# These rules are NOT FULLY SECURE!!!
# But it's better than running a wide-open box.
# Copy this to /etc/inet/ipsecinit.conf
#
# Enable on the fly, with ipsecconf -a /etc/inet/ipsecinit.conf
#
# For more things to ponder, see /etc/inet/ipsecinit.sample
#
# Reading these rules: each line is <pattern> <action> <properties>.
# "bypass" exempts matching traffic from IPsec entirely. The patterns below
# name only port numbers, not a protocol, so both TCP and UDP on that port
# match; and a port number is chosen by whoever sends the packet.

# Allow ssh traffic to connect to us:
# inbound to our port 22, and the replies we send from port 22.
{dport 22} bypass {dir in}
{sport 22} bypass {dir out}

# Allow us to connect OUT via ssh (second line is risky!!)
# The second rule matches on the remote host's *source* port, which the remote
# host picks: any inbound packet claiming source port 22 bypasses IPsec no
# matter which local port it is aimed at. It is here because without it the
# replies to our own outbound ssh sessions would fall through to the default
# rule below and be dropped.
{dport 22} bypass {dir out}
{sport 22} bypass {dir in}

# Allow us to use DNS (second line is risky!!)
# Same caveat: anything arriving with source port 53 bypasses IPsec, whatever
# its destination port. Unlike ssh, DNS itself carries no encryption or
# authentication, so nothing protects these packets at all.
{dport 53} bypass {dir out}
{sport 53} bypass {dir in}

# default: only allow traffic if encrypted with known keys
# Which, since we don't have any keys set up, means deny everything else.
# NOTE(review): 3des and sha (HMAC-SHA-1) are legacy algorithms; on a release
# that supports aes and sha256 prefer those. Also confirm on the target release
# that a "permit" rule with no direction restricts outbound traffic as well as
# inbound -- in the older ipsecconf syntax "permit" governed inbound only, in
# which case outbound traffic to ports other than 22/53 is NOT denied here.
{} permit {encr_algs 3des encr_auth_algs sha}