From owner-svn-doc-head@FreeBSD.ORG Sat Jul 13 03:51:23 2013
Message-Id: <201307130351.r6D3pNSR069093@svn.freebsd.org>
From: Warren Block Date: Sat, 13 Jul 2013 03:51:23 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r42267 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Jul 2013 03:51:23 -0000 Author: wblock Date: Sat Jul 13 03:51:22 2013 New Revision: 42267 URL: http://svnweb.freebsd.org/changeset/doc/42267 Log: Whitespace-only fixes. Translators, please ignore. Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jul 13 03:33:20 2013 (r42266) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Jul 13 03:51:22 2013 (r42267) @@ -2444,57 +2444,57 @@ device crypto - - - - - Tom - Rhodes - -
trhodes@FreeBSD.org
-
- Written by -
-
-
- - Configuring IPsec on &os; - - To begin, - security/ipsec-tools - must be installed from the Ports Collection. This software - provides a number of applications which support the - configuration. - - The next requirement is to create two &man.gif.4; - pseudo-devices which will be used to tunnel packets and - allow both networks to communicate properly. As - root, run the following commands, - replacing internal and - external with the real IP - addresses of the internal and external interfaces of the two - gateways: - - &prompt.root; ifconfig gif0 create - - &prompt.root; ifconfig gif0 internal1 internal2 - - &prompt.root; ifconfig gif0 tunnel external1 external2 - - In this example, the corporate LAN's - external IP address is 172.16.5.4 and its internal - IP address is 10.246.38.1. The home - LAN's external IP - address is 192.168.1.12 and its - internal private IP address is 10.0.0.5. + + + + + Tom + Rhodes + +
trhodes@FreeBSD.org
+
+ Written by +
+
+
+ + Configuring IPsec on &os; + + To begin, + security/ipsec-tools + must be installed from the Ports Collection. This software + provides a number of applications which support the + configuration. + + The next requirement is to create two &man.gif.4; + pseudo-devices which will be used to tunnel packets and + allow both networks to communicate properly. As + root, run the following commands, + replacing internal and + external with the real IP + addresses of the internal and external interfaces of the two + gateways: + + &prompt.root; ifconfig gif0 create + + &prompt.root; ifconfig gif0 internal1 internal2 + + &prompt.root; ifconfig gif0 tunnel external1 external2 + + In this example, the corporate LAN's + external IP address is + 172.16.5.4 and its internal + IP address is + 10.246.38.1. The home + LAN's external IP + address is 192.168.1.12 and + its internal private IP address is + 10.0.0.5. - If this is confusing, review the following example output - from &man.ifconfig.8;: + If this is confusing, review the following example + output from &man.ifconfig.8;: - Gateway 1: + Gateway 1: gif0: flags=8051 mtu 1280 tunnel inet 172.16.5.4 --> 192.168.1.12 @@ -2508,10 +2508,10 @@ tunnel inet 192.168.1.12 --> 172.16.5 inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4 - Once complete, both internal IP - addresses should be reachable using &man.ping.8;: + Once complete, both internal IP + addresses should be reachable using &man.ping.8;: - priv-net# ping 10.0.0.5 + priv-net# ping 10.0.0.5 PING 10.0.0.5 (10.0.0.5): 56 data bytes 64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=42.786 ms 64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=19.255 ms 
@@ -2532,26 +2532,26 @@ PING 10.246.38.1 (10.246.38.1): 56 data 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 28.106/94.594/154.524/49.814 ms - As expected, both sides have the ability to send and - receive ICMP packets from the privately - configured addresses. Next, both gateways must be told how - to route packets in order to correctly send traffic from - either network. The following command will achieve this - goal: + As expected, both sides have the ability to send and + receive ICMP packets from the privately + configured addresses. Next, both gateways must be told how + to route packets in order to correctly send traffic from + either network. The following command will achieve this + goal: - &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 + &prompt.root; corp-net# route add 10.0.0.0 10.0.0.5 255.255.255.0 - &prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 + &prompt.root; corp-net# route add net 10.0.0.0: gateway 10.0.0.5 - &prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 + &prompt.root; priv-net# route add 10.246.38.0 10.246.38.1 255.255.255.0 - &prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 + &prompt.root; priv-net# route add host 10.246.38.0: gateway 10.246.38.1 - At this point, internal machines should be reachable - from each gateway as well as from machines behind the - gateways. Again, use &man.ping.8; to confirm: + At this point, internal machines should be reachable + from each gateway as well as from machines behind the + gateways. Again, use &man.ping.8; to confirm: - corp-net# ping 10.0.0.8 + corp-net# ping 10.0.0.8 PING 10.0.0.8 (10.0.0.8): 56 data bytes 64 bytes from 10.0.0.8: icmp_seq=0 ttl=63 time=92.391 ms 64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=21.870 ms 
@@ -2573,15 +2573,15 @@ PING 10.246.38.1 (10.246.38.107): 56 dat 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms - Setting up the tunnels is the easy part. Configuring a - secure link is a more in depth process. The following - configuration uses pre-shared (PSK) - RSA keys. Other than the - IP addresses, the - /usr/local/etc/racoon/racoon.conf on - both gateways will be identical and look similar to: + Setting up the tunnels is the easy part. Configuring a + secure link is a more in depth process. The following + configuration uses pre-shared (PSK) + RSA keys. Other than the + IP addresses, the + /usr/local/etc/racoon/racoon.conf on + both gateways will be identical and look similar to: - path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file + path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete padding # options are not to be changed 
@@ -2639,33 +2639,33 @@ sainfo (address 10.246.38.0/24 any addr compression_algorithm deflate; } - For descriptions of each available option, refer to the - manual page for racoon.conf. + For descriptions of each available option, refer to the + manual page for racoon.conf. - The Security Policy Database (SPD) - needs to be configured so that &os; and - racoon are able to encrypt and - decrypt network traffic between the hosts. - - This can be achieved with a shell script, similar to the - following, on the corporate gateway. This file will be used - during system initialization and should be saved as - /usr/local/etc/racoon/setkey.conf. + The Security Policy Database (SPD) + needs to be configured so that &os; and + racoon are able to encrypt and + decrypt network traffic between the hosts. + + This can be achieved with a shell script, similar to the + following, on the corporate gateway. This file will be used + during system initialization and should be saved as + /usr/local/etc/racoon/setkey.conf. - flush; + flush; spdflush; # To the home network spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/172.16.5.4-192.168.1.12/use; spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-172.16.5.4/use; - Once in place, racoon may be - started on both gateways using the following command: + Once in place, racoon may be + started on both gateways using the following command: - &prompt.root; /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log + &prompt.root; /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log - The output should be similar to the following: + The output should be similar to the following: - corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf + corp-net# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf Foreground mode. 2006-01-30 01:35:47: INFO: begin Identity Protection mode. 
2006-01-30 01:35:48: INFO: received Vendor ID: KAME/racoon 
@@ -2678,43 +2678,43 @@ Foreground mode. 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b) 2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66) - To ensure the tunnel is working properly, switch to - another console and use &man.tcpdump.1; to view network - traffic using the following command. Replace - em0 with the network interface card as - required: - - &prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 - - Data similar to the following should appear on the - console. If not, there is an issue and debugging the - returned data will be required. + To ensure the tunnel is working properly, switch to + another console and use &man.tcpdump.1; to view network + traffic using the following command. Replace + em0 with the network interface card as + required: + + &prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 + + Data similar to the following should appear on the + console. If not, there is an issue and debugging the + returned data will be required. - 01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa) + 01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa) 01:47:33.022442 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xb) 01:47:34.024218 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xc) - At this point, both networks should be available and - seem to be part of the same network. Most likely both - networks are protected by a firewall. To allow traffic to - flow between them, rules need to be added to pass packets. - For the &man.ipfw.8; firewall, add the following lines to the - firewall configuration file: + At this point, both networks should be available and + seem to be part of the same network. 
Most likely both + networks are protected by a firewall. To allow traffic to + flow between them, rules need to be added to pass packets. + For the &man.ipfw.8; firewall, add the following lines to + the firewall configuration file: - ipfw add 00201 allow log esp from any to any + ipfw add 00201 allow log esp from any to any ipfw add 00202 allow log ah from any to any ipfw add 00203 allow log ipencap from any to any ipfw add 00204 allow log udp from any 500 to any - - The rule numbers may need to be altered depending on - the current host configuration. - + + The rule numbers may need to be altered depending on + the current host configuration. + - For users of &man.pf.4; or &man.ipf.8;, the following - rules should do the trick: + For users of &man.pf.4; or &man.ipf.8;, the following + rules should do the trick: - pass in quick proto esp from any to any + pass in quick proto esp from any to any pass in quick proto ah from any to any pass in quick proto ipencap from any to any pass in quick proto udp from any port = 500 to any port = 500 @@ -2725,16 +2725,16 @@ pass out quick proto ipencap from any to pass out quick proto udp from any port = 500 to any port = 500 pass out quick on gif0 from any to any - Finally, to allow the machine to start support for the - VPN during system initialization, add the - following lines to /etc/rc.conf: + Finally, to allow the machine to start support for the + VPN during system initialization, add the + following lines to /etc/rc.conf: - ipsec_enable="YES" + ipsec_enable="YES" ipsec_program="/usr/local/sbin/setkey" ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot racoon_enable="yes" -
- +
+ @@ -3719,11 +3719,11 @@ VII. References - - Tom - Rhodes - Contributed by - + + Tom + Rhodes + Contributed by + 
@@ -3767,35 +3767,37 @@ VII. References options RACCT options RCTL - The entire system will need rebuilt. See , which will provide instructions for - the process. Once this is complete, the rctl - may be used to set rules for the system. + The entire system will need rebuilt. See + , which will provide instructions + for the process. Once this is complete, the + rctl may be used to set rules for the + system. Rule syntax is simple, controlled through the use of - a subject, a subject-id, - resource, and action. - Take the following example rule: + a subject, a + subject-id, resource, + and action. Take the following example + rule: user:trhodes:maxproc:deny=10/user - This rule shows a basic premise of a rule, here the - subject is user and the subject-id - is trhodes. The maxproc is, of course, - max number of processes, which is considered the resource. - The action here is set to deny, which blocks - any new processes from being created. In the previous example, - the user, trhodes will be constrained - to 10 (ten) processes and no greater. - Other actions are available and could be log to the console, - pass a notification to &man.devd.8;, or - send a sigterm to the process. + This rule shows a basic premise of a rule, here the subject + is user and the subject-id is + trhodes. The maxproc is, of course, max + number of processes, which is considered the resource. The + action here is set to deny, which blocks any + new processes from being created. In the previous example, the + user, trhodes will be constrained to + 10 (ten) processes and no greater. Other + actions are available and could be log to the console, pass a + notification to &man.devd.8;, or send a sigterm to the + process. Some care must be taken while adding rules. The one above - will unfortunately block my user from doing the most simple tasks - after I have logged in and executed a screen - session. 
When a resource limit has been hit, an error will - be printed, as in this example: + will unfortunately block my user from doing the most simple + tasks after I have logged in and executed a + screen session. When a resource limit has + been hit, an error will be printed, as in this example: &prompt.user; man test /usr/bin/man: Cannot fork: Resource temporarily unavailable @@ -3808,9 +3810,9 @@ eval: Cannot fork: Resource temporarily &prompt.root; rctl -a jail:httpd:memoryuse:deny=2G/jail Rules may also persist across reboots if they have been - added to /etc/rctl.conf. The - format is a rule, without the preceding command. For example, - the previous rule could be added like the following: + added to /etc/rctl.conf. The format is a + rule, without the preceding command. For example, the previous + rule could be added like the following: # Block jail from using more than 2G memory: jail:httpd:memoryuse:deny=2G/jail @@ -3826,7 +3828,7 @@ jail:httpd:memoryuse:deny=2G/jail&prompt.root; rctl -r user:trhodes - Many other resources exist which can be used to excert + Many other resources exist which can be used to exert additional control over various subjects. See &man.rctl.8; to learn about them.
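Review bot: the second route in the @@ -2532 hunk is installed as a host route, as its own echoed output shows (`add host 10.246.38.0: gateway 10.246.38.1`), while the corporate side reports `add net 10.0.0.0: gateway 10.0.0.5`. route(8) only infers a network destination when the host part of the address is zero, which holds for 10.0.0.0 but not for 10.246.38.0, so the home gateway never learns the 10.246.38.0/24 prefix; `-net` should be given explicitly (`route add -net 10.246.38.0 10.246.38.1 255.255.255.0`). The two `add net`/`add host` output lines are also marked up with `&prompt.root;` as though they were commands to type. Both are outside a whitespace-only commit, but worth a follow-up.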
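Review bot: the sentence re-wrapped in the @@ -2573 hunk says the configuration uses "pre-shared (PSK) RSA keys", but the racoon.conf that follows points at `path pre_shared_key "/usr/local/etc/racoon/psk.txt"`, i.e. a plain pre-shared secret; RSA signatures are a separate authentication method. Suggest "pre-shared keys (PSK)" in a follow-up, since this commit is whitespace-only.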
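Review bot: both SPD entries in the @@ -2639 hunk end in `/use`, which tells the kernel to encrypt only when an SA happens to exist and otherwise to send the matching traffic over the gif tunnel in cleartext (for example while racoon is down or before negotiation completes). Since the policy is meant to protect the whole 10.246.38.0/24 to 10.0.0.0/24 path, `/require` is the safer level; setkey(8) documents the difference. Out of scope for a whitespace-only commit, but worth a follow-up.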
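Review bot: two grammar slips survive the re-wrap in the @@ -3767 hunk: "The entire system will need rebuilt" (needs "to be rebuilt") and "the rctl may be used" (stray "the"). Not something to fix in a whitespace-only change, but worth a follow-up.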
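Review bot: the @@ -3826 hunk changes `excert` to `exert`, a spelling fix rather than whitespace, so the log message "Whitespace-only fixes. Translators, please ignore." is inaccurate for this hunk; translators who skip this revision on the strength of the log would miss the correction. Suggest noting the typo fix in the log or committing it separately.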