[ previous ] [ next ] [ threads ]
 
 From:  Angus Jordan <angus dot jordan at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC Site-to-site VPN firewall
 Date:  Tue, 25 Jan 2005 17:03:17 -0800
Hello all,

I've just found the m0n0wall project, and I find it quite exciting. 
However, there is something that troubles me in how IPSEC site-to-site
vpn's are implemented.  On my production FreeBSD VPN machine I am
running ipfw as the firewall.  I have about 6 site-to-site vpn's going
in and out of this box.  They are all attached to external clients
that I don't really want to give total access to my network.

From the documentation on m0n0wall, I've gleaned that you cannot use
the firewall to limit access to specific machines if using the IPSEC
vpn.  This seems strange.

I used the /exec.php page to load the ipfw module, and did some tests
of my own.  It seems that ipfw can block this access just fine.  Is
there no way at all of having ipfilter do the same thing?  I was using
a rule in ipfw such as this:

ipfw add allow all from 10.2.1.5 to 10.3.1.7
ipfw add deny all from 10.2.0.0/16 to any

This seems to work just fine.  Is there a workaround to make ipfilter
work like this, using the GUI?

Any input is appreciated.

Thanks,
Angus