bf127024 9c172d70 7a93413c bef72d48 b193e0fc fd5ef81c
A: hmac-md5 b67ad405 4466ec14 0129a59e c349e6a6
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Dec 19 21:46:00 2004 current: Dec 19 21:49:39 2004
diff: 219(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=24238 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
192.168.1.0/24[any] 192.168.0.0/24[any] any
in prio high + 1073739480 ipsec
esp/tunnel/yy.yy.yy.yy-XX.XX.XX.XX/unique#16385
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6120 seq=12 pid=24239
refcnt=1
192.168.0.0/24[any] 192.168.1.0/24[any] any
out prio high + 1073739480 ipsec
esp/tunnel/XX.XX.XX.XX-yy.yy.yy.yy/unique#16385
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6113 seq=11 pid=24239
refcnt=1
192.168.1.0/24[any] 192.168.0.0/24[any] any
fwd prio high + 1073739480 ipsec
esp/tunnel/yy.yy.yy.yy-XX.XX.XX.XX/unique#16385
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6130 seq=10 pid=24239
refcnt=1
::/0[any] ::/0[any] any
in none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6099 seq=9 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6083 seq=8 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6067 seq=7 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6051 seq=6 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Dec 19 21:46:00 2004 lastused: Dec 19 21:46:14 2004
lifetime: 0(s) validtime: 0(s)
spid=6035 seq=5 pid=24239
refcnt=1
::/0[any] ::/0[any] any
out none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6108 seq=4 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6092 seq=3 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6076 seq=2 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 19 21:46:00 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=6060 seq=1 pid=24239
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Dec 19 21:46:00 2004 lastused: Dec 19 21:46:01 2004
lifetime: 0(s) validtime: 0(s)
spid=6044 seq=0 pid=24239
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.100
000 interface eth0:1/eth0:1 10.168.0.100
000 interface eth1/eth1 XX.XX.XX.XX
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
trans={0,4,336} attrs={0,4,224}
000
000 "net-to-net":
192.168.0.0/24===XX.XX.XX.XX[@dongen]---XX.XX.XX.XX.1...82.162.16.1---yy.yy.
yy.yy[@linux]===192.168.1.0/24; erouted; eroute owner: #2
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+UP; prio: 24,24;
interface: eth1;
000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "net-to-net": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5,
5_000-2-2, flags=-strict
000 "net-to-net": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
5_192-2_160-5, 5_192-2_160-2,
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "net-to-net": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "net-to-net": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "net-to-net": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000
000 #2: "net-to-net" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27771s; newest IPSEC; eroute owner
000 #2: "net-to-net" esp.6f85cb80 at yy.yy.yy.yy esp.c38d4a0e at XX.XX.XX.XX
tun.0 at yy.yy.yy.yy tun.0 at XX.XX.XX.XX
000 #1: "net-to-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
in 2381s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:60:97:D5:01:1C
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::260:97ff:fed5:11c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:602507 errors:0 dropped:0 overruns:0 frame:0
TX packets:749198 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:84340150 (80.4 Mb) TX bytes:359114268 (342.4 Mb)
Interrupt:7 Base address:0xc800
eth0:1 Link encap:Ethernet HWaddr 00:60:97:D5:01:1C
inet addr:10.168.0.100 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:7 Base address:0xc800
eth1 Link encap:Ethernet HWaddr 00:10:4B:0A:29:B6
inet addr:XX.XX.XX.XX Bcast:62.216.8.255 Mask:255.255.255.0
inet6 addr: fe80::210:4bff:fe0a:29b6/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:839758 errors:0 dropped:0 overruns:0 frame:0
TX packets:788392 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:362347052 (345.5 Mb) TX bytes:175852432 (167.7 Mb)
Interrupt:5 Base address:0xcc00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:156783 errors:0 dropped:0 overruns:0 frame:0
TX packets:156783 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:27430741 (26.1 Mb) TX bytes:27430741 (26.1 Mb)
sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:60:97:d5:01:1c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.100/24 brd 192.168.0.255 scope global eth0
inet 10.168.0.100/24 brd 10.255.255.255 scope global eth0:1
inet6 fe80::260:97ff:fed5:11c/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen
1000
link/ether 00:10:4b:0a:29:b6 brd ff:ff:ff:ff:ff:ff
inet XX.XX.XX.XX/24 brd 62.216.8.255 scope global eth1
inet6 fe80::210:4bff:fe0a:29b6/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noqueue
link/sit 0.0.0.0 brd 0.0.0.0
+ _________________________ ip-route-list
+ ip route list
xx.xx.xx.0/24 dev eth1 proto kernel scope link src XX.XX.XX.XX
192.168.1.0/24 via XX.XX.XX.XX.1 dev eth1 src XX.XX.XX.XX
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.100
10.168.0.0/24 dev eth0 proto kernel scope link src 10.168.0.100
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via XX.XX.XX.XX.1 dev eth1
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.0dr4/K2.6.8-24.5-default (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: mail
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 217.8.216.62.in-addr.arpa.
[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ '[' -x /usr/sbin/mii-tool ']'
+ mii-tool -v
/usr/local/libexec/ipsec/barf: line 209: mii-tool: command not found
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
mail.vrisned.com
+ _________________________ hostname/ipaddress
+ hostname --ip-address
XX.XX.XX.XX
+ _________________________ uptime
+ uptime
9:50pm up 2 days 5:37, 2 users, load average: 0.02, 0.08, 0.07
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 24215 23858 17 0 2592 1232 wait S+ pts/1 0:00
\_ /bin/sh /usr/local/libexec/ipsec/barf
5 0 23995 1 23 0 2588 1192 wait S pts/1 0:00 /bin/sh
/usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend
--strictcrlpolicy --nat_traversal --keep_alive --force_keepalive
--disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri
--dump --opts --stderrlog --wait no --pre --post --log daemon.error
--pid /var/run/pluto.pid
5 0 23996 23995 23 0 2588 1216 wait S pts/1 0:00 \_
/bin/sh /usr/lib/ipsec/_plutorun --debug --uniqueids yes --nocrsend
--strictcrlpolicy --nat_traversal --keep_alive --force_keepalive
--disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri
--dump --opts --stderrlog --wait no --pre --post --log daemon.error
--pid /var/run/pluto.pid
4 0 24005 23996 17 0 2352 1208 - S pts/1 0:00 | \_
/usr/lib/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir
/etc/ipsec.d --uniqueids
4 0 24030 24005 18 0 1312 276 - S pts/1 0:00 |
\_ _pluto_adns
4 0 23997 23995 16 0 2592 1188 pipe_w S pts/1 0:00 \_
/bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 23998 1 16 0 1596 556 pipe_w S pts/1 0:00 logger -s
-p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=eth1
routevirt=ipsec0
routeaddr=XX.XX.XX.XX
routenexthop=XX.XX.XX.XX.1
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
#interfaces="ipsec=ppp0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
#klipsdebug=all
#plutodebug="control parsing"
#plutodebug=all
# Certificate Revocation List handling
# crlcheckinterval=600
# strictcrlpolicy=yes
# Change rp_filter setting, default = 0 (switch off)
rp_filter= 1
#%unchanged
# Switch on NAT-Traversal (if patch is installed)
#nat_traversal=yes
# default settings for connections
conn %default
# Default: %forever (try forever)
# keyingtries=3
# Sig keys (default: %dnsondemand)
leftrsasigkey=%cert
rightrsasigkey=%cert
authby=rsasig
disablearrivalcheck=no
#auto=add
compress=no
keyingtries=0
pfs=no
type=tunnel
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
# Add connections here
# BALD VPN connection
conn net-to-net
left=XX.XX.XX.XX
leftsubnet=192.168.0.0/24
leftnexthop=XX.XX.XX.XX.1
leftsourceip=XX.XX.XX.XX
#leftnexthop=%defaultroute
leftid=@dongen
leftrsasigkey=[keyid AQOttvu/r]
right=yy.yy.yy.yy
rightsubnet=192.168.1.0/24
rightnexthop=82.162.16.1
rightid=@linux
rightrsasigkey=[keyid AQN++1Coz]
auto=start
#Disable Opportunistic Encryption
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 68
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits dongen Tue Dec 14 22:43:53 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOttvu/r]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Dec 19 21:46:00 2004, 2192 RSA Key AQN++1Coz, until --- -- --:--:-- ----
ok (expires never)
000 ID_FQDN '@linux'
000 Dec 19 21:46:00 2004, 2192 RSA Key AQOttvu/r, until --- -- --:--:-- ----
ok (expires never)
000 ID_FQDN '@dongen'
000
000 List of X.509 CA Certificates:
000
000 Dec 19 21:45:59 2004, count: 1
000 subject: 'C=NL, ST=Brabant, L=Dongen, O=Bald b.v., OU=security,
CN=CA Bald, E=ca at bald.nl'
000 issuer: 'C=NL, ST=Brabant, L=Dongen, O=Bald b.v., OU=security,
CN=CA Bald, E=ca at bald.nl'
000 serial: 00
000 pubkey: 1024 RSA Key AwEAAbNrZ
000 validity: not before Dec 12 20:26:12 2004 ok
000 not after Dec 12 20:26:12 2005 ok
000 subjkey:
37:70:59:61:79:0f:67:e9:84:89:0e:e3:be:a9:ad:26:36:a4:cd:22
000 authkey:
37:70:59:61:79:0f:67:e9:84:89:0e:e3:be:a9:ad:26:36:a4:cd:22
000 aserial: 00
+ '[' /etc/ipsec.d/policies ']'
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
+ for policy in '$POLICIES/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/packages/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 212
-rwxr-xr-x 1 root root 15468 Dec 17 23:59 _confread
-rwxr-xr-x 1 root root 15468 Dec 17 23:58 _confread.old
-rwxr-xr-x 1 root root 16356 Dec 17 23:59 _copyright
-rwxr-xr-x 1 root root 16356 Dec 17 23:58 _copyright.old
-rwxr-xr-x 1 root root 2379 Dec 17 23:59 _include
-rwxr-xr-x 1 root root 2379 Dec 17 23:58 _include.old
-rwxr-xr-x 1 root root 1475 Dec 17 23:59 _keycensor
-rwxr-xr-x 1 root root 1475 Dec 17 23:58 _keycensor.old
-rwxr-xr-x 1 root root 3586 Dec 17 23:59 _plutoload
-rwxr-xr-x 1 root root 3586 Dec 17 23:58 _plutoload.old
-rwxr-xr-x 1 root root 7307 Dec 17 23:59 _plutorun
-rwxr-xr-x 1 root root 7307 Dec 17 23:58 _plutorun.old
-rwxr-xr-x 1 root root 11405 Dec 17 23:59 _realsetup
-rwxr-xr-x 1 root root 11405 Dec 17 23:58 _realsetup.old
-rwxr-xr-x 1 root root 1975 Dec 17 23:59 _secretcensor
-rwxr-xr-x 1 root root 1975 Dec 17 23:58 _secretcensor.old
-rwxr-xr-x 1 root root 9283 Dec 17 23:59 _startklips
-rwxr-xr-x 1 root root 9283 Dec 17 23:58 _startklips.old
-rwxr-xr-x 1 root root 12329 Dec 17 23:59 _updown
-rwxr-xr-x 1 root root 12329 Dec 17 23:58 _updown.old
-rwxr-xr-x 1 root root 7572 Dec 17 23:59 _updown_x509
-rwxr-xr-x 1 root root 7572 Dec 17 23:58 _updown_x509.old
-rwxr-xr-x 1 root root 1942 Dec 17 23:59 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 5632
-rwxr-xr-x 1 root root 26150 Dec 17 23:59 _pluto_adns
-rwxr-xr-x 1 root root 26150 Dec 17 23:58 _pluto_adns.old
-rwxr-xr-x 1 root root 18840 Dec 17 23:59 auto
-rwxr-xr-x 1 root root 18840 Dec 17 23:58 auto.old
-rwxr-xr-x 1 root root 10463 Dec 17 23:59 barf
-rwxr-xr-x 1 root root 10463 Dec 17 23:58 barf.old
-rwxr-xr-x 1 root root 816 Dec 17 23:59 calcgoo
-rwxr-xr-x 1 root root 816 Dec 17 23:58 calcgoo.old
-rwxr-xr-x 1 root root 182632 Dec 17 23:59 eroute
-rwxr-xr-x 1 root root 182632 Dec 17 23:58 eroute.old
-rwxr-xr-x 1 root root 59821 Dec 17 23:59 ikeping
-rwxr-xr-x 1 root root 59821 Dec 17 23:58 ikeping.old
-rwxr-xr-x 1 root root 116601 Dec 17 23:59 klipsdebug
-rwxr-xr-x 1 root root 116601 Dec 17 23:58 klipsdebug.old
-rwxr-xr-x 1 root root 1664 Dec 17 23:59 livetest
-rwxr-xr-x 1 root root 1664 Dec 17 23:58 livetest.old
-rwxr-xr-x 1 root root 2461 Dec 17 23:59 look
-rwxr-xr-x 1 root root 2461 Dec 17 23:58 look.old
-rwxr-xr-x 1 root root 7130 Dec 17 23:59 mailkey
-rwxr-xr-x 1 root root 7130 Dec 17 23:58 mailkey.old
-rwxr-xr-x 1 root root 15931 Dec 17 23:59 manual
-rwxr-xr-x 1 root root 15931 Dec 17 23:58 manual.old
-rwxr-xr-x 1 root root 1874 Dec 17 23:59 newhostkey
-rwxr-xr-x 1 root root 1874 Dec 17 23:58 newhostkey.old
-rwxr-xr-x 1 root root 106008 Dec 17 23:59 pf_key
-rwxr-xr-x 1 root root 106008 Dec 17 23:58 pf_key.old
-rwxr-xr-x 1 root root 1549759 Dec 17 23:59 pluto
-rwxr-xr-x 1 root root 1549759 Dec 17 23:58 pluto.old
-rwxr-xr-x 1 root root 22956 Dec 17 23:59 ranbits
-rwxr-xr-x 1 root root 22956 Dec 17 23:58 ranbits.old
-rwxr-xr-x 1 root root 50143 Dec 17 23:59 rsasigkey
-rwxr-xr-x 1 root root 50143 Dec 17 23:58 rsasigkey.old
-rwxr-xr-x 1 root root 766 Dec 17 23:59 secrets
-rwxr-xr-x 1 root root 766 Dec 17 23:58 secrets.old
-rwxr-xr-x 1 root root 17602 Dec 17 23:59 send-pr
-rwxr-xr-x 1 root root 17602 Dec 17 23:58 send-pr.old
lrwxrwxrwx 1 root root 22 Dec 17 23:59 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Dec 17 23:59 showdefaults
-rwxr-xr-x 1 root root 1048 Dec 17 23:58 showdefaults.old
-rwxr-xr-x 1 root root 4748 Dec 17 23:59 showhostkey
-rwxr-xr-x 1 root root 4748 Dec 17 23:58 showhostkey.old
-rwxr-xr-x 1 root root 297467 Dec 17 23:59 spi
-rwxr-xr-x 1 root root 297467 Dec 17 23:58 spi.old
-rwxr-xr-x 1 root root 151445 Dec 17 23:59 spigrp
-rwxr-xr-x 1 root root 151445 Dec 17 23:58 spigrp.old
-rwxr-xr-x 1 root root 25036 Dec 17 23:59 tncfg
-rwxr-xr-x 1 root root 25036 Dec 17 23:58 tncfg.old
-rwxr-xr-x 1 root root 10201 Dec 17 23:59 verify
-rwxr-xr-x 1 root root 10201 Dec 17 23:58 verify.old
-rwxr-xr-x 1 root root 114495 Dec 17 23:59 whack
-rwxr-xr-x 1 root root 114495 Dec 17 23:58 whack.old
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes
packets errs drop fifo colls carrier compressed
lo:27432750 156803 0 0 0 0 0 0 27432750
156803 0 0 0 0 0 0
eth0:84393853 603029 0 0 0 0 0 0 359208502
749657 0 0 0 0 0 0
eth1:362385881 839821 0 0 0 0 0 0 175864049
788463 0 0 0 0 0 0
sit0: 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask
MTU Window IRTT
eth1 0008D83E 00000000 0001 0 0 0
00FFFFFF 0 0 0
eth1 0001A8C0 0108D83E 0003 0 0 0
00FFFFFF 0 0 0
eth0 0000A8C0 00000000 0001 0 0 0
00FFFFFF 0 0 0
eth1 0001A80A 0108D83E 0002 0 0 0
00FFFFFF 0 0 0
eth0 0000A80A 00000000 0001 0 0 0
00FFFFFF 0 0 0
eth0 0000FEA9 00000000 0001 0 0 0
0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0
000000FF 0 0 0
eth1 00000000 0108D83E 0003 0 0 0
00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter
lo/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
lo/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux mail 2.6.8-24.5-default #1 Wed Nov 17 11:10:06 UTC 2004 i686 i686 i386
GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.8-24.5-default) support detected '
native PFKEY (2.6.8-24.5-default) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/local/libexec/ipsec/barf: line 294: no old-style linux 1.x/2.0 ipfwadm
firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm_user 15492 0 - Live 0xe0ac9000
xfrm4_tunnel 4100 0 - Live 0xe0af4000
af_key 32400 0 - Live 0xe0b04000
vfat 13056 0 - Live 0xe0aff000
fat 43168 1 vfat, Live 0xe0b6e000
udf 84612 0 - Live 0xe0b89000
ipt_mark 1792 2 - Live 0xe0ac7000
ipt_multiport 2176 0 - Live 0xe0a9d000
ipt_MARK 2176 1 - Live 0xe0aa1000
ipcomp 7944 0 - Live 0xe0ab6000
ah4 6656 0 - Live 0xe09fb000
esp4 8320 2 - Live 0xe0b0d000
deflate 3840 0 - Live 0xe0a99000
zlib_deflate 22680 1 deflate, Live 0xe0b41000
twofish 42624 0 - Live 0xe0b49000
serpent 17280 0 - Live 0xe0ada000
aes_i586 39540 0 - Live 0xe0b2f000
blowfish 10752 0 - Live 0xe0ad6000
sha256 10112 0 - Live 0xe0ad2000
sha1 9984 0 - Live 0xe0ace000
crypto_null 2432 0 - Live 0xe0a7f000
nfsd 106824 5 - Live 0xe0b13000
exportfs 5632 1 nfsd, Live 0xe0ab9000
usbserial 26856 0 - Live 0xe0aec000
parport_pc 37824 0 - Live 0xe0ae1000
lp 10536 0 - Live 0xe0a18000
parport 37960 2 parport_pc,lp, Live 0xe0aa7000
nvram 8328 0 - Live 0xe0aa3000
speedstep_lib 4228 0 - Live 0xe0ab3000
freq_table 4356 0 - Live 0xe0a92000
processor 25640 0 - Live 0xe0abc000
ipt_TOS 2560 28 - Live 0xe0a90000
ipt_TCPMSS 4480 2 - Live 0xe0a8d000
ipt_MASQUERADE 3840 1 - Live 0xe0a95000
ip6t_LOG 6656 44 - Live 0xe0a81000
ip6t_limit 2432 44 - Live 0xe0a97000
ipt_LOG 6912 108 - Live 0xe09f5000
ipt_limit 2432 108 - Live 0xe0a8b000
ipt_policy 3328 0 - Live 0xe0a16000
ipt_pkttype 1792 2 - Live 0xe0a6f000
af_packet 20872 2 - Live 0xe0a84000
edd 10012 0 - Live 0xe0a1c000
ip6t_state 2048 31 - Live 0xe0a6d000
ip6_conntrack 38404 1 ip6t_state, Live 0xe0a71000
ipt_state 2176 106 - Live 0xe0a20000
ip6t_REJECT 7552 3 - Live 0xe0a61000
ipt_REJECT 6784 3 - Live 0xe0a5e000
iptable_mangle 2944 1 - Live 0xe09de000
iptable_filter 3072 1 - Live 0xe09e0000
ip6table_mangle 2688 0 - Live 0xe080f000
ip_nat_ftp 5232 0 - Live 0xe09f8000
iptable_nat 23980 3 ipt_MASQUERADE,ip_nat_ftp, Live 0xe09fe000
ip_conntrack_ftp 72624 1 ip_nat_ftp, Live 0xe09e2000
ip_conntrack 43512 5
ipt_MASQUERADE,ipt_state,ip_nat_ftp,iptable_nat,ip_conntrack_ftp, Live
0xe0973000
ip_tables 17664 15
ipt_mark,ipt_multiport,ipt_MARK,ipt_TOS,ipt_TCPMSS,ipt_MASQUERADE,ipt_LOG,ip
t_limit,ipt_policy,ipt_pkttype,ipt_state,ipt_REJECT,iptable_mangle,iptable_f
ilter,iptable_nat, Live 0xe096d000
ip6table_filter 2816 1 - Live 0xe0931000
ip6_tables 18816 6
ip6t_LOG,ip6t_limit,ip6t_state,ip6t_REJECT,ip6table_mangle,ip6table_filter,
Live 0xe0967000
ipv6 237312 42 ip6_conntrack,ip6t_REJECT, Live 0xe0a23000
joydev 9664 0 - Live 0xe081e000
sg 35872 0 - Live 0xe095d000
st 37404 0 - Live 0xe0952000
sd_mod 16912 0 - Live 0xe08fa000
sr_mod 16292 0 - Live 0xe0910000
scsi_mod 111052 4 sg,st,sd_mod,sr_mod, Live 0xe09c1000
ide_cd 38176 0 - Live 0xe0947000
cdrom 36508 2 sr_mod,ide_cd, Live 0xe093d000
intel_agp 21024 1 - Live 0xe0909000
agpgart 32168 1 intel_agp, Live 0xe0900000
uhci_hcd 29712 0 - Live 0xe084c000
subfs 7552 2 - Live 0xe0815000
evdev 8960 0 - Live 0xe0811000
dm_mod 54524 0 - Live 0xe083d000
usbcore 106724 4 usbserial,uhci_hcd, Live 0xe0915000
3c59x 37544 0 - Live 0xe0832000
ext3 115688 1 - Live 0xe0855000
jbd 61348 1 ext3, Live 0xe0822000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 515668 kB
MemFree: 132484 kB
Buffers: 8976 kB
Cached: 120908 kB
SwapCached: 21304 kB
Active: 312872 kB
Inactive: 37952 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515668 kB
LowFree: 132484 kB
SwapTotal: 1048784 kB
SwapFree: 1002620 kB
Dirty: 1164 kB
Writeback: 0 kB
Mapped: 231796 kB
Slab: 20288 kB
Committed_AS: 588348 kB
PageTables: 6528 kB
VmallocTotal: 507896 kB
VmallocUsed: 3544 kB
VmallocChunk: 504124 kB
HugePages_Total: 0
HugePages_Free: 0
Hugepagesize: 4096 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
+ zcat /proc/config.gz
+ egrep 'CONFIG_IPSEC|CONFIG_KLIPS|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
CONFIG_IP_VS=m
# CONFIG_IP_VS_DEBUG is not set
CONFIG_IP_VS_TAB_BITS=12
CONFIG_IP_VS_PROTO_TCP=y
CONFIG_IP_VS_PROTO_UDP=y
CONFIG_IP_VS_PROTO_ESP=y
CONFIG_IP_VS_PROTO_AH=y
CONFIG_IP_VS_RR=m
CONFIG_IP_VS_WRR=m
CONFIG_IP_VS_LC=m
CONFIG_IP_VS_WLC=m
CONFIG_IP_VS_LBLC=m
CONFIG_IP_VS_LBLCR=m
CONFIG_IP_VS_DH=m
CONFIG_IP_VS_SH=m
CONFIG_IP_VS_SED=m
CONFIG_IP_VS_NQ=m
CONFIG_IP_VS_FTP=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_NDISC_NEW=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_TUNNEL=m
CONFIG_IPV6_TUNNEL=m
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_POLICY=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
CONFIG_IP_NF_MATCH_SCTP=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP6_NF_FTP=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_LIMIT=m
CONFIG_IP6_NF_MATCH_MAC=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_MULTIPORT=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_POLICY=m
CONFIG_IP6_NF_MATCH_MARK=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AHESP=m
CONFIG_IP6_NF_MATCH_LENGTH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_CONNTRACK=m
CONFIG_IP6_NF_MATCH_STATE=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_MARK=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP_SCTP=m
CONFIG_IPX=m
# CONFIG_IPX_INTERN is not set
CONFIG_IPDDP=m
CONFIG_IPDDP_ENCAP=y
CONFIG_IPDDP_DECAP=y
CONFIG_IPPP_FILTER=y
CONFIG_IPMI_HANDLER=m
CONFIG_IPMI_PANIC_EVENT=y
CONFIG_IPMI_PANIC_STRING=y
CONFIG_IPMI_DEVICE_INTERFACE=m
CONFIG_IPMI_SI=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# /etc/syslog.conf - Configuration file for syslogd(8)
#
# For info about the format of this file, see "man syslog.conf".
#
#
#
# print most on tty10 and on the xconsole pipe
#
kern.warning;*.err;authpriv.none /dev/tty10
kern.warning;*.err;authpriv.none |/dev/xconsole
*.emerg *
# enable this if you want root to be informed
# immediately, e.g. of logins
#*.alert root
#
# all email-messages in one file
#
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
#
# all news-messages
#
# these files are rotated and examined by "news.daily"
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all
#
# Warnings in one file
#
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
#
# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 192.168.0.100
nameserver 62.216.31.50
nameserver 62.216.31.60
search local vrisned.com
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 24
drwxr-xr-x 3 root root 4096 Oct 21 07:24 2.6.5-7.108-default
drwxr-xr-x 3 root root 4096 Nov 17 21:48 scripts
drwxr-xr-x 2 root root 4096 Nov 17 21:48 2.6.8-override-default
drwxr-xr-x 3 root root 4096 Dec 15 17:12 precompiled
drwxr-xr-x 4 root root 4096 Dec 15 17:13 2.6.8-24-default
drwxr-xr-x 4 root root 4096 Dec 17 14:17 2.6.8-24.5-default
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c0295160 T netif_rx
c0295160 U netif_rx [ipv6]
c0295160 U netif_rx [3c59x]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.5-7.108-default:
2.6.8-24-default:
2.6.8-24.5-default:
2.6.8-override-default:
precompiled:
scripts:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '179,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ case "$1" in
+ cat
Dec 19 21:45:59 mail ipsec_setup: Starting Openswan IPsec
U2.3.0dr4/K2.6.8-24.5-default...
Dec 19 21:46:00 mail pluto[24005]: added connection description "net-to-net"
Dec 19 21:46:00 mail pluto[24005]: listening for IKE messages
Dec 19 21:46:00 mail pluto[24005]: adding interface eth1/eth1 XX.XX.XX.XX
Dec 19 21:46:00 mail pluto[24005]: adding interface eth0:1/eth0:1
10.168.0.100
Dec 19 21:46:00 mail pluto[24005]: adding interface eth0/eth0 192.168.0.100
Dec 19 21:46:00 mail pluto[24005]: adding interface lo/lo 127.0.0.1
Dec 19 21:46:00 mail pluto[24005]: adding interface lo/lo ::1
Dec 19 21:46:00 mail pluto[24005]: loading secrets from "/etc/ipsec.secrets"
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: initiating Main Mode
Dec 19 21:46:00 mail ipsec__plutorun: 104 "net-to-net" #1: STATE_MAIN_I1:
initiate
Dec 19 21:46:00 mail ipsec__plutorun: ...could not start conn "net-to-net"
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: I did not send a
certificate because I do not have one.
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: Peer ID is ID_FQDN:
'@linux'
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: ISAKMP SA established
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Dec 19 21:46:01 mail pluto[24005]: "net-to-net" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 19 21:46:01 mail pluto[24005]: "net-to-net" #2: sent QI2, IPsec SA
established {ESP=>0x6f85cb80 <0xc38d4a0e}
Dec 19 21:46:14 mail pluto[24005]: "net-to-net" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x0a3d2b36) not found (maybe expired)
Dec 19 21:46:14 mail pluto[24005]: "net-to-net" #1: received and ignored
informational message
+ _________________________ plog
+ sed -n '167,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Dec 19 21:45:59 mail ipsec__plutorun: Starting Pluto subsystem...
Dec 19 21:45:59 mail pluto[24005]: Starting Pluto (Openswan Version 2.2.0
X.509-1.5.4 PLUTO_USES_KEYRR)
Dec 19 21:45:59 mail pluto[24005]: including NAT-Traversal patch (Version
0.6c) [disabled]
Dec 19 21:45:59 mail pluto[24005]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Dec 19 21:45:59 mail pluto[24005]: Using Linux 2.6 IPsec interface code
Dec 19 21:45:59 mail pluto[24005]: Changing to directory
'/etc/ipsec.d/cacerts'
Dec 19 21:45:59 mail pluto[24005]: loaded CA cert file 'cacert.pem' (1237
bytes)
Dec 19 21:45:59 mail pluto[24005]: Changing to directory
'/etc/ipsec.d/aacerts'
Dec 19 21:45:59 mail pluto[24005]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Dec 19 21:45:59 mail pluto[24005]: Changing to directory '/etc/ipsec.d/crls'
Dec 19 21:45:59 mail pluto[24005]: Warning: empty directory
Dec 19 21:46:00 mail pluto[24005]: added connection description "net-to-net"
Dec 19 21:46:00 mail pluto[24005]: listening for IKE messages
Dec 19 21:46:00 mail pluto[24005]: adding interface eth1/eth1 XX.XX.XX.XX
Dec 19 21:46:00 mail pluto[24005]: adding interface eth0:1/eth0:1
10.168.0.100
Dec 19 21:46:00 mail pluto[24005]: adding interface eth0/eth0 192.168.0.100
Dec 19 21:46:00 mail pluto[24005]: adding interface lo/lo 127.0.0.1
Dec 19 21:46:00 mail pluto[24005]: adding interface lo/lo ::1
Dec 19 21:46:00 mail pluto[24005]: loading secrets from "/etc/ipsec.secrets"
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: initiating Main Mode
Dec 19 21:46:00 mail ipsec__plutorun: 104 "net-to-net" #1: STATE_MAIN_I1:
initiate
Dec 19 21:46:00 mail ipsec__plutorun: ...could not start conn "net-to-net"
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: I did not send a
certificate because I do not have one.
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: Peer ID is ID_FQDN:
'@linux'
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #1: ISAKMP SA established
Dec 19 21:46:00 mail pluto[24005]: "net-to-net" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Dec 19 21:46:01 mail pluto[24005]: "net-to-net" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 19 21:46:01 mail pluto[24005]: "net-to-net" #2: sent QI2, IPsec SA
established {ESP=>0x6f85cb80 <0xc38d4a0e}
Dec 19 21:46:14 mail pluto[24005]: "net-to-net" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x0a3d2b36) not found (maybe expired)
Dec 19 21:46:14 mail pluto[24005]: "net-to-net" #1: received and ignored
informational message
+ _________________________ date
+ date
Sun Dec 19 21:50:14 CET 2004
IPTABLES -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state
RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_int all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_ext all -- anywhere anywhere
forward_int all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.1.0/24 MARK match 0x1
ACCEPT all -- anywhere 192.168.1.0/24 MARK match 0x1
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp time-exceeded LOG level warning tcp-options ip-options
prefix `SFW2-OUT-TRACERT-ATTEMPT '
ACCEPT icmp -- anywhere anywhere icmp
time-exceeded
ACCEPT icmp -- anywhere anywhere icmp
port-unreachable
ACCEPT icmp -- anywhere anywhere icmp
fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp
network-prohibited
ACCEPT icmp -- anywhere anywhere icmp
host-prohibited
ACCEPT icmp -- anywhere anywhere icmp
communication-prohibited
DROP icmp -- anywhere anywhere icmp
destination-unreachable
ACCEPT all -- anywhere anywhere state
NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-OUT-ERROR '
Chain forward_dmz (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW icmp
echo-request
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix
`SFW2-FWDdmz-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere state RELATED
icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 192.168.0.0/24 state
RELATED,ESTABLISHED
LOG tcp -- anywhere woonkamer limit: avg
3/min burst 5 tcp dpt:4662 state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere woonkamer tcp dpt:4662
LOG tcp -- anywhere woonkamer limit: avg
3/min burst 5 tcp dpt:6881 state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- anywhere woonkamer tcp dpt:6881
LOG udp -- anywhere woonkamer limit: avg
3/min burst 5 udp dpt:rfa state NEW LOG level warning tcp-options ip-options
prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT udp -- anywhere woonkamer udp dpt:rfa
LOG tcp -- pp.pp.pp.pp.adsl.xs4all.nl woonkamer limit:
avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- pp.pp.pp.pp.adsl.xs4all.nl woonkamer tcp
dpt:http
LOG tcp -- xx.xx.xx.xx woonkamer limit: avg 3/min burst
5 tcp dpt:http state NEW LOG level warning tcp-options ip-options prefix
`SFW2-FWDdmz-ACC-REVMASQ '
ACCEPT tcp -- xx.xx.xx.xx woonkamer tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options
ip-options prefix `SFW2-FWDdmz-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options
prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix
`SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options
prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp timestamp-request LOG level warning tcp-options
ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp address-mask-request LOG level warning tcp-options
ip-options prefix `SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix
`SFW2-FWDdmz-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-FWDdmz-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state
ESTABLISHED icmp echo-reply
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix
`SFW2-FWDext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere state RELATED
icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 192.168.0.0/24 state
RELATED,ESTABLISHED
LOG tcp -- anywhere woonkamer limit: avg
3/min burst 5 tcp dpt:4662 state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere woonkamer tcp dpt:4662
LOG tcp -- anywhere woonkamer limit: avg
3/min burst 5 tcp dpt:6881 state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- anywhere woonkamer tcp dpt:6881
LOG udp -- anywhere woonkamer limit: avg
3/min burst 5 udp dpt:rfa state NEW LOG level warning tcp-options ip-options
prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT udp -- anywhere woonkamer udp dpt:rfa
LOG tcp -- pp.pp.pp.pp.adsl.xs4all.nl woonkamer limit:
avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- pp.pp.pp.pp.adsl.xs4all.nl woonkamer tcp
dpt:http
LOG tcp -- xx.xx.xx.xx woonkamer limit: avg 3/min burst
5 tcp dpt:http state NEW LOG level warning tcp-options ip-options prefix
`SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp -- xx.xx.xx.xx woonkamer tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options
ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options
prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix
`SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options
prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp timestamp-request LOG level warning tcp-options
ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp address-mask-request LOG level warning tcp-options
ip-options prefix `SFW2-FWDext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix
`SFW2-FWDext-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-FWDext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state NEW icmp
echo-request
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix
`SFW2-FWDint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
ACCEPT icmp -- anywhere anywhere state RELATED
icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 192.168.0.0/24 state
RELATED,ESTABLISHED
LOG tcp -- anywhere woonkamer limit: avg
3/min burst 5 tcp dpt:4662 state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere woonkamer tcp dpt:4662
LOG tcp -- anywhere woonkamer limit: avg
3/min burst 5 tcp dpt:6881 state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- anywhere woonkamer tcp dpt:6881
LOG udp -- anywhere woonkamer limit: avg
3/min burst 5 udp dpt:rfa state NEW LOG level warning tcp-options ip-options
prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT udp -- anywhere woonkamer udp dpt:rfa
LOG tcp -- pp.pp.pp.pp.adsl.xs4all.nl woonkamer limit:
avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options
ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- pp.pp.pp.pp.adsl.xs4all.nl woonkamer tcp
dpt:http
LOG tcp -- xx.xx.xx.xx woonkamer limit: avg 3/min burst
5 tcp dpt:http state NEW LOG level warning tcp-options ip-options prefix
`SFW2-FWDint-ACC-REVMASQ '
ACCEPT tcp -- xx.xx.xx.xx woonkamer tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options
ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options
prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix
`SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options
prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp timestamp-request LOG level warning tcp-options
ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp address-mask-request LOG level warning tcp-options
ip-options prefix `SFW2-FWDint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix
`SFW2-FWDint-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-FWDint-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_dmz (0 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
ACCEPT icmp -- anywhere anywhere icmp
source-quench
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- 10.7.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-ACC-TRUST '
ACCEPT tcp -- 10.7.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG udp -- 10.8.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-ACC-TRUST '
ACCEPT udp -- 10.8.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG icmp -- 10.8.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-ACC-TRUST '
ACCEPT icmp -- 10.8.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG tcp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-ACC-TRUST '
ACCEPT tcp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG udp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-ACC-TRUST '
ACCEPT udp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG icmp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-ACC-TRUST '
ACCEPT icmp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INdmz-ACC-HiTCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:1024:65535
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 state NEW udp dpts:1024:65535 LOG level warning tcp-options
ip-options prefix `SFW2-INdmz-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp
dpts:1024:65535
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options
ip-options prefix `SFW2-INdmz-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options
prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options
prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp timestamp-request LOG level warning tcp-options
ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp address-mask-request LOG level warning tcp-options
ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-INdmz-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_ext (1 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE =
broadcast
ACCEPT icmp -- anywhere anywhere icmp
source-quench
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix
`SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- 10.7.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INext-ACC-TRUST '
ACCEPT tcp -- 10.7.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG udp -- 10.8.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INext-ACC-TRUST '
ACCEPT udp -- 10.8.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG icmp -- 10.8.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INext-ACC-TRUST '
ACCEPT icmp -- 10.8.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG tcp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INext-ACC-TRUST '
ACCEPT tcp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG udp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INext-ACC-TRUST '
ACCEPT udp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG icmp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INext-ACC-TRUST '
ACCEPT icmp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:ftp-data:ssh flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:ftp-data:ssh
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:re-mail-ck:domain flags:SYN,RST,ACK/SYN LOG level
warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:re-mail-ck:domain
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:http:hosts2-ns flags:SYN,RST,ACK/SYN LOG level
warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:http:hosts2-ns
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:pop3 flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:imap flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:isakmp flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:isakmp
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:pptp flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:pptp
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:hbci:6000 flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:hbci:6000
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:ndmp flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
reject_func tcp -- anywhere anywhere tcp dpt:ident
state NEW
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INext-ACC-HiTCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:1024:65535
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:rmpp
ACCEPT udp -- anywhere anywhere udp dpt:1194
ACCEPT udp -- anywhere anywhere udp
dpts:terabase:6000
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 state NEW udp dpts:1024:65535 LOG level warning tcp-options
ip-options prefix `SFW2-INext-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp
dpts:1024:65535
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options
ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options
prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix
`SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options
prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp timestamp-request LOG level warning tcp-options
ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp address-mask-request LOG level warning tcp-options
ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix
`SFW2-INext-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
source-quench
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state
RELATED,ESTABLISHED icmp address-mask-reply
LOG all -- anywhere anywhere limit: avg
3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix
`SFW2-INint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere state INVALID
LOG tcp -- 10.7.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INint-ACC-TRUST '
ACCEPT tcp -- 10.7.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG udp -- 10.8.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INint-ACC-TRUST '
ACCEPT udp -- 10.8.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG icmp -- 10.8.0.0/16 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INint-ACC-TRUST '
ACCEPT icmp -- 10.8.0.0/16 anywhere state
NEW,RELATED,ESTABLISHED
LOG tcp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INint-ACC-TRUST '
ACCEPT tcp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG udp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INint-ACC-TRUST '
ACCEPT udp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
LOG icmp -- 192.168.0.0/24 anywhere limit: avg
3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix
`SFW2-INint-ACC-TRUST '
ACCEPT icmp -- 192.168.0.0/24 anywhere state
NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpt:isakmp flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INint-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:isakmp
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning
tcp-options ip-options prefix `SFW2-INint-ACC-HiTCP '
ACCEPT tcp -- anywhere anywhere tcp
dpts:1024:65535
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:rmpp
ACCEPT udp -- anywhere anywhere udp
dpt:commplex-main
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 state NEW udp dpts:1024:65535 LOG level warning tcp-options
ip-options prefix `SFW2-INint-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp
dpts:1024:65535
LOG tcp -- anywhere anywhere limit: avg
3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options
ip-options prefix `SFW2-INint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options
prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix
`SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options
prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp timestamp-request LOG level warning tcp-options
ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp address-mask-request LOG level warning tcp-options
ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere limit: avg
3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix
`SFW2-INint-DROP-ICMP-CRIT '
LOG udp -- anywhere anywhere limit: avg
3/min burst 5 LOG level warning tcp-options ip-options prefix
`SFW2-INint-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-proto-unreachable