I'll second that question!
Angus Jordan wrote:
>Hello all,
>
>I sent this message yesterday but didn't get a reply. Perhaps it was
>missed. I will ask the question again:
>
>On my production FreeBSD VPN machine I am running ipfw as the
>firewall. I have about 6 site-to-site VPNs going in and out of this
>box. They are all attached to external clients
>that I don't really want to give total access to my network. I would
>like to replace this box with m0n0wall.
>
>From the documentation on m0n0wall, I've gleaned that you cannot use
>the firewall to limit access to specific machines if using the IPSEC
>vpn. This seems strange to me, as I've been doing this for ages.
>
>I used the /exec.php page to load the ipfw module, and did some tests
>of my own. It seems that ipfw can block this access just fine. Is
>there no way at all of having ipfilter do the same thing? I was using
>a rule in ipfw such as this:
>
>ipfw add allow all from 10.2.1.5 to 10.3.1.7
>ipfw add deny all from 10.2.0.0/16 to any
>
>This seems to block the traffic just fine. Is there a workaround to
>make ipfilter work like this?
>
>Any input is appreciated.
>
>Thanks,
>Angus