 From:  Mat Murdock <mmurdock underscore lists at kimballequipment dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Site-to-site VPN firewall
 Date:  Wed, 26 Jan 2005 22:33:09 -0700
A third from me.  Been thinking about this lately.

Mat


Robert Rich wrote:

> I'll second that question!
>
> Angus Jordan wrote:
>
>> Hello all,
>>
>> I sent this message yesterday but didn't get a reply.  Perhaps it was
>> missed.  I will ask the question again:
>>
>> On my production FreeBSD VPN machine I am running ipfw as the
>> firewall.  I have about 6 site-to-site VPNs going in and out of this
>> box.  They are all attached to external clients
>> that I don't really want to give total access to my network.  I would
>> like to replace this box with m0n0wall.
>>
>> From the documentation on m0n0wall, I've gleaned that you cannot use
>> the firewall to limit access to specific machines if using the IPSEC
>> vpn.  This seems strange to me, as I've been doing this for ages.
>>
>> I used the /exec.php page to load the ipfw module, and did some tests
>> of my own.  It seems that ipfw can block this access just fine.  Is
>> there no way at all of having ipfilter do the same thing?  I was using
>> a rule in ipfw such as this:
>>
>> ipfw add allow all from 10.2.1.5 to 10.3.1.7
>> ipfw add deny all from 10.2.0.0/16 to any
>>
>> This seems to block the traffic just fine.  Is there a workaround to
>> make ipfilter work like this?
>>
>> Any input is appreciated.
>>
>> Thanks,
>> Angus
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
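Added example, not code from anyone in this thread: a small first-match rule evaluator that models the two ipfw rules Angus quoted, so a rule set meant to confine a VPN peer can be audited before it goes on the gateway. It shows why the order matters (the same two rules reversed block the one flow that was meant to pass). The function names, the internal host addresses and the `default` parameter are assumptions made for the example; the implicit final ipfw rule is modelled as a parameter because what a given build uses depends on how ipfw was compiled or loaded.

```python
"""Added example (not code from the m0n0wall thread): a minimal first-match
evaluator for ipfw-style rules, used to audit what a site-to-site VPN peer
can reach before the rule set goes on a gateway.  Only the rule form quoted
in Angus's message ('ipfw add <allow|deny> all from <src> to <dst>') is
parsed; function names, probe addresses and the default action are made up
for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' means the whole address space; a bare host address becomes a /32."""
    if token == "any":
        return ANY
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw add <action> all from <src> to <dst>' line."""
    parts = line.split()
    if (len(parts) != 8 or parts[:2] != ["ipfw", "add"]
            or parts[3:5] != ["all", "from"] or parts[6] != "to"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action = parts[2]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action: {action!r}")
    return Rule(action, _net(parts[5]), _net(parts[7]))


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "deny") -> str:
    """First matching rule wins, as in ipfw.  The implicit final rule is
    modelled by `default` (an assumption of this example): pass whichever
    action the ipfw build on your box actually uses for rule 65535."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


def reachable_hosts(rules: List[Rule], peer: str, hosts: Iterable[str]) -> List[str]:
    """Which of `hosts` a given VPN peer address may reach under `rules`."""
    return [h for h in hosts if evaluate(rules, peer, h) == "allow"]


# The two rules quoted in the thread, in the order given.
THREAD_RULES = [
    parse_rule("ipfw add allow all from 10.2.1.5 to 10.3.1.7"),
    parse_rule("ipfw add deny all from 10.2.0.0/16 to any"),
]

# Constructed internal hosts for the audit; not addresses from the thread.
INTERNAL_HOSTS = ["10.3.1.7", "10.3.1.8", "10.3.2.20"]


if __name__ == "__main__":
    print("peer 10.2.1.5 may reach:",
          reachable_hosts(THREAD_RULES, "10.2.1.5", INTERNAL_HOSTS))
    print("peer 10.2.1.6 may reach:",
          reachable_hosts(THREAD_RULES, "10.2.1.6", INTERNAL_HOSTS))
    # Same two rules in the opposite order: the deny now shadows the allow.
    swapped = list(reversed(THREAD_RULES))
    print("swapped order, 10.2.1.5 -> 10.3.1.7:",
          evaluate(swapped, "10.2.1.5", "10.3.1.7"))
```

Running it lists `10.3.1.7` as the only internal host `10.2.1.5` can reach, nothing for any other address in `10.2.0.0/16`, and `deny` for the swapped order. The evaluator does not model ipfw's protocol and port matching or stateful keywords; it only reproduces the source/destination first-match logic that the quoted rules rely on.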