 From:  Raphael Maunier <raphael at maunier dot net>
 To:  Mat Murdock <mmurdock underscore lists at kimballequipment dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Site-to-site VPN firewall
 Date:  Thu, 27 Jan 2005 08:59:44 +0100
Hi,

I have the same problem with my config.
I am currently testing OpenVPN with m0n0wall, as firewall rules can't be
applied to the IPsec tunnel. It's the same problem for the traffic shaper.
You can also use 2 boxes: one for the IPsec endpoint, connected on
your WAN side to your ISP and on the LAN side to the other M0n0 with a
/30 (or /29 ...), and then you can add your requested filters (and
also shaping if needed).

Regards,


Mat Murdock wrote:

> A third from me.  Been thinking about this lately.
>
> Mat
>
>
> Robert Rich wrote:
>
>> I'll second that question!
>>
>> Angus Jordan wrote:
>>
>>> Hello all,
>>>
>>> I sent this message yesterday but didn't get a reply.  Perhaps it was
>>> missed.  I will ask the question again:
>>>
>>> On my production FreeBSD VPN machine I am running ipfw as the
>>> firewall.  I have about 6 site-to-site VPNs going in and out of this
>>> box.  They are all attached to external clients
>>> that I don't really want to give total access to my network.  I would
>>> like to replace this box with m0n0wall.
>>>
>>> From the documentation on m0n0wall, I've gleaned that you cannot use
>>> the firewall to limit access to specific machines if using the IPSEC
>>> vpn.  This seems strange to me, as I've been doing this for ages.
>>>
>>> I used the /exec.php page to load the ipfw module, and did some tests
>>> of my own.  It seems that ipfw can block this access just fine.  Is
>>> there no way at all of having ipfilter do the same thing?  I was using
>>> a rule in ipfw such as this:
>>>
>>> ipfw add allow all from 10.2.1.5 to 10.3.1.7
>>> ipfw add deny all from 10.2.0.0/16 to any
>>>
>>> This seems to block the traffic just fine.  Is there a workaround to
>>> make ipfilter work like this?
>>>
>>> Any input is appreciated.
>>>
>>> Thanks,
>>> Angus
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
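The allow-then-deny pair Angus quotes only does what he wants because ipfw evaluates rules top-down and stops at the first match. The following is an added example, not code from the thread or from ipfw: a small Python model of that first-match evaluation over the two quoted rules, showing which flows pass and that reversing the order denies the one host pair the tunnel is meant to carry. The sample flows and the permissive default for traffic no rule matches are assumptions, not something the thread states.

```python
import ipaddress

# Constructed ruleset, in the shape of the two ipfw rules quoted in the
# thread: (action, source network, destination network). Like ipfw, the
# evaluator walks the list top-down and stops at the first rule that matches.
RULES = [
    ("allow", "10.2.1.5/32", "10.3.1.7/32"),   # the one pair allowed across the tunnel
    ("deny",  "10.2.0.0/16", "0.0.0.0/0"),     # everything else from the remote site
]


def first_match(rules, src, dst, default="allow"):
    """Return the action of the first rule whose src/dst networks contain
    the packet's addresses. `default` (assumed) stands in for whatever the
    rest of the real rule set does with traffic these two rules never see."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return default


def check_policy(rules):
    """Evaluate a few constructed flows from the remote 10.2.0.0/16 site:
    the permitted host pair, the same host to a different local machine,
    and a different remote host to the permitted local machine."""
    return {
        "wanted_pair":         first_match(rules, "10.2.1.5", "10.3.1.7"),
        "same_src_other_dst":  first_match(rules, "10.2.1.5", "10.3.1.8"),
        "other_src_same_dst":  first_match(rules, "10.2.1.9", "10.3.1.7"),
    }


def reversed_order_breaks_policy(rules):
    """True when putting the subnet deny before the host allow silences the
    wanted pair: the broad deny matches first, so the allow is never reached."""
    return first_match(list(reversed(rules)), "10.2.1.5", "10.3.1.7") == "deny"


if __name__ == "__main__":
    print(check_policy(RULES))
    print("reversed order denies wanted pair:", reversed_order_breaks_policy(RULES))
```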