
ipsec__updown(8) [centos man page]

_UPDOWN(8)							Executable programs							_UPDOWN(8)

NAME
       ipsec__updown - kernel and routing manipulation script

SYNOPSIS
       _updown is invoked by pluto when it has brought up a new connection.
       This script is used to insert the appropriate routing entries for IPsec
       operation on some kernel IPsec stacks, such as KLIPS and MAST, and may
       do other necessary work that is kernel or user specific, such as
       defining custom firewall rules. The interface to the script is
       documented in the pluto man page.

VARIABLES
       _updown is passed a number of environment variables, which the script
       can use to act differently based on the information they carry:

       PLUTO_VERSION
              indicates what version of this interface is being used. This
              document describes version 1.1. This is upwardly compatible
              with version 1.0.

       PLUTO_VERB
              specifies the name of the operation to be performed, which can
              be one of prepare-host, prepare-client, up-host, up-client,
              down-host or down-client. If the address family for security
              gateway to security gateway communications is IPv6, then a
              suffix of -v6 is added to this verb.

       PLUTO_CONNECTION
              is the name of the connection for which we are routing.

       PLUTO_NEXT_HOP
              is the next hop to which packets bound for the peer must be
              sent.

       PLUTO_INTERFACE
              is the name of the ipsec interface to be used.

       PLUTO_ME
              is the IP address of our host.

       PLUTO_MY_CLIENT
              is the IP address / count (prefix length) of our client subnet.
              If the client is just the host, this will be the host's own IP
              address / max (where max is 32 for IPv4 and 128 for IPv6).

       PLUTO_MY_CLIENT_NET
              is the IP address of our client net. If the client is just the
              host, this will be the host's own IP address.

       PLUTO_MY_CLIENT_MASK
              is the mask for our client net. If the client is just the host,
              this will be 255.255.255.255.

       PLUTO_PEER
              is the IP address of our peer.

       PLUTO_PEER_CLIENT
              is the IP address / count (prefix length) of the peer's client
              subnet. If the client is just the peer, this will be the peer's
              own IP address / max (where max is 32 for IPv4 and 128 for
              IPv6).

       PLUTO_PEER_CLIENT_NET
              is the IP address of the peer's client net. If the client is
              just the peer, this will be the peer's own IP address.

       PLUTO_PEER_CLIENT_MASK
              is the mask for the peer's client net. If the client is just
              the peer, this will be 255.255.255.255.

       PLUTO_MY_PROTOCOL
              lists the protocols allowed over this IPsec SA.

       PLUTO_PEER_PROTOCOL
              lists the protocols the peer allows over this IPsec SA.

       PLUTO_MY_PORT
              lists the ports allowed over this IPsec SA.

       PLUTO_PEER_PORT
              lists the ports the peer allows over this IPsec SA.

       PLUTO_MY_ID
              lists our id.

       PLUTO_PEER_ID
              lists our peer's id.

       PLUTO_PEER_CA
              lists the peer's CA.

SEE ALSO
       ipsec(8), ipsec_pluto(8).

HISTORY
       Man page written for the Linux FreeS/WAN project
       <http://www.freeswan.org/> by Michael Richardson. Original program
       written by Henry Spencer.

AUTHOR
       Paul Wouters

libreswan                          12/16/2012                       _UPDOWN(8)
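The following is an added example and not libreswan's own _updown script: a minimal updown script that consumes the PLUTO_* variables documented above, checks PLUTO_VERSION, dispatches on PLUTO_VERB and prints the route and firewall commands it would run. The firewall chain choice and the xt_policy match are this example's own assumptions, not something the man page prescribes.

```shell
#!/bin/sh
# Added example, not libreswan's own _updown: a minimal updown script that
# consumes the PLUTO_* variables described above. It checks the interface
# version, dispatches on PLUTO_VERB and prints the route and firewall commands
# it would run (pipe updown_main's output to sh to apply them). The firewall
# policy and the chain choice below are this example's assumptions.

# Refuse to act on an interface version this script was not written against.
updown_check_version() {
    case "${PLUTO_VERSION:-}" in
        1.0|1.1) return 0 ;;
        *) echo "unsupported PLUTO_VERSION '${PLUTO_VERSION:-}'" >&2; return 1 ;;
    esac
}

# Print the route command for a client-subnet SA; host-to-host SAs need none.
updown_route_cmd() {
    case "${PLUTO_VERB:-}" in
        up-client|up-client-v6)
            echo "ip route add $PLUTO_PEER_CLIENT dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP src $PLUTO_ME" ;;
        down-client|down-client-v6)
            echo "ip route del $PLUTO_PEER_CLIENT dev $PLUTO_INTERFACE via $PLUTO_NEXT_HOP src $PLUTO_ME" ;;
        prepare-*|*-host|*-host-v6)
            : ;;   # nothing to prepare; a host-to-host peer is already reachable
        *) echo "unknown PLUTO_VERB '${PLUTO_VERB:-}'" >&2; return 1 ;;
    esac
}

# Print a firewall command that admits the peer's client net only for packets
# that arrived IPsec-protected (xt_policy match), so cleartext packets claiming
# that source net are not accepted merely because a tunnel is up.
updown_firewall_cmd() {
    case "${PLUTO_VERB:-}" in *-v6) tool=ip6tables ;; *) tool=iptables ;; esac
    case "${PLUTO_VERB:-}" in
        up-client|up-client-v6)     action=-I; chain=FORWARD ;;
        down-client|down-client-v6) action=-D; chain=FORWARD ;;
        up-host|up-host-v6)         action=-I; chain=INPUT ;;
        down-host|down-host-v6)     action=-D; chain=INPUT ;;
        *) return 0 ;;
    esac
    echo "$tool $action $chain -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -m policy --dir in --pol ipsec -j ACCEPT"
}

# Entry point as pluto would invoke it: one verb per invocation.
updown_main() {
    updown_check_version && updown_route_cmd && updown_firewall_cmd
}
```

To use it as an actual updown script, add a final line calling updown_main and pipe its output to sh, or replace the echo calls with the commands themselves.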


securenets(4)						     Kernel Interfaces Manual						     securenets(4)

NAME
       securenets - NIS map security file

DESCRIPTION
       The file defines networks and hosts that can access the NIS maps on a
       server. Each line in the file gives a network mask and a net address.
       For example:

       The format of the file is as follows:

       o  Lines beginning with the character are treated as comments.

       o  Lines that are not comment lines contain two fields separated by
          white space. The first field is a netmask, and the second field is
          a network.

       o  The netmask field can be one of the following:

          o  255.255.255.255 (IPv4)

          o  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (IPv6)

          o  the string indicating that the second field is a specific host
             to be allowed access.

       The file can have any number of netmask/net pairs. When the server is
       started, it checks for the existence of the file and reads its
       contents into memory if it exists. The server must be stopped and
       restarted for any changes in the file to take effect.

       Upon startup, the netmask and the net address are converted to binary
       format and logically ANDed. The result must equal the net address (the
       second address) for the entry to be legal. If the netmask is
       255.255.255.255 (all 1's in binary), any address in the net address
       argument will match it. If any field in the netmask is 0, the
       corresponding field in the net address must be 0. When used in this
       way, the portion of the addresses given as 0 acts as a wild card.

       When a client attempts to bind to the server, the client's IP address
       is checked against those given in the file. Again, the address is
       converted to binary and logically ANDed with the netmask. The result
       must equal the net address given in the file. If the client address
       does not match any pair in the file, the binding is refused with the
       message, "no such map in server's NIS domain".

       The file can be used to limit access to specific hosts or to subnets
       using the wildcard capability. If there are syntax errors in the file,
       messages are logged to the logging file (default ) and the server is
       not started.

       If a host has multiple interfaces, each interface address must be
       allowed in the securenets file for that host to have reliable NIS
       access.

EXAMPLES
       The following examples show entries for the file.

       Either of the following entries provides access only to the host with
       address 192.33.33.33:

       or

       The following entry allows access by any host on the 192.33.33 subnet:

       For broader access, such as an entire enterprise, the following entry
       allows any host whose address begins with "15" to be served:

       Either of the following entries allows access for an individual IPv6
       address:

       or

       The following entry allows access for all IPv6 addresses starting with
       "fec0":

SEE ALSO
       ypserv(1M).

                                                                 securenets(4)
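The netmask/net test from the DESCRIPTION above, applied to a client IPv4 address, as an added example that is not part of the securenets(4) page or of ypserv. The securenets content is a constructed sample mirroring the EXAMPLES section (one host, the 192.33.33 subnet and the "15" prefix); it assumes '#' starts a comment line, since the page does not show the comment character.

```shell
#!/bin/sh
# Added example, not from the securenets(4) page or from ypserv: applies the
# netmask/net test described above to a client IPv4 address. The securenets
# content is a constructed sample; lines starting with '#' are assumed to be
# comments (the page does not show the comment character).

SECURENETS_SAMPLE='# constructed sample securenets file
255.255.255.255 192.33.33.33
255.255.255.0   192.33.33.0
255.0.0.0       15.0.0.0'

# Print a dotted-quad IPv4 address as a 32-bit integer; fail on malformed input.
ip4_to_int() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d rest
        [ -n "$d" ] && [ -z "$rest" ] || exit 1
        for o in "$a" "$b" "$c" "$d"; do
            [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
        done
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# Succeed if client address $1 matches a netmask/net pair in the file text $2,
# using the rule from the page: (client AND netmask) must equal the net address.
securenets_allows() {
    client=$(ip4_to_int "$1") || return 2
    printf '%s\n' "$2" | {
        while read -r mask net; do
            case "$mask" in ''|'#'*) continue ;; esac
            m=$(ip4_to_int "$mask") || { echo "bad netmask: $mask" >&2; continue; }
            n=$(ip4_to_int "$net") || { echo "bad net: $net" >&2; continue; }
            # A legal entry has (netmask AND net) equal to net. The page says the
            # server refuses to start on such errors; here the entry is skipped.
            [ $(( n & m )) -eq "$n" ] || { echo "net not covered by netmask: $mask $net" >&2; continue; }
            [ $(( client & m )) -eq "$n" ] && exit 0
        done
        exit 1
    }
}
```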