From: Johnson, Craig E (Craig.E.Johnson@icn.siemens.com)
Date: Wed Aug 13 2003 - 11:27:23 EDT
Thanks to all who responded. My question concerned a pingable machine that
wouldn't respond to telnet, ftp, or traceroute. This turned out to be IPSec
related, something I'm totally unfamiliar with. I've attached the offending
script below, which was being executed at startup after being called by
another S99.... script. Note the "block all incomming" line (I've found
this elsewhere as well, same programmer, same spelling error):
#!/usr/bin/ksh
# add after rtp start-up
IPSEC_CMD=/tmp/IpsecCmd$$
echo \# Allow Name server >>$IPSEC_CMD
if [ -f /etc/resolv.conf ]
then
grep "^nameserver" /etc/resolv.conf | awk '{
printf ( "{ saddr %s } bypass { dir in } \n", $2);
}'
fi >>$IPSEC_CMD
echo \# Allow all out-going >>$IPSEC_CMD
echo { } bypass { dir out } >>$IPSEC_CMD
echo { saddr `uname -n` } bypass { dir in } >>$IPSEC_CMD
echo { saddr 127.0.0.1 } bypass { dir in } >>$IPSEC_CMD
echo >>$IPSEC_CMD
echo \# Block all incomming >>$IPSEC_CMD
echo { } permit { dir in encr_algs DES } >>$IPSEC_CMD
echo >>$IPSEC_CMD
echo \# Let SSH in >>$IPSEC_CMD
echo { dport 22 } bypass { dir in } >>$IPSEC_CMD
echo { sport 22 } bypass { dir in } >>$IPSEC_CMD
echo >>$IPSEC_CMD
echo \# Allow NTP server >>$IPSEC_CMD
if [ -f /etc/inet/ntp.conf ]
then
grep "^server" /etc/inet/ntp.conf | awk '{
printf ( "{ saddr %s dport 123 } bypass { dir in } \n", $2);
}'
fi >>$IPSEC_CMD
if [ -f /etc/bootparams ]
then
cat /etc/bootparams | grep -v "^#" | awk '{
printf( "{ saddr %s } bypass { dir in } \n", $1 );
}'
fi >>$IPSEC_CMD
echo \# Allow trusted hosts >>$IPSEC_CMD
if [ -f /export/home/sis/.AllowList ]
then
cat /export/home/sis/.AllowList | awk '{
if ( NF == 2 )
{
printf ( "{ saddr %s dport %s } bypass { dir in } \n", $1, $2);
} else
{
printf ( "{ saddr %s } bypass { dir in } \n", $1);
}
}'
fi >>$IPSEC_CMD
/usr/sbin/ipsecconf -f
/usr/sbin/ipsecconf -a $IPSEC_CMD -q
rm $IPSEC_CMD
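To see what the generated policy file actually does to inbound cleartext traffic, here is an added Python evaluator (not the author's code and not part of ipsecconf) that parses rules in the `{ pattern } action { properties }` form the script emits and applies them to a packet. It assumes first-match ordering of policy entries (verify against the ipsecconf man page for your release) and uses a constructed policy file with a made-up name server address.

```python
import re
# Constructed sample of the file the script generates (not the author's real
# output; the name server address is made up). Rule order is as emitted.
POLICY = """
# Allow Name server
{ saddr 10.0.0.53 } bypass { dir in }
# Allow all out-going
{ } bypass { dir out }
{ saddr 127.0.0.1 } bypass { dir in }
# Block all incomming
{ } permit { dir in encr_algs DES }
# Let SSH in
{ dport 22 } bypass { dir in }
"""
RULE_RE = re.compile(r"\{\s*([^}]*)\}\s*(bypass|permit)\s*\{\s*([^}]*)\}")
def _kv(text):
    toks = text.split()  # 'saddr 10.0.0.53 dport 53' -> {'saddr': ..., 'dport': ...}
    return dict(zip(toks[0::2], toks[1::2]))

def parse_policy(text):
    """Parse '{ pattern } action { properties }' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        rules.append((_kv(m.group(1)), m.group(2), _kv(m.group(3))))
    return rules
def classify(rules, direction, **pkt):
    """Fate of a cleartext packet under first-match ordering (assumed): 'clear'
    for bypass, 'ipsec-required' for permit (plaintext is dropped), else 'no-match'."""
    for pattern, action, props in rules:
        if props.get("dir") != direction:
            continue
        if all(str(pkt.get(k)) == v for k, v in pattern.items()):
            return "clear" if action == "bypass" else "ipsec-required"
    return "no-match"

def shadowed(rules):
    """Indices of rules hidden behind an earlier same-direction catch-all."""
    catchall, hidden = set(), []
    for i, (pattern, _action, props) in enumerate(rules):
        d = props.get("dir")
        if d in catchall:
            hidden.append(i)
        elif not pattern:
            catchall.add(d)
    return hidden
RULES = parse_policy(POLICY)
```

Under that assumption a plaintext telnet packet from an untrusted host hits the `{ } permit { dir in encr_algs DES }` rule and is dropped, which is exactly the "pingable but no telnet/ftp/traceroute" symptom; `shadowed()` also flags that the SSH bypass placed after the catch-all can never match, so rule order is the first thing to check before loading such a file.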
Craig Johnson
Systems Administrator/Sr. Engineer
Siemens
--
---> Please post QUESTIONS and SUMMARIES only!! <---
To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
Name: hpux-admin@dutchworks.nl
Owner: owner-hpux-admin@dutchworks.nl
Archives: ftp.dutchworks.nl:/pub/digests/hpux-admin (FTP, browse only)
http://www.dutchworks.nl/htbin/hpsysadmin (Web, browse & search)
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:32 EDT