 
 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Manuel KASPER <mk at neon1 dot net>
 Subject:  Re: [m0n0wall] IPSEC Site-to-site VPN firewall
 Date:  Thu, 27 Jan 2005 10:42:02 +0100
> On my production FreeBSD VPN machine I am running ipfw as the
> firewall.  I have about 6 site-to-site VPNs going in and out of this
> box.  They are all attached to external clients
> that I don't really want to give total access to my network.  I would
> like to replace this box with m0n0wall.
> 
> From the documentation on m0n0wall, I've gleaned that you cannot use
> the firewall to limit access to specific machines if using the IPSEC
> vpn.  This seems strange to me, as I've been doing this for ages.
> 
> I used the /exec.php page to load the ipfw module, and did some tests
> of my own.  It seems that ipfw can block this access just fine.  Is
> there no way at all of having ipfilter do the same thing?  I was using
> a rule in ipfw such as this:
> 
> ipfw add allow all from 10.2.1.5 to 10.3.1.7
> ipfw add deny all from 10.2.0.0/16 to any
> 
> This seems to block the traffic just fine.  Is there a workaround to
> make ipfilter work like this?
> 

Hi,

I think the problem comes from the way ipfw and ipfilter are combined in 
m0n0wall: ipfilter does the actual traffic filtering and NAT. ipfw is 
used in combination with dummynet for traffic shaping only. It seems 
that ipfilter comes first for both incoming and outgoing packets.

I guess (and hope) this limitation comes from m0n0wall's initial design 
and could be improved in future versions, but I may be wrong on this point.

-- Vincent
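
The poster's two ipfw rules, written as an equivalent ipfilter (ipf.conf) ruleset. This is an added example for comparison, not something from the thread or from m0n0wall itself: ipfilter is last-match by default, so "quick" is needed to reproduce ipfw's first-match behaviour, and the rules are left stateless and without an "on" interface clause, exactly like the ipfw originals. The addresses are the ones from the post (10.2.0.0/16 is assumed to be the remote client side of the tunnel); whether m0n0wall ever passes decapsulated IPsec traffic through these rules is precisely the open question Vincent raises above.

```conf
# Added example (not from the thread): the ipfw policy
#   ipfw add allow all from 10.2.1.5 to 10.3.1.7
#   ipfw add deny  all from 10.2.0.0/16 to any
# expressed in ipfilter syntax.
#
# ipfilter evaluates every rule and the LAST match wins unless a rule
# says "quick", which stops evaluation at that rule.  Using "quick" on
# both lines keeps the first-match ordering the ipfw rules rely on:
# the narrow allow must come before the broad deny.
#
# Assumption: 10.2.0.0/16 is the remote (external client) network
# behind the IPsec tunnel; 10.3.1.7 is the only local host that the
# remote host 10.2.1.5 is permitted to reach.

# permit the single allowed host pair
pass in quick from 10.2.1.5 to 10.3.1.7

# drop everything else originating from the remote network
block in quick from 10.2.0.0/16 to any
```

Note that, as with the ipfw version, these rules only cover the remote-to-local direction; reply traffic is left to whatever the rest of the ruleset does, so on a real deployment you would either add matching "out" rules or use "keep state" on the pass rule. The more important caveat is the one the thread is about: a rule like this only helps if the packet filter actually sees the packets after the kernel has decrypted them out of the tunnel.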