Re: Encrypt some services with ipsec

[EMAIL PROTECTED] Mon, 26 Sep 2005 00:57:05 -0700

Thank you bigby!!!!.


Bigby Findrake wrote:

On Sat, 24 Sep 2005, [EMAIL PROTECTED] wrote:

Hi all,

 I have two prodction servers with FreeBSD 5.4 (all security patches
are applied). They running some services like dns, ssh, http, ftp, etc.
But I woukd like to encrypt some services for some hosts with ipsec when
it is accessed. For example:

 - DNS resolution: not encrypted.
 - DNS replication master-slave: encrypted by ipsec.
 - Telnet: encrypted by ipsec for some hosts. Deny for the rest.
 - SSH: not encrypted for some hosts, encryted by ipsec for the rest.
 - FTP: encrypted by ipsec.
 - HTTP: encrypted by ipsec.

 is it possible to encrypt only certains services under ipsec tunnel??



Someone please check my work.

From the man page on setkey, it looks like you can specify ports for the

security policies, so you could specify certain ports to encrypt, and not
specify a blanket/default host-to-host policy for all other traffic, so
that all other unspecified traffic is unencrypted.

For example:

---------------------BEGIN /ETC/IPSEC.CONF-------------------------------
#
# encrypt all dns traffic between master host A (1.1.1.1) slave host B
# (1.1.1.2)
spadd 1.1.1.1 1.1.1.2[53] any -P out ipsec esp/transport//use;
spadd 1.1.1.2[53] 1.1.1.1 any -P in ipsec esp/transport//use;

spadd 1.1.1.1[53] 1.1.1.2 any -P out ipsec esp/transport//use;
spadd 1.1.1.2 1.1.1.1[53] any -P in ipsec esp/transport//use;

#
# encrypt telnet traffic between server A (1.1.1.1) and client C (1.1.1.3)
spadd 1.1.1.1[23] 1.1.1.3 any -P out ipsec esp/transport//use;
spadd 1.1.1.3 1.1.1.1[23] any -P in ipsec esp/transport//use;

#
# encrypt http traffic between server A (1.1.1.1) and client D (1.1.1.4)
spadd 1.1.1.1[80] 1.1.1.4 any -P out ipsec esp/transport//use;
spadd 1.1.1.4 1.1.1.1[80] any -P in ipsec esp/transport//use;

#
# and all other traffic is unencrypted.
---------------------END /ETC/IPSEC.CONF-------------------------------



/-------------------------------------------------------------------------/
I used to hate weddings; all the Grandmas would poke me and
say, "You're next sonny!" They stopped doing that when i
started to do it to them at funerals.

                    finger://[EMAIL PROTECTED]
                    http://www.ephemeron.org/~bigby/
                news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/


--
CL Martinez
carlopmart {at} gmail {d0t} com
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Encrypt some services with ipsec

Reply via email to