[Openswan Users] OpenS/WAN <-> freeS/WAN failure - routing problem?
Itai Tavor
itai at iinet.net.au
Thu Nov 11 21:19:48 CET 2004
Hi,
I used to run a tunnel between my home ADSL gateway (right) to an
office gateway (left). Both machines ran FC1 and FreeS/WAN 2.0.4. Then
I upgraded the home gateway to FC2, kernel 2.6.10-rc1 and OpenS/WAN
2.2.0, and now nothing works. The tunnel comes up fine but no
connections are possible in either direction. To my inexperienced eyes
it looks like a routing problem... if I do "right# route add -net
10.0.2.0 netmask 255.255.255.0 gw 10.0.1.1" I can ping left from right,
but not much else, and I can't get from left to right no matter what I
do. Can anyone please have a look and tell me what I'm doing wrong?
Both barfs attached, right first.
TIA, Itai
amber
Thu Nov 11 21:12:44 EST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.10-rc1 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.10-rc1 (root at amber) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #7 Wed Nov 3 18:52:07 EST 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
203.55.229.88   0.0.0.0         255.255.255.255 UH      0 0        0 ppp0
10.0.1.0        0.0.0.0         255.255.255.0   U       0 0        0 br0
10.0.2.0        210.229.239.65  255.255.255.0   UG      0 0        0 ppp0
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U       0 0        0 ppp0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
210.229.239.65 203.217.34.219
esp mode=tunnel spi=17853040(0x01106a70) reqid=16385(0x00004001)
E: 3des-cbc 2245a365 a99b540c e0b9f21f 079a03ef 7d393ca4
d9403179
A: hmac-md5 fd8d914f 9973186a e4c0ae9e 6fe36980
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Nov 11 21:12:30 2004 current: Nov 11 21:12:44 2004
diff: 14(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=3736 refcnt=0
203.217.34.219 210.229.239.65
esp mode=tunnel spi=2776556976(0xa57ee5b0)
reqid=16385(0x00004001)
E: 3des-cbc ecb074f5 bea799bc c74258b7 7b8f660b a402a5dd
c23f3de3
A: hmac-md5 3b64b07c 51e11567 1454dec4 1e379262
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Nov 11 21:12:30 2004 current: Nov 11 21:12:44 2004
diff: 14(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=3736 refcnt=0
+ _________________________ setkey-D-P
+ setkey -D -P
10.0.2.0/24[any] 10.0.1.0/24[any] any
in ipsec
esp/tunnel/210.229.239.65-203.217.34.219/unique#16385
created: Nov 11 21:12:30 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=136 seq=8 pid=3737
refcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] any
out ipsec
esp/tunnel/203.217.34.219-210.229.239.65/unique#16385
created: Nov 11 21:12:30 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=153 seq=7 pid=3737
refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
fwd ipsec
esp/tunnel/210.229.239.65-203.217.34.219/unique#16385
created: Nov 11 21:12:30 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=146 seq=6 pid=3737
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 11 21:12:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=123 seq=5 pid=3737
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 11 21:12:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=107 seq=4 pid=3737
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 11 21:12:06 2004 lastused: Nov 11 21:12:30 2004
lifetime: 0(s) validtime: 0(s)
spid=91 seq=3 pid=3737
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 11 21:12:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=132 seq=2 pid=3737
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 11 21:12:06 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=116 seq=1 pid=3737
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 11 21:12:06 2004 lastused: Nov 11 21:12:30 2004
lifetime: 0(s) validtime: 0(s)
spid=100 seq=0 pid=3737
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface br0/br0 10.0.1.1
000 interface ppp0/ppp0 203.217.34.219
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,336} attrs={0,4,224}
000
000 "Tir-Na-Nogth-IM": 10.0.1.0/24===203.217.34.219[@amber.tir-na-nogth.net]...154.33.4.102---210.229.239.65[@edo.insentiv.co.jp]===10.0.2.0/24; erouted; eroute owner: #2
000 "Tir-Na-Nogth-IM": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Tir-Na-Nogth-IM": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Tir-Na-Nogth-IM": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Tir-Na-Nogth-IM": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Tir-Na-Nogth-IM": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "Tir-Na-Nogth-IM": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "Tir-Na-Nogth-IM" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27832s; newest IPSEC; eroute owner
000 #2: "Tir-Na-Nogth-IM" esp.a57ee5b0 at 210.229.239.65 esp.1106a70 at 203.217.34.219 tun.0 at 210.229.239.65 tun.0 at 203.217.34.219
000 #1: "Tir-Na-Nogth-IM" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2624s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
br0 Link encap:Ethernet HWaddr 00:0E:A6:A1:3B:A3
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20284788 errors:0 dropped:0 overruns:0 frame:0
TX packets:38970143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3140422675 (2994.9 Mb) TX bytes:1388786295 (1324.4 Mb)
eth0 Link encap:Ethernet HWaddr 00:0E:A6:A1:3B:A3
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20405909 errors:0 dropped:63 overruns:0 frame:0
TX packets:38410804 errors:170 dropped:0 overruns:0 carrier:169
collisions:6609649 txqueuelen:1000
RX bytes:3467946702 (3307.2 Mb) TX bytes:1350246623 (1287.6 Mb)
Interrupt:9 Base address:0xe000
eth1 Link encap:Ethernet HWaddr 00:02:44:47:8C:09
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15334449 errors:8 dropped:0 overruns:0 frame:0
TX packets:13354204 errors:0 dropped:0 overruns:0 carrier:0
collisions:43396 txqueuelen:1000
RX bytes:1754140827 (1672.8 Mb) TX bytes:2681495127 (2557.2 Mb)
Interrupt:11 Base address:0xd800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:15096 errors:0 dropped:0 overruns:0 frame:0
TX packets:15096 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1946922 (1.8 Mb) TX bytes:1946922 (1.8 Mb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:203.217.34.219 P-t-P:203.55.229.88 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:226399 errors:0 dropped:0 overruns:0 frame:0
TX packets:196868 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:74572984 (71.1 Mb) TX bytes:36763748 (35.0 Mb)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path
[OK]
Linux Openswan U2.2.0/K2.6.10-rc1 (native)
Checking for IPsec support in kernel
[OK]
Checking for RSA private key (/etc/ipsec.secrets)
[OK]
Checking that pluto is running
[OK]
Two or more interfaces found, checking IP forwarding
[OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command
[OK]
Checking for 'iptables' command
[OK]
Checking for 'setkey' command for native IPsec stack support
[OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: amber
[MISSING]
Does the machine have at least one non-private address?
[OK]
Looking for TXT in reverse dns zone: 219.34.217.203.in-addr.arpa.
[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-HD, link ok
product info: vendor 00:00:20, model 32 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-HD 10baseT-HD
eth1: autonegotiation failed, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
amber.tir-na-nogth.net
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.1.1
+ _________________________ uptime
+ uptime
21:12:46 up 4 days, 3:36, 1 user, load average: 1.61, 1.50, 2.18
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME
COMMAND
4 0 3717 3197 17 0 4084 960 wait S pts/2 0:00
\_ /bin/sh /usr/libexec/ipsec/barf
4 0 3805 3717 17 0 1508 396 pipe_w S pts/2 0:00
\_ egrep -i ppid|pluto|ipsec|klips
5 0 3572 1 20 0 2056 1032 wait S pts/2 0:00
/bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal --keep_alive
--force_keepalive --disable_port_floating --virtual_private
--crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no
--pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 3573 3572 20 0 2056 1044 wait S pts/2 0:00 \_
/bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes
--nocrsend --strictcrlpolicy --nat_traversal --keep_alive
--force_keepalive --disable_port_floating --virtual_private
--crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no
--pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 3574 3573 15 0 2308 1040 - S pts/2 0:00 |
\_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-none --uniqueids
4 0 3609 3574 21 0 1320 192 - S pts/2 0:00 |
\_ _pluto_adns
4 0 3575 3572 16 0 2056 1020 pipe_w S pts/2 0:00 \_
/bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 3576 1 20 0 1380 288 pipe_w S pts/2 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routevirt=ipsec0
routeaddr=203.217.34.219
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - OpenS/WAN IPsec configuration file
#
# amber.tir-na-nogth.net
#
version 2.0 # conforms to second version of ipsec.conf specification
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
#forwardcontrol=yes
uniqueids=yes
conn %default
keyingtries=3
#
# Tir-Na-Nog'th to Insentiv Media tunnel
#
# Left: IM Right: Tir-Na-Nog'th
#
conn Tir-Na-Nogth-IM
right=%defaultroute
rightsubnet=10.0.1.0/24
#rightupdown=/usr/lib/ipsec/_updown_imgfx
#
left=210.229.239.65
leftsubnet=10.0.2.0/24
leftnexthop=154.33.4.102
#
auto=add
authby=rsasig
rightid=@amber.tir-na-nogth.net
leftid=@edo.insentiv.co.jp
rightrsasigkey=[keyid AQN54+9zf]
leftrsasigkey=[keyid AQOrd0max]
#
#Disable Opportunistic Encryption
#
#< /etc/ipsec.d/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 44
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits amber.tir-na-nogth.net Fri Sep 24 10:51:07 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQN/IxlHw]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Nov 11 21:12:06 2004, 2192 RSA Key AQN54+9zf, until --- -- --:--:--
---- ok (expires never)
000 ID_FQDN '@amber.tir-na-nogth.net'
000 Nov 11 21:12:06 2004, 2192 RSA Key AQOrd0max, until --- -- --:--:--
---- ok (expires never)
000 ID_FQDN '@edo.insentiv.co.jp'
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates
IPSEC,
# using encryption. This behaviour is also called "Opportunistic
Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear
otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 140
-rwxr-xr-x 1 root root 15403 Sep 17 01:40 _confread
-rwxr-xr-x 1 root root 47492 Sep 17 01:40 _copyright
-rwxr-xr-x 1 root root 2379 Sep 17 01:40 _include
-rwxr-xr-x 1 root root 1475 Sep 17 01:40 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 17 01:40 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 17 01:40 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 17 01:40 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 17 01:40 _secretcensor
-rwxr-xr-x 1 root root 9016 Sep 17 01:40 _startklips
-rwxr-xr-x 1 root root 12313 Sep 17 01:40 _updown
-rwxr-xr-x 1 root root 7572 Sep 17 01:40 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 17 01:40 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 5096
-rwxr-xr-x 1 root root 70814 Sep 17 01:40 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 17 01:40 auto
-rwxr-xr-x 1 root root 10248 Sep 17 01:40 barf
-rwxr-xr-x 1 root root 816 Sep 17 01:40 calcgoo
-rwxr-xr-x 1 root root 311083 Sep 17 01:40 eroute
-rwxr-xr-x 1 root root 182519 Sep 17 01:40 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 17 01:40 look
-rwxr-xr-x 1 root root 7124 Sep 17 01:40 mailkey
-rwxr-xr-x 1 root root 16188 Sep 17 01:40 manual
-rwxr-xr-x 1 root root 1874 Sep 17 01:40 newhostkey
-rwxr-xr-x 1 root root 164746 Sep 17 01:40 pf_key
-rwxr-xr-x 1 root root 2656271 Sep 17 01:40 pluto
-rwxr-xr-x 1 root root 55200 Sep 17 01:40 ranbits
-rwxr-xr-x 1 root root 81674 Sep 17 01:40 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 17 01:40 secrets
-rwxr-xr-x 1 root root 17578 Sep 17 01:40 send-pr
lrwxr-xr-x 1 root root 22 Oct 29 09:29 setup ->
/etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 17 01:40 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 17 01:40 showhostkey
-rwxr-xr-x 1 root root 498713 Sep 17 01:40 spi
-rwxr-xr-x 1 root root 250823 Sep 17 01:40 spigrp
-rwxr-xr-x 1 root root 475538 Sep 17 01:40 starter
-rwxr-xr-x 1 root root 50198 Sep 17 01:40 tncfg
-rwxr-xr-x 1 root root 10195 Sep 17 01:40 verify
-rwxr-xr-x 1 root root 228071 Sep 17 01:40 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   1946922   15096    0    0    0     0          0         0    1946922   15096    0    0    0     0       0          0
  eth0:3467961735 20406006    0   63    0     0          0         0 1350308777 38410921  170    0    0 6609649   169          0
   br0:3140436124 20284885    0    0    0     0          0         0 1388848732 38970263    0    0    0     0       0          0
  eth1:1754164667 15334537    8    0    0     0          0         0 2681509755 13354288    0    0    0 43396     0          0
  ppp0:  74594888  226487    0    0    0     0          0         0   36776498  196952    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface  Destination  Gateway   Flags  RefCnt  Use  Metric  Mask      MTU  Window  IRTT
ppp0   58E537CB     00000000  0005   0       0    0       FFFFFFFF  0    0       0
br0    0001000A     00000000  0001   0       0    0       00FFFFFF  0    0       0
ppp0   0002000A     41EFE5D2  0003   0       0    0       00FFFFFF  0    0       0
br0    0000FEA9     00000000  0001   0       0    0       0000FFFF  0    0       0
lo     0000007F     00000000  0001   0       0    0       000000FF  0    0       0
ppp0   00000000     00000000  0001   0       0    0       00000000  0    0       0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter br0/rp_filter default/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
br0/rp_filter:1
default/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux amber 2.6.10-rc1 #7 Wed Nov 3 18:52:07 EST 2004 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.10-rc1) support detected '
native PFKEY (2.6.10-rc1) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 24 packets, 1456 bytes)
pkts bytes target prot opt in out source
destination
15088 1946K ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
37358 2107K DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
97510 40M ppp0_in all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
6813K 757M br0_in all -- br0 * 0.0.0.0/0
0.0.0.0/0
0 0 ipsec0_in all -- ipsec0 * 0.0.0.0/0
0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:INPUT:REJECT:' queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 1 packets, 48 bytes)
pkts bytes target prot opt in out source
destination
49406 2156K DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
2773K 136M TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
15M 5666M ppp0_fwd all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
13M 2374M br0_fwd all -- br0 * 0.0.0.0/0
0.0.0.0/0
0 0 ipsec0_fwd all -- ipsec0 * 0.0.0.0/0
0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:FORWARD:REJECT:' queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
15088 1946K ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
80 4160 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
104K 11M fw2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
24M 34G fw2loc all -- * br0 0.0.0.0/0
0.0.0.0/0
0 0 fw2imvpn all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:OUTPUT:REJECT:' queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain @net2all (2 references)
pkts bytes target prot opt in out source
destination
731K 36M RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 10/sec burst 40
2204 117K DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain all2all (4 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
27859 4310K common all -- * * 0.0.0.0/0
0.0.0.0/0
1964 168K ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:all2all:REJECT:' queue_threshold 1
1964 168K reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain blacklst (2 references)
pkts bytes target prot opt in out source
destination
Chain br0_fwd (1 references)
pkts bytes target prot opt in out source
destination
1155K 57M dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
13M 2374M loc2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * br0 0.0.0.0/0
0.0.0.0/0
0 0 loc2imvpn all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
Chain br0_in (1 references)
pkts bytes target prot opt in out source
destination
46901 5828K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
6813K 757M loc2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source
destination
2714 187K icmpdef icmp -- * * 0.0.0.0/0
0.0.0.0/0
92 48700 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:135
16105 2510K reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:445
4 192 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0
224.0.0.0/4
1 48 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 state NEW
11566 1770K DROP all -- * * 0.0.0.0/0
10.0.1.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source
destination
Chain fw2imvpn (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source
destination
24M 34G ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
27 27468 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.11 state NEW
27859 4310K all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
88544 10M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0
210.229.239.65
0 0 ACCEPT ah -- * * 0.0.0.0/0
210.229.239.65
3 404 ACCEPT udp -- * * 0.0.0.0/0
210.229.239.65 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
4574 294K ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
1347 113K ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
9528 572K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source
destination
Chain imvpn2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22
0 0 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain imvpn2loc (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 all2all all -- * ppp0 0.0.0.0/0
0.0.0.0/0
0 0 imvpn2loc all -- * br0 0.0.0.0/0
0.0.0.0/0
Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 imvpn2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source
destination
6766K 752M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
121 7176 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
16 960 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22
611 36438 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
46153 5783K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2imvpn (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source
destination
12M 2317M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
493 82544 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
1155K 57M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain logdrop (58 references)
pkts bytes target prot opt in out source
destination
529K 26M ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:logdrop:DROP:' queue_threshold 1
529K 26M DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
6915 630K common all -- * * 0.0.0.0/0
0.0.0.0/0
5042 442K ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:net2all:DROP:' queue_threshold 1
5042 442K DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
88102 39M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
3797 205K @net2all tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x16/0x02
1269 224K newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 272 ACCEPT esp -- * * 210.229.239.65
0.0.0.0/0
0 0 ACCEPT ah -- * * 210.229.239.65
0.0.0.0/0
0 0 ACCEPT udp -- * * 210.229.239.65
0.0.0.0/0 udp spt:500 dpt:500 state NEW
71 3796 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
1 60 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.1 state NEW tcp dpt:22
7 4716 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:500
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 8100,8041 state NEW
6915 630K net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source
destination
14M 5587M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
730K 36M @net2all tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x16/0x02
928 195K newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
11 528 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.20 state NEW tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.0.1.20 state NEW udp dpt:4672
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.20 state NEW tcp dpt:4762
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.0.1.20 state NEW udp dpt:4772
728K 36M ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.20 state NEW tcp dpt:4862
347K 17M ACCEPT udp -- * * 0.0.0.0/0
10.0.1.20 state NEW udp dpt:4872
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.60 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.20 state NEW tcp dpts:6881:6889
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.0.1.101 state NEW tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.0.1.20 state NEW udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.0.1.20 state NEW udp dpts:16384:16403
0 0 net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain newnotsyn (12 references)
pkts bytes target prot opt in out source
destination
2838 536K ULOG all -- * * 0.0.0.0/0
0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix
`Shorewall:newnotsyn:DROP:' queue_threshold 1
2838 536K DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source
destination
1606K 79M dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
1606K 79M blacklst all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
1606K 79M rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
15M 5640M net2loc all -- * br0 0.0.0.0/0
0.0.0.0/0
0 0 net2all all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source
destination
7607 815K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
7607 815K blacklst all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
7607 815K rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
97143 40M net2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source
destination
6 300 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
17247 2658K REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
913 69374 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source
destination
0 0 RETURN all -- * * 255.255.255.255
0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 255.255.255.255
0 0 DROP all -- * * 169.254.0.0/16
0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 169.254.0.0/16
0 0 logdrop all -- * * 172.16.0.0/12
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 logdrop all -- * * 192.0.2.0/24
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.0.2.0/24
8 384 logdrop all -- * * 192.168.0.0/16
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 0.0.0.0/7
0 0 logdrop all -- * * 2.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 2.0.0.0/8
0 0 logdrop all -- * * 5.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 5.0.0.0/8
0 0 logdrop all -- * * 7.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 7.0.0.0/8
0 0 logdrop all -- * * 10.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 10.0.0.0/8
0 0 logdrop all -- * * 23.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 23.0.0.0/8
0 0 logdrop all -- * * 27.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 27.0.0.0/8
0 0 logdrop all -- * * 31.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 31.0.0.0/8
0 0 logdrop all -- * * 36.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 36.0.0.0/7
0 0 logdrop all -- * * 39.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 39.0.0.0/8
0 0 logdrop all -- * * 41.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 41.0.0.0/8
0 0 logdrop all -- * * 42.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 42.0.0.0/8
0 0 logdrop all -- * * 49.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 49.0.0.0/8
0 0 logdrop all -- * * 50.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 50.0.0.0/8
1812 88344 logdrop all -- * * 58.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 58.0.0.0/7
12466 608K logdrop all -- * * 70.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 70.0.0.0/7
0 0 logdrop all -- * * 72.0.0.0/5
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 72.0.0.0/5
319K 16M logdrop all -- * * 83.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 83.0.0.0/8
195K 9661K logdrop all -- * * 84.0.0.0/6
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 84.0.0.0/6
0 0 logdrop all -- * * 88.0.0.0/5
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 88.0.0.0/5
0 0 logdrop all -- * * 96.0.0.0/3
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 96.0.0.0/3
0 0 logdrop all -- * * 127.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 127.0.0.0/8
0 0 logdrop all -- * * 197.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 197.0.0.0/8
0 0 logdrop all -- * * 198.18.0.0/15
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 198.18.0.0/15
0 0 logdrop all -- * * 223.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 223.0.0.0/8
0 0 logdrop all -- * * 240.0.0.0/4
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 240.0.0.0/4
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 790K packets, 44M bytes)
pkts bytes target prot opt in out source
destination
1613K 80M net_dnat all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 1090K packets, 54M bytes)
pkts bytes target prot opt in out source
destination
743K 38M ppp0_masq all -- * ppp0 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source
destination
11 528 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4662 to:10.0.1.20
43 2064 DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4672 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4762 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4772 to:10.0.1.20
1253K 62M DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4862 to:10.0.1.20
353K 17M DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4872 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:888 to:10.0.1.60:80
2 120 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:222 to:10.0.1.1:22
0 0 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpts:6881:6889 to:10.0.1.20
5 300 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8888 to:10.0.1.101:80
0 0 DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:16384:16403 to:10.0.1.20
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source
destination
729K 37M MASQUERADE all -- * * 10.0.1.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16
0.0.0.0/0
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 35M packets, 8845M bytes)
pkts bytes target prot opt in out source
destination
35M 8845M pretos all -- * * 0.0.0.0/0
0.0.0.0/0
Chain INPUT (policy ACCEPT 6963K packets, 802M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 28M packets, 8043M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 11M packets, 34G bytes)
pkts bytes target prot opt in out source
destination
11M 34G outtos all -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 52M packets, 42G bytes)
pkts bytes target prot opt in out source
destination
Chain outtos (1 references)
pkts bytes target prot opt in out source
destination
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
35991 9628K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
856 55094 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source
destination
57507 4523K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
4808 1410K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
1517 98211 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
2025 187K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
122 8853 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
135 8778 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
msp3400 26424 0 - Live 0xe0d1a000
saa7115 11224 0 - Live 0xe0d0d000
tuner 19300 0 - Live 0xe0cf7000
tveeprom 10804 0 - Live 0xe0d04000
ivtv 802244 0 - Live 0xe0d2f000
dvb_bt8xx 7236 5 - Live 0xe0a74000
dvb_core 74736 6 dvb_bt8xx, Live 0xe0ab9000
mt352 4996 1 dvb_bt8xx, Live 0xe0a71000
sp887x 7428 1 dvb_bt8xx, Live 0xe0a54000
dst 12040 1 dvb_bt8xx, Live 0xe0a50000
bt878 8696 2 dvb_bt8xx,dst, Live 0xe0a47000
bttv 145488 2 dvb_bt8xx,bt878, Live 0xe0a94000
video_buf 16964 1 bttv, Live 0xe0a41000
firmware_class 7616 3 dvb_bt8xx,sp887x,bttv, Live 0xe0a24000
i2c_algo_bit 8328 2 ivtv,bttv, Live 0xe0a20000
v4l2_common 4864 1 bttv, Live 0xe0a05000
btcx_risc 3720 1 bttv, Live 0xe0a03000
i2c_core 19216 10
msp3400,saa7115,tuner,tveeprom,dvb_bt8xx,mt352,sp887x,dst,bttv,i2c_algo_
bit, Live 0xe0a1a000
videodev 7232 2 ivtv,bttv, Live 0xe09e8000
v4l1_compat 12932 0 - Live 0xe0a15000
nfsd 100616 9 - Live 0xe0a57000
exportfs 4928 1 nfsd, Live 0xe09e5000
lockd 64168 2 nfsd, Live 0xe0a29000
deflate 2688 0 - Live 0xe0929000
zlib_deflate 21080 1 deflate, Live 0xe09fc000
twofish 37120 0 - Live 0xe0a0a000
serpent 13248 0 - Live 0xe09f7000
aes_i586 38452 0 - Live 0xe09ec000
blowfish 8000 0 - Live 0xe09e2000
des 11264 2 - Live 0xe09d2000
sha256 8960 0 - Live 0xe09da000
sha1 8512 0 - Live 0xe09d6000
md5 3648 2 - Live 0xe08fa000
crypto_null 1984 0 - Live 0xe0927000
ipcomp 6472 0 - Live 0xe09c7000
esp4 6720 2 - Live 0xe09c4000
ah4 5312 0 - Live 0xe09c1000
af_key 27024 0 - Live 0xe09ca000
ipt_TOS 1984 12 - Live 0xe09b2000
ipt_MASQUERADE 2880 2 - Live 0xe09ac000
ipt_limit 1920 1 - Live 0xe09a0000
ipt_REJECT 5632 4 - Live 0xe09af000
ipt_ULOG 6244 7 - Live 0xe09a9000
ipt_TCPMSS 3520 1 - Live 0xe09a2000
ipt_state 1472 63 - Live 0xe09a4000
ip_nat_irc 3504 0 - Live 0xe099e000
ip_nat_tftp 2992 0 - Live 0xe099c000
ip_nat_ftp 4144 0 - Live 0xe0999000
ip_conntrack_irc 70512 1 ip_nat_irc, Live 0xe0986000
ip_conntrack_tftp 3056 0 - Live 0xe096c000
ip_conntrack_ftp 71408 1 ip_nat_ftp, Live 0xe0973000
ipt_multiport 1664 1 - Live 0xe0971000
ipt_conntrack 1984 31 - Live 0xe096f000
iptable_filter 2176 1 - Live 0xe08fc000
iptable_mangle 2176 1 - Live 0xe08f0000
iptable_nat 21960 5 ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,
Live 0xe0912000
ip_conntrack 39732 10
ipt_MASQUERADE,ipt_state,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,ip_conntrack_
irc,ip_conntrack_tftp,ip_conntrack_ftp,ipt_conntrack,iptable_nat, Live
0xe092b000
ip_tables 16000 12
ipt_TOS,ipt_MASQUERADE,ipt_limit,ipt_REJECT,ipt_ULOG,ipt_TCPMSS,ipt_stat
e,ipt_multiport,ipt_conntrack,iptable_filter,iptable_mangle,iptable_nat,
Live 0xe0919000
sunrpc 132388 13 nfsd,lockd, Live 0xe0936000
ppp_synctty 7936 0 - Live 0xe090f000
ppp_async 9024 1 - Live 0xe08fe000
crc_ccitt 1664 1 ppp_async, Live 0xe08f2000
ppp_generic 21524 6 ppp_synctty,ppp_async, Live 0xe0908000
slhc 7232 1 ppp_generic, Live 0xe0820000
8139too 20032 0 - Live 0xe0902000
via_rhine 18308 0 - Live 0xe08f4000
mii 3904 2 8139too,via_rhine, Live 0xe084f000
crc32 3840 3 dvb_core,8139too,via_rhine, Live 0xe0823000
usblp 10816 0 - Live 0xe083a000
uhci_hcd 29712 0 - Live 0xe0844000
ehci_hcd 26052 0 - Live 0xe0832000
usbcore 102296 4 usblp,uhci_hcd,ehci_hcd, Live 0xe0851000
thermal 10568 0 - Live 0xe0804000
sata_via 4484 6 - Live 0xe081a000
libata 38916 1 sata_via, Live 0xe0827000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 515828 kB
MemFree: 1980 kB
Buffers: 31868 kB
Cached: 304520 kB
SwapCached: 1572 kB
Active: 186924 kB
Inactive: 288692 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515828 kB
LowFree: 1980 kB
SwapTotal: 1052216 kB
SwapFree: 1039436 kB
Dirty: 456 kB
Writeback: 0 kB
Mapped: 166696 kB
Slab: 26940 kB
CommitLimit: 1310128 kB
Committed_AS: 529216 kB
CommitAvail: 780912 kB
PageTables: 1776 kB
VmallocTotal: 516056 kB
VmallocUsed: 24328 kB
VmallocChunk: 491128 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.10-rc1/build/.config
++ uname -r
+ cat /lib/modules/2.6.10-rc1/build/.config
+ egrep
'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
# CONFIG_NETLINK_DEV is not set
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_COMPAT_IPFWADM=m
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.*
/var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 203.0.178.191
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 528
drwxr-xr-x 4 root root 4096 Oct 28 17:58 2.6.5-1.358
-rw-r--r-- 1 root root 262144 Oct 29 22:36 ivtv-fw-enc.bin
-rw-r--r-- 1 root root 262144 Oct 29 22:36 ivtv-fw-dec.bin
drwxr-xr-x 6 root root 4096 Nov 5 17:42 2.6.10-rc1
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02c4d90 T netif_rx
c02c4f30 T netif_rx_ni
c02c4d90 U netif_rx [dvb_core]
c02c4d90 U netif_rx [ppp_generic]
c02c4d90 U netif_rx [via_rhine]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.10-rc1:
2.6.5-1.358:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '5453194,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Nov 11 21:12:06 amber ipsec_setup: Starting Openswan IPsec
U2.2.0/K2.6.10-rc1...
+ _________________________ plog
+ sed -n '145,$p' /var/log/secure
+ cat
+ egrep -i pluto
Nov 11 21:12:06 amber ipsec__plutorun: Starting Pluto subsystem...
Nov 11 21:12:06 amber pluto[3574]: Starting Pluto (Openswan Version
2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Nov 11 21:12:06 amber pluto[3574]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Nov 11 21:12:06 amber pluto[3574]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 11 21:12:06 amber pluto[3574]: Using Linux 2.6 IPsec interface code
Nov 11 21:12:06 amber pluto[3574]: Changing to directory
'/etc/ipsec.d/cacerts'
Nov 11 21:12:06 amber pluto[3574]: Could not change to directory
'/etc/ipsec.d/aacerts'
Nov 11 21:12:06 amber pluto[3574]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Nov 11 21:12:06 amber pluto[3574]: Changing to directory
'/etc/ipsec.d/crls'
Nov 11 21:12:06 amber pluto[3574]: Warning: empty directory
Nov 11 21:12:06 amber pluto[3574]: added connection description
"Tir-Na-Nogth-IM"
Nov 11 21:12:06 amber pluto[3574]: listening for IKE messages
Nov 11 21:12:06 amber pluto[3574]: adding interface ppp0/ppp0
203.217.34.219
Nov 11 21:12:06 amber pluto[3574]: adding interface br0/br0 10.0.1.1
Nov 11 21:12:06 amber pluto[3574]: adding interface lo/lo 127.0.0.1
Nov 11 21:12:06 amber pluto[3574]: loading secrets from
"/etc/ipsec.secrets"
Nov 11 21:12:28 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: initiating
Main Mode
Nov 11 21:12:29 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 11 21:12:29 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: I did not send
a certificate because I do not have one.
Nov 11 21:12:29 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: Peer ID is
ID_FQDN: '@edo.insentiv.co.jp'
Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: transition
from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #1: ISAKMP SA
established
Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #2: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #2: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 11 21:12:30 amber pluto[3574]: "Tir-Na-Nogth-IM" #2: sent QI2,
IPsec SA established {ESP=>0xa57ee5b0 <0x01106a70}
+ _________________________ date
+ date
Thu Nov 11 21:12:55 EST 2004
edo
Thu Nov 11 19:12:43 JST 2004
+ _________________________ version
+ ipsec --version
Linux FreeS/WAN 2.04
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22-1.2115.nptl (bhcompile at daffy.perf.redhat.com) (gcc
version 3.2.3 20030422 (Red Hat Linux 3.2.3-6)) #1 Wed Oct 29 15:20:17
EST 2003
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN 2.04
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking tun0x1002 at 203.217.34.219 from 10.0.2.0/24 to 10.0.1.0/24 [FAILED]
ppp0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 10.0.1.0/24
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: edo [MISSING]
Does the machine have at least one non-private address? [FAILED]
+ _________________________ proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 10.0.2.0/24 -> 10.0.1.0/24 => tun0x1002 at 203.217.34.219
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
154.33.4.102 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
154.33.4.102 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
10.0.1.0 154.33.4.102 255.255.255.0 UG 0 0 0 ipsec0
10.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 154.33.4.102 0.0.0.0 UG 0 0 0 ppp0
+ _________________________ proc/net/ipsec_spi
+ cat /proc/net/ipsec_spi
esp0xa57ee5b0 at 210.229.239.65 ESP_3DES_HMAC_MD5: dir=in
src=203.217.34.219 iv_bits=64bits iv=0x4a4ee5986c581c68 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(20,0,0) refcount=4
ref=8
tun0x1002 at 203.217.34.219 IPIP: dir=out src=210.229.239.65
life(c,s,h)=addtime(19,0,0) refcount=4 ref=12
esp0x1106a70 at 203.217.34.219 ESP_3DES_HMAC_MD5: dir=out
src=210.229.239.65 iv_bits=64bits iv=0x88aefa6d784ce7d1 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(19,0,0) refcount=4
ref=13
tun0x1001 at 210.229.239.65 IPIP: dir=in src=203.217.34.219
policy=10.0.1.0/24->10.0.2.0/24 flags=0x8<> life(c,s,h)=addtime(20,0,0)
refcount=4 ref=7
+ _________________________ proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1002 at 203.217.34.219 esp0x1106a70 at 203.217.34.219
tun0x1001 at 210.229.239.65 esp0xa57ee5b0 at 210.229.239.65
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1454) -> 1454
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pf_key
+ cat /proc/net/pf_key
sock pid socket next prev e n p sndbf Flags Type
St
c8cf0ae0 13131 c83586c0 0 0 0 0 2 65535 00000000 3
1
+ _________________________ proc/net/pf_key-star
+ cd /proc/net
+ egrep '^' pf_key_registered pf_key_supported
pf_key_registered:satype socket pid sk
pf_key_registered: 2 c83586c0 13131 c8cf0ae0
pf_key_registered: 3 c83586c0 13131 c8cf0ae0
pf_key_registered: 9 c83586c0 13131 c8cf0ae0
pf_key_registered: 10 c83586c0 13131 c8cf0ae0
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported: 2 14 3 0 160 160
pf_key_supported: 2 14 2 0 128 128
pf_key_supported: 3 15 3 128 168 168
pf_key_supported: 3 14 3 0 160 160
pf_key_supported: 3 14 2 0 128 128
pf_key_supported: 9 15 4 0 128 128
pf_key_supported: 9 15 3 0 32 128
pf_key_supported: 9 15 2 0 128 32
pf_key_supported: 9 15 1 0 32 32
pf_key_supported: 10 15 2 0 1 1
+ _________________________ proc/sys/net/ipsec-star
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check pfkey_lossage tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
pfkey_lossage:0
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 210.229.239.65
000 %myid = (none)
000 debug none
000
000 "Tir-Na-Nogth-IM":
10.0.2.0/24===210.229.239.65[@edo.insentiv.co.jp]--
-154.33.4.102...%any[@amber.tir-na-nogth.net]===10.0.1.0/24; unrouted;
eroute owner: #0
000 "Tir-Na-Nogth-IM": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "Tir-Na-Nogth-IM": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio:
24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Tir-Na-Nogth-IM"[1]:
10.0.2.0/24===210.229.239.65[@edo.insentiv.co.jp]--
-154.33.4.102...203.217.34.219[@amber.tir-na-nogth.net]===10.0.1.0/24;
erouted; eroute owner: #2
000 "Tir-Na-Nogth-IM"[1]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "Tir-Na-Nogth-IM"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio:
24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "Tir-Na-Nogth-IM"[1] 203.217.34.219 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 28510s; newest IPSEC; eroute owner
000 #2: "Tir-Na-Nogth-IM"[1] 203.217.34.219 esp.1106a70 at 203.217.34.219
esp.a57ee5b0 at 210.229.239.65 tun.1002 at 203.217.34.219
tun.1001 at 210.229.239.65
000 #1: "Tir-Na-Nogth-IM"[1] 203.217.34.219 STATE_MAIN_R3 (sent MR3,
ISAKMP SA established); EVENT_SA_REPLACE in 3309s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:00:F4:60:9B:31
inet addr:10.0.2.1 Bcast:10.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:831143 errors:0 dropped:0 overruns:0 frame:0
TX packets:1183629 errors:3 dropped:0 overruns:3 carrier:0
collisions:0 txqueuelen:1000
RX bytes:414966367 (395.7 Mb) TX bytes:1141797835 (1088.9 Mb)
Interrupt:11 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:90:CC:51:B9:77
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1178453 errors:0 dropped:0 overruns:0 frame:0
TX packets:915860 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1126683990 (1074.4 Mb) TX bytes:419722563 (400.2 Mb)
Interrupt:10 Base address:0x5000
ipsec0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.65 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1937072 errors:0 dropped:0 overruns:0 frame:0
TX packets:1937072 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:139778608 (133.3 Mb) TX bytes:139778608 (133.3 Mb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.65 P-t-P:154.33.4.102
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:1170965 errors:0 dropped:0 overruns:0 frame:0
TX packets:909723 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1099011415 (1048.0 Mb) TX bytes:399523685 (381.0 Mb)
ppp0:0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.99 P-t-P:210.229.239.99
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0:1 Link encap:Point-to-Point Protocol
inet addr:210.229.239.98 P-t-P:210.229.239.98
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0:2 Link encap:Point-to-Point Protocol
inet addr:210.229.239.102 P-t-P:210.229.239.102
Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
product info: Davicom DM9101 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:07:49, model 1 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
edo
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
19:12:48 up 1 day, 9:02, 1 user, load average: 0.56, 0.25, 0.13
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME
COMMAND
0 0 13232 12829 18 0 5116 936 wait4 S pts/1 0:00
\_ /bin/sh /usr/local/libexec/ipsec/barf
0 0 13306 13232 18 0 2492 392 pipe_w S pts/1 0:00
\_ egrep -i ppid|pluto|ipsec|klips
1 0 13129 1 22 0 3644 984 wait4 S pts/1 0:00
/bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes
--dump --opts --stderrlog --wait no --pre --post --log
daemon.error --pid /var/run/pluto.pid
1 0 13130 13129 22 0 3644 992 wait4 S pts/1 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutorun --debug none --uniqueids yes
--dump --opts --stderrlog --wait no --pre --post --log
daemon.error --pid /var/run/pluto.pid
4 0 13131 13130 17 0 2468 948 schedu S pts/1 0:00 |
\_ /usr/local/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --policygroupsdir /etc/ipsec.d/policies --debug-none
--uniqueids
0 0 13139 13131 18 0 1348 240 schedu S pts/1 0:00 |
\_ _pluto_adns
0 0 13132 13129 15 0 3260 984 pipe_w S pts/1 0:00 \_
/bin/sh /usr/local/lib/ipsec/_plutoload --wait no --post
0 0 13133 1 18 0 2392 292 pipe_w S pts/1 0:00
logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# edo.isentiv.co.jp
#
version 2.0 # conforms to second version of ipsec.conf specification
config setup
interfaces="ipsec0=ppp0"
klipsdebug=none
plutodebug=none
forwardcontrol=yes
uniqueids=yes
# Standard server security definition (left)
conn %default
# Allow only 1 try since we are the passive end
keyingtries=1
#
# Security gateway - left
left=210.229.239.65
leftsubnet=10.0.2.0/24
leftnexthop=154.33.4.102
leftupdown=/usr/local/lib/ipsec/_updown_imgfx
#
# Add but don't start connection on startup
auto=add
#
# RSA authentication
authby=rsasig
leftid=@edo.insentiv.co.jp
leftrsasigkey=[keyid AQOrd0max]
# Load client (right) definitions from subdirectory
#< /etc/ipsec.d/remote.tir-na-nogth.conn 1
# /etc/ipsec.d/remote.tir-na-nogth.conn - FreeS/WAN IPsec remote connection file
# Connection from Tir-Na-Nog'th gateway
conn Tir-Na-Nogth-IM
# Right - Tir-Na-Nog'th security gateway
right=0.0.0.0
rightsubnet=10.0.1.0/24
rightnexthop=
rightid=@amber.tir-na-nogth.net
rightrsasigkey=[keyid AQN/IxlHw]
#> /etc/ipsec.conf 37
#
# Disable opportunistic encryption
#
#< /etc/ipsec.d/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 42
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits edo.insentiv.co.jp Fri Jan 30 20:14:18 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQOrd0max]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/local/share/doc/freeswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/local/lib/ipsec
total 192
-rwxr-xr-x 1 root root 14890 Nov 12 2003 _confread
-rwxr-xr-x 1 root root 44116 Nov 12 2003 _copyright
-rwxr-xr-x 1 root root 2379 Nov 12 2003 _include
-rwxr-xr-x 1 root root 1475 Nov 12 2003 _keycensor
-rwxr-xr-x 1 root root 64682 Nov 12 2003 _pluto_adns
-rwxr-xr-x 1 root root 3586 Nov 12 2003 _plutoload
-rwxr-xr-x 1 root root 5165 Nov 12 2003 _plutorun
-rwxr-xr-x 1 root root 9719 Nov 12 2003 _realsetup
-rwxr-xr-x 1 root root 1975 Nov 12 2003 _secretcensor
-rwxr-xr-x 1 root root 8076 Nov 12 2003 _startklips
-rwxr-xr-x 1 root root 7959 Feb 4 2004 _updown
-rwxr-xr-x 1 root root 6982 Feb 4 2004 _updown_imgfx
-rwxr-xr-x 1 root root 1942 Nov 12 2003 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/local/libexec/ipsec
total 2924
-rwxr-xr-x 1 root root 12195 Nov 12 2003 auto
-rwxr-xr-x 1 root root 8591 Nov 12 2003 barf
-rwxr-xr-x 1 root root 816 Nov 12 2003 calcgoo
-rwxr-xr-x 1 root root 306234 Nov 12 2003 eroute
-rwxr-xr-x 1 root root 174875 Nov 12 2003 klipsdebug
-rwxr-xr-x 1 root root 2449 Nov 12 2003 look
-rwxr-xr-x 1 root root 7130 Nov 12 2003 mailkey
-rwxr-xr-x 1 root root 16188 Nov 12 2003 manual
-rwxr-xr-x 1 root root 1874 Nov 12 2003 newhostkey
-rwxr-xr-x 1 root root 143342 Nov 12 2003 pf_key
-rwxr-xr-x 1 root root 1270559 Nov 12 2003 pluto
-rwxr-xr-x 1 root root 49086 Nov 12 2003 ranbits
-rwxr-xr-x 1 root root 79064 Nov 12 2003 rsasigkey
-rwxr-xr-x 1 root root 17602 Nov 12 2003 send-pr
lrwxrwxrwx 1 root root 22 Jan 30 2004 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Nov 12 2003 showdefaults
-rwxr-xr-x 1 root root 4321 Nov 12 2003 showhostkey
-rwxr-xr-x 1 root root 316466 Nov 12 2003 spi
-rwxr-xr-x 1 root root 248567 Nov 12 2003 spigrp
-rwxr-xr-x 1 root root 47342 Nov 12 2003 tncfg
-rwxr-xr-x 1 root root 9292 Nov 12 2003 verify
-rwxr-xr-x 1 root root 203766 Nov 12 2003 whack
+ _________________________ ipsec/updowns
++ ls /usr/local/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo:139778608 1937072 0 0 0 0 0 0 139778608 1937072 0 0 0 0 0 0
eth0:414966962 831146 0 0 0 0 0 0 1141798214 1183631 3 0 3 0 0 0
eth1:1126685347 1178468 0 0 0 0 0 0 419747736 915880 0 0 0 0 0 0
ppp0:1099012442 1170980 0 0 0 0 0 0 399548418 909743 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec2: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 6604219A 00000000 0005 0 0 0 FFFFFFFF 0 0 0
ipsec0 6604219A 00000000 0005 0 0 0 FFFFFFFF 0 0 0
ipsec0 0001000A 6604219A 0003 0 0 0 00FFFFFF 0 0 0
eth0 0002000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
ppp0 00000000 6604219A 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux edo 2.4.22-1.2115.nptl #1 Wed Oct 29 15:20:17 EST 2003 i586 i586 i386 GNU/Linux
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 1 (Yarrow)
+ _________________________ proc/net/ipsec_version
+ cat /proc/net/ipsec_version
FreeS/WAN version: 2.04
+ _________________________ iptables/list
+ iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1937K 140M ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
404K 414M ppp0_in all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
308K 41M eth0_in all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 ipsec0_in all -- ipsec0 * 0.0.0.0/0
0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
56532 2845K TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
767K 685M ppp0_fwd all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
515K 361M eth0_fwd all -- eth0 * 0.0.0.0/0
0.0.0.0/0
2 168 ipsec0_fwd all -- ipsec0 * 0.0.0.0/0
0.0.0.0/0
43895 2288K common all -- * * 0.0.0.0/0
0.0.0.0/0
12032 745K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:'
12032 745K reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1937K 140M ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
395K 40M fw2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
458K 442M fw2loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
20 1680 fw2vpn all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain all2all (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
24 2900 common all -- * * 0.0.0.0/0
0.0.0.0/0
24 2900 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:'
24 2900 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain blacklst (2 references)
pkts bytes target prot opt in out source
destination
Chain common (5 references)
pkts bytes target prot opt in out source
destination
686 40791 icmpdef icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:135
396 30888 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:445
4758 228K reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:139
14245 685K reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:445
14618 704K reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0
224.0.0.0/4
9 528 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
5 256 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
10.0.2.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source
destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source
destination
4887 298K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
515K 361M loc2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
2 168 loc2vpn all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source
destination
69040 5776K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
308K 41M loc2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source
destination
458K 442M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
21 31452 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
5 420 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
4 1220 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
374K 39M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
3 156 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
402 26089 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
20435 1226K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2vpn (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
20 1680 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source
destination
Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source
destination
2 168 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 all2all all -- * ppp0 0.0.0.0/0
0.0.0.0/0
2 168 vpn2loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
0 0 vpn2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source
destination
239K 35M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
1 60 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
69039 5776K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source
destination
510K 360M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
4887 298K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source
destination
2 168 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain logdrop (58 references)
pkts bytes target prot opt in out source
destination
672 34814 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
672 34814 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2706 141K common all -- * * 0.0.0.0/0
0.0.0.0/0
538 36100 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
538 36100 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
401K 413M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
91 3877 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
1 136 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
2 300 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:500 dpt:500 state NEW
33 1756 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
2 120 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.1 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:500
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
2706 141K net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source
destination
722K 683M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
10 528 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.61 multiport dports 80,21 state NEW ctorigdst
210.229.239.99
3 180 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.62 state NEW tcp dpt:80 ctorigdst 210.229.239.102
9 480 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.60 multiport dports 80,81,443 state NEW ctorigdst
210.229.239.98
7 372 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.60 multiport dports 80,443 state NEW ctorigdst
210.229.239.100
7 372 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.60 multiport dports 80,443 state NEW ctorigdst
210.229.239.101
1 60 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.60 state NEW tcp dpt:21 ctorigdst 210.229.239.101
5 300 ACCEPT tcp -- * * 0.0.0.0/0
10.0.2.60 state NEW tcp dpt:22 ctorigdst 210.229.239.98
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.0.2.20 state NEW udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.0.2.20 state NEW udp dpts:16384:16403
0 0 net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain newnotsyn (12 references)
pkts bytes target prot opt in out source
destination
115 35485 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:newnotsyn:DROP:'
115 35485 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source
destination
44453 2312K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
44453 2312K blacklst all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
44453 2312K rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
722K 683M net2loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
0 0 net2all all -- * ipsec0 0.0.0.0/0
0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source
destination
2865 149K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
2865 149K blacklst all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
2865 149K rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
404K 414M net2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source
destination
44500 2142K REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
904 213K REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
678 40211 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source
destination
0 0 RETURN all -- * * 255.255.255.255
0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 255.255.255.255
0 0 DROP all -- * * 169.254.0.0/16
0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 169.254.0.0/16
27 1296 logdrop all -- * * 172.16.0.0/12
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 logdrop all -- * * 192.0.2.0/24
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.0.2.0/24
29 1766 logdrop all -- * * 192.168.0.0/16
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 0.0.0.0/7
0 0 logdrop all -- * * 2.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 2.0.0.0/8
0 0 logdrop all -- * * 5.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 5.0.0.0/8
0 0 logdrop all -- * * 7.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 7.0.0.0/8
0 0 logdrop all -- * * 10.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 10.0.0.0/8
0 0 logdrop all -- * * 23.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 23.0.0.0/8
0 0 logdrop all -- * * 27.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 27.0.0.0/8
0 0 logdrop all -- * * 31.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 31.0.0.0/8
0 0 logdrop all -- * * 36.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 36.0.0.0/7
0 0 logdrop all -- * * 39.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 39.0.0.0/8
0 0 logdrop all -- * * 41.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 41.0.0.0/8
0 0 logdrop all -- * * 42.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 42.0.0.0/8
0 0 logdrop all -- * * 49.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 49.0.0.0/8
0 0 logdrop all -- * * 50.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 50.0.0.0/8
18 864 logdrop all -- * * 58.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 58.0.0.0/7
30 1616 logdrop all -- * * 70.0.0.0/7
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 70.0.0.0/7
0 0 logdrop all -- * * 72.0.0.0/5
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 72.0.0.0/5
455 23336 logdrop all -- * * 83.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 83.0.0.0/8
113 5936 logdrop all -- * * 84.0.0.0/6
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 84.0.0.0/6
0 0 logdrop all -- * * 88.0.0.0/5
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 88.0.0.0/5
0 0 logdrop all -- * * 96.0.0.0/3
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 96.0.0.0/3
0 0 logdrop all -- * * 127.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 127.0.0.0/8
0 0 logdrop all -- * * 197.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 197.0.0.0/8
0 0 logdrop all -- * * 198.18.0.0/15
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 198.18.0.0/15
0 0 logdrop all -- * * 223.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 223.0.0.0/8
0 0 logdrop all -- * * 240.0.0.0/4
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 240.0.0.0/4
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 168 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
+ _________________________ ipchains/list
+ ipchains -L -v -n
/usr/local/libexec/ipsec/barf: line 236: ipchains: command not found
+ _________________________ ipfwadm/forward
+ ipfwadm -F -l -n -e
/usr/local/libexec/ipsec/barf: line 238: ipfwadm: command not found
+ _________________________ ipfwadm/input
+ ipfwadm -I -l -n -e
/usr/local/libexec/ipsec/barf: line 240: ipfwadm: command not found
+ _________________________ ipfwadm/output
+ ipfwadm -O -l -n -e
/usr/local/libexec/ipsec/barf: line 242: ipfwadm: command not found
+ _________________________ iptables/nat
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 83400 packets, 5695K bytes)
pkts bytes target prot opt in out source
destination
47318 2460K net_dnat all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
29151 1747K REDIRECT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 64992 packets, 3014K bytes)
pkts bytes target prot opt in out source
destination
69486 3284K ppp0_masq all -- * ppp0 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 20561 packets, 1269K bytes)
pkts bytes target prot opt in out source
destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source
destination
2 120 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:222 LOG flags 0 level 5 prefix
`Shorewall:net_dnat:DNAT:'
2 120 DNAT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:222 to:10.0.2.1:22
10 528 DNAT tcp -- * * 0.0.0.0/0
210.229.239.99 multiport dports 80,21 to:10.0.2.61
3 180 DNAT tcp -- * * 0.0.0.0/0
210.229.239.102 tcp dpt:80 to:10.0.2.62
9 480 DNAT tcp -- * * 0.0.0.0/0
210.229.239.98 multiport dports 80,81,443 to:10.0.2.60
7 372 DNAT tcp -- * * 0.0.0.0/0
210.229.239.100 multiport dports 80,443 to:10.0.2.60
7 372 DNAT tcp -- * * 0.0.0.0/0
210.229.239.101 multiport dports 80,443 to:10.0.2.60
1 60 DNAT tcp -- * * 0.0.0.0/0
210.229.239.101 tcp dpt:21 to:10.0.2.60
5 300 DNAT tcp -- * * 0.0.0.0/0
210.229.239.98 tcp dpt:223 to:10.0.2.60:22
0 0 DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 to:10.0.2.20
0 0 DNAT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:16384:16403 to:10.0.2.20
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source
destination
4715 285K MASQUERADE all -- * * 10.0.2.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16
0.0.0.0/0
+ _________________________ ipchains/masq
+ ipchains -M -L -v -n
/usr/local/libexec/ipsec/barf: line 246: ipchains: command not found
+ _________________________ ipfwadm/masq
+ ipfwadm -M -l -n -e
/usr/local/libexec/ipsec/barf: line 248: ipfwadm: command not found
+ _________________________ iptables/mangle
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 3932K packets, 1640M bytes)
pkts bytes target prot opt in out source
destination
3932K 1640M pretos all -- * * 0.0.0.0/0
0.0.0.0/0
Chain INPUT (policy ACCEPT 2650K packets, 594M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 1282K packets, 1046M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 2790K packets, 622M bytes)
pkts bytes target prot opt in out source
destination
2790K 622M outtos all -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 4028K packets, 1665M bytes)
pkts bytes target prot opt in out source
destination
Chain outtos (1 references)
pkts bytes target prot opt in out source
destination
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
438 89015 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
57 2280 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:4662 TOS set 0x08
3 120 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4662 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:4672 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4672 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:4862 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4862 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:4872 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4872 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source
destination
212 15172 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
1852 587K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
12274 781K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
11755 1010K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
35263 43M TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
11545 5384K TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
3 144 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:4662 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4662 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:4672 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4672 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:4862 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:4862 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:4872 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:4872 TOS set 0x08
+ _________________________ proc/modules
+ cat /proc/modules
ipsec 265408 2
autofs 12276 0 (autoclean) (unused)
ipt_REDIRECT 1304 1 (autoclean)
ipt_TOS 1560 28 (autoclean)
ipt_MASQUERADE 2200 2 (autoclean)
ipt_REJECT 3992 4 (autoclean)
ipt_LOG 4152 8 (autoclean)
ipt_TCPMSS 2968 1 (autoclean)
ipt_state 1048 58 (autoclean)
ip_nat_irc 2896 0 (unused)
ip_nat_tftp 2608 0 (unused)
ip_nat_ftp 3536 0 (unused)
ip_conntrack_irc 4048 1
ip_conntrack_tftp 2544 1
ip_conntrack_ftp 4976 1
ipt_multiport 1144 8 (autoclean)
ipt_conntrack 1592 38 (autoclean)
iptable_filter 2348 1 (autoclean)
iptable_mangle 2712 1 (autoclean)
iptable_nat 20568 4 (autoclean) [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack 28072 6 (autoclean) [ipt_REDIRECT ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]
ip_tables 15104 14 [ipt_REDIRECT ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_TCPMSS ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]
ppp_synctty 7392 0 (unused)
ppp_async 9088 1
ppp_generic 23708 3 [ppp_synctty ppp_async]
slhc 6596 0 [ppp_generic]
tulip 42144 1 (autoclean)
via-rhine 14384 1
mii 3736 0 [via-rhine]
loop 11640 0 (autoclean)
lvm-mod 61792 3
keybdev 2752 0 (unused)
mousedev 5236 0 (unused)
hid 23236 0 (unused)
input 5664 0 [keybdev mousedev hid]
usb-ohci 20456 0 (unused)
usbcore 73344 1 [hid usb-ohci]
ext3 65060 4
jbd 48244 4 [ext3]
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 191569920 186232832 5337088 0 74149888 63279104
Swap: 394805248 4685824 390119424
MemTotal: 187080 kB
MemFree: 5212 kB
MemShared: 0 kB
Buffers: 72412 kB
Cached: 60552 kB
SwapCached: 1244 kB
Active: 71104 kB
Inactive: 85476 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 187080 kB
LowFree: 5212 kB
SwapTotal: 385552 kB
SwapFree: 380976 kB
+ _________________________ dev/ipsec-ls
+ ls -l '/dev/ipsec*'
ls: /dev/ipsec*: No such file or directory
+ _________________________ proc/net/ipsec-ls
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Nov 11 19:12 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Nov 11 19:12 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Nov 11 19:12 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Nov 11 19:12 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Nov 11 19:12 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Nov 11 19:12 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /usr/src/linux/.config
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# MADE-BY-RP-PPPOE
nameserver 154.33.63.214
nameserver 154.33.63.210
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 4
drwxr-xr-x 4 root root 4096 Jan 26 2004 2.4.22-1.2115.nptl
+ _________________________ proc/ksyms-netif_rx
+ egrep netif_rx /proc/ksyms
c01fb250 netif_rx_R07a1a075
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.22-1.2115.nptl: U netif_rx_R07a1a075
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ egrep -i 'ipsec|klips|pluto'
+ sed -n '70958,$p' /var/log/messages
+ cat
Nov 11 19:12:00 edo ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Nov 11 19:12:02 edo ipsec_setup: Using /lib/modules/2.4.22-1.2115.nptl/kernel/net/ipsec/ipsec.o
Nov 11 19:12:02 edo kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 2.04
Nov 11 19:12:03 edo ipsec_setup: KLIPS debug `none'
Nov 11 19:12:03 edo ipsec_setup: KLIPS ipsec0 on ppp0 210.229.239.65/255.255.255.255 pointopoint 154.33.4.102
Nov 11 19:12:04 edo ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ plog
+ sed -n '54,$p' /var/log/secure
+ egrep -i pluto
+ cat
Nov 11 19:12:04 edo ipsec__plutorun: Starting Pluto subsystem...
Nov 11 19:12:04 edo pluto[13131]: Starting Pluto (FreeS/WAN Version 2.04 PLUTO_USES_KEYRR)
Nov 11 19:12:04 edo pluto[13131]: Using KLIPS IPsec interface code
Nov 11 19:12:05 edo pluto[13131]: added connection description "Tir-Na-Nogth-IM"
Nov 11 19:12:05 edo pluto[13131]: listening for IKE messages
Nov 11 19:12:05 edo pluto[13131]: adding interface ipsec0/ppp0 210.229.239.65
Nov 11 19:12:05 edo pluto[13131]: loading secrets from "/etc/ipsec.secrets"
Nov 11 19:12:25 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #1: responding to Main Mode from unknown peer 203.217.34.219
Nov 11 19:12:25 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #1: sent MR3, ISAKMP SA established
Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: responding to Quick Mode
Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: up-client output: /usr/local/lib/ipsec/_updown_imgfx
Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: prepare-client output: /usr/local/lib/ipsec/_updown_imgfx
Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: route-client output: /usr/local/lib/ipsec/_updown_imgfx
Nov 11 19:12:26 edo pluto[13131]: "Tir-Na-Nogth-IM"[1] 203.217.34.219 #2: IPsec SA established {ESP=>0x01106a70 <0xa57ee5b0}
+ _________________________ date
+ date
Thu Nov 11 19:12:53 JST 2004