Hello,
In our scenario, we want to drop all the packets which don't have a
matching policy in egress direction. Since strongswan fills (I assume) bypass
policies at the end, these packets are getting forwarded.
I tried adding a drop policy: "ip x p add dir out src 0.0.0.0/0 dst
0.0.0.0/0 action block" manually. But this is getting added at the top or
just before the user-added policies, which overrides all policies.
Is there a way to override or add a drop policy at the end of all user-added
policies in egress direction?
FBM# ip x p | more
src 192.168.255.0/24 dst 192.168.255.0/24
dir in priority 0
src 20.0.0.100/32 dst 20.0.0.2/32
dir in priority 1680
tmpl src 20.0.0.100 dst 20.0.0.2
proto esp reqid 1 mode tunnel
src 30.0.0.2/32 dst 20.0.0.2/32
dir in priority 0
src 192.168.255.0/24 dst 192.168.255.0/24
dir out priority 0
*src 0.0.0.0/0 dst 0.0.0.0/0
dir out action block priority 0 ---> newly added drop policy
*src 20.0.0.2/32 dst 20.0.0.100/32
dir out priority 1680
tmpl src 20.0.0.2 dst 20.0.0.100
proto esp reqid 1 mode tunnel
src 20.0.0.2/32 dst 30.0.0.2/32
dir out priority 0
src 20.0.0.100/32 dst 20.0.0.2/32
dir fwd priority 1680
tmpl src 20.0.0.100 dst 20.0.0.2
proto esp reqid 1 mode tunnel
src 30.0.0.2/32 dst 20.0.0.2/32
dir fwd priority 0
src ::/0 dst ::/0
dir in priority 0
src ::/0 dst ::/0
dir in priority 0
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
Regards,
Swetha
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
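As an added example (not code from the post or from strongSwan), a small Python parser for the `ip xfrm policy` listing above that reports which egress policies a catch-all block policy shadows, and which priority value would place the block behind them. It assumes the Linux XFRM rule that policies are tried in ascending priority value, with ties decided by insertion order (which the listing does not reveal, so equal values are flagged as well); the sample input is the post's dir-out entries.

```python
import re

# Constructed sample: the dir-out entries copied from the `ip xfrm policy`
# listing quoted in the post above, not live output from any host.
SAMPLE = """\
src 192.168.255.0/24 dst 192.168.255.0/24
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out action block priority 0
src 20.0.0.2/32 dst 20.0.0.100/32
dir out priority 1680
tmpl src 20.0.0.2 dst 20.0.0.100
proto esp reqid 1 mode tunnel
src 20.0.0.2/32 dst 30.0.0.2/32
dir out priority 0
"""

SEL = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^dir (in|out|fwd)(?: action (\w+))? priority (\d+)")

def parse_policies(text):
    """A 'src ... dst ...' line starts a record; the 'dir ...' line that
    follows gives direction, action (default allow) and priority."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SEL.match(line):
            cur = {"src": m[1], "dst": m[2], "action": "allow", "tmpl": False}
            policies.append(cur)
        elif (m := DIR.match(line)) and cur is not None:
            cur["dir"], cur["priority"] = m[1], int(m[3])
            cur["action"] = m[2] or "allow"
        elif line.startswith("tmpl ") and cur is not None:
            cur["tmpl"] = True  # has an IPsec template, i.e. a tunnel policy
    return policies

def shadowed_by_block(policies, direction="out"):
    """Non-block policies hidden by a catch-all block: XFRM tries policies in
    ascending priority value; equal values are flagged too (order unknown)."""
    ps = [p for p in policies if p.get("dir") == direction]
    blocks = [p["priority"] for p in ps if p["action"] == "block"
              and p["src"] == "0.0.0.0/0" and p["dst"] == "0.0.0.0/0"]
    if not blocks:
        return []
    return [p for p in ps if p["action"] != "block" and p["priority"] >= min(blocks)]

def suggested_block_priority(policies, direction="out"):
    # Smallest value that sorts after every non-block policy in `direction`.
    vals = [p["priority"] for p in policies if p.get("dir") == direction and p["action"] != "block"]
    return max(vals) + 1 if vals else 0
```

Run against the sample, it reports all three non-block egress policies as shadowed by the priority-0 block and suggests 1681 as the first value behind the tunnel policy.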