[strongSwan] Default drop policy
Swetha RK
rkswetech at gmail.com
Tue Feb 22 06:04:12 CET 2011
Hello,
In our scenario, we want to drop all the packets which don't have a
matching policy in egress direction. Since strongSwan fills (I assume) bypass
policies at the end, these packets are getting forwarded.
I tried adding a drop policy: "ip x p add dir out src 0.0.0.0/0 dst
0.0.0.0/0 action block" manually. But this is getting added at the top or
just before the user-added policies, which overrides all policies.
Is there a way to override or add a drop policy at the end of all user-added
policies in egress direction?
FBM# ip x p | more
src 192.168.255.0/24 dst 192.168.255.0/24
dir in priority 0
src 20.0.0.100/32 dst 20.0.0.2/32
dir in priority 1680
tmpl src 20.0.0.100 dst 20.0.0.2
proto esp reqid 1 mode tunnel
src 30.0.0.2/32 dst 20.0.0.2/32
dir in priority 0
src 192.168.255.0/24 dst 192.168.255.0/24
dir out priority 0
*src 0.0.0.0/0 dst 0.0.0.0/0
dir out action block priority 0 ---> newly added drop policy
*src 20.0.0.2/32 dst 20.0.0.100/32
dir out priority 1680
tmpl src 20.0.0.2 dst 20.0.0.100
proto esp reqid 1 mode tunnel
src 20.0.0.2/32 dst 30.0.0.2/32
dir out priority 0
src 20.0.0.100/32 dst 20.0.0.2/32
dir fwd priority 1680
tmpl src 20.0.0.100 dst 20.0.0.2
proto esp reqid 1 mode tunnel
src 30.0.0.2/32 dst 20.0.0.2/32
dir fwd priority 0
src ::/0 dst ::/0
dir in priority 0
src ::/0 dst ::/0
dir in priority 0
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
Regards,
Swetha
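The listing above is not in lookup order: the Linux XFRM layer selects, among the policies whose selector and direction match a packet, the one with the lowest numeric priority value, so a block policy added with the default priority 0 is consulted before the tunnel policy at priority 1680 and shadows it. The script below is an added example, not code from the post or from strongSwan: it parses a constructed subset of the poster's `ip xfrm policy` dump, simulates that selection rule, and shows what the same packets hit once the block policy is given a large priority value (65535 is an arbitrary choice, used here as an assumption). Ties between equal priorities are resolved by list order in this simulation, which is a simplification of the kernel's own ordering.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    direction: str                 # "in", "out" or "fwd"
    priority: int                  # lower value = consulted first
    action: str = "allow"          # "allow" (default) or "block"
    templates: List[str] = field(default_factory=list)  # "tmpl ..." lines; empty = plaintext


# Constructed sample in the `ip xfrm policy` text format, based on the egress
# policies shown in the post (the "*" markers and arrow note are left out).
SAMPLE_DUMP = """\
src 192.168.255.0/24 dst 192.168.255.0/24
	dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	dir out action block priority 0
src 20.0.0.2/32 dst 20.0.0.100/32
	dir out priority 1680
	tmpl src 20.0.0.2 dst 20.0.0.100
		proto esp reqid 1 mode tunnel
src 20.0.0.2/32 dst 30.0.0.2/32
	dir out priority 0
src ::/0 dst ::/0
	dir in priority 0
"""


def parse_policy_dump(text: str) -> List[XfrmPolicy]:
    """Parse the dump: a 'src X dst Y' line opens a policy, the following
    'dir ...' line carries direction/priority/action, 'tmpl'/'proto' lines
    describe the IPsec template (their presence means the packet is protected)."""
    policies: List[XfrmPolicy] = []
    current: Optional[XfrmPolicy] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "src":
            current = XfrmPolicy(ipaddress.ip_network(tok[1]),
                                 ipaddress.ip_network(tok[3]), "", 0)
            policies.append(current)
        elif tok[0] == "dir" and current is not None:
            current.direction = tok[1]
            if "priority" in tok:
                current.priority = int(tok[tok.index("priority") + 1])
            if "action" in tok:
                current.action = tok[tok.index("action") + 1]
        elif tok[0] == "tmpl" and current is not None:
            current.templates.append(line)
        elif tok[0] == "proto" and current is not None and current.templates:
            current.templates[-1] += " " + line
    return policies


def lookup(policies: List[XfrmPolicy], src: str, dst: str, direction: str) -> Optional[XfrmPolicy]:
    """Select the matching policy with the lowest priority value (ties: first listed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best: Optional[XfrmPolicy] = None
    for p in policies:
        # an address of the other IP version is never inside the network
        if p.direction != direction or s not in p.src or d not in p.dst:
            continue
        if best is None or p.priority < best.priority:
            best = p
    return best


def effective_action(policies: List[XfrmPolicy], src: str, dst: str, direction: str) -> str:
    """Summarise what happens to the packet: block, ipsec, plaintext or no policy."""
    p = lookup(policies, src, dst, direction)
    if p is None:
        return "no policy"
    if p.action == "block":
        return "block"
    return "ipsec" if p.templates else "plaintext"


def with_block_priority(policies: List[XfrmPolicy], prio: int) -> List[XfrmPolicy]:
    """Copy of the policy set with every block policy moved to the given priority."""
    return [replace(p, priority=prio) if p.action == "block" else p for p in policies]


if __name__ == "__main__":
    posted = parse_policy_dump(SAMPLE_DUMP)
    moved = with_block_priority(posted, 65535)   # assumed large value
    for label, pols in (("block at priority 0", posted), ("block at priority 65535", moved)):
        for src, dst in (("20.0.0.2", "20.0.0.100"), ("20.0.0.2", "8.8.8.8")):
            print(f"{label}: {src} -> {dst} out => {effective_action(pols, src, dst, 'out')}")
```

With the block policy at priority 0 the tunnel traffic 20.0.0.2 -> 20.0.0.100 is dropped; with it at 65535 that traffic is protected by the ESP policy, the 192.168.255.0/24 plaintext policy still wins at priority 0, and only traffic without any other matching egress policy (20.0.0.2 -> 8.8.8.8 in the sample) hits the block. Whether strongSwan's own priority-0 bypass policies should sit in front of such a catch-all is a separate question the simulation makes visible but does not answer.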