 From:  Paul Taylor <PaulTaylor at winn dash dixie dot com>
 To:  Lew Maggio <lew at lsfc dot org>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPsec and firewall rules
 Date:  Thu, 27 Oct 2005 14:01:46 -0400
No, you still can't put rules in place for an IPsec VPN connection...  (If
I'm wrong, let me know how!)  

It allows packets through from the remote network, but only allows the
traffic out that you allow in your LAN interface destined for the remote
network...  So, you could restrict the traffic you can send out to the
remote network.  That will effectively block a port scan because any replies
would never make it back to the scanner...  Personally, I'd rather not have
this scanning traffic on my network though.  In our case, this isn't a big
deal because we have another firewall right behind our VPN Monowall to block
"bad" traffic from the remote site...

OpenVPN support was removed from 1.2 because it wasn't quite ready for prime
time... I know that a developer has put a bunch more work into OpenVPN
support and has some newer test versions that he has released.  There is
also an issue with the way OpenVPN handles interfaces...  I'm not familiar
with the problem there, so I won't comment further on it.


-----Original Message-----
From: Lew Maggio [mailto:lew at lsfc dot org] 
Sent: Thursday, October 27, 2005 1:52 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPsec and firewall rules

I was reading the m0n0wall handbook at
http://doc.m0n0.ch/handbook/ipsec-prerequisites.html and it states "The VPN
tunnel *will not respond to firewall rules* at the time of this writing"

I believe this is an older document, so is it supported now? Or is there
another way to achieve a firewall over IPsec? I want to connect to a client
with IPsec, and I want full access to their systems so I can support them
and make remote, off-site backups of critical files in case of fire.
However, I do not want anyone at that office to be able to connect to my
network; I want to firewall it off so that a rogue user cannot scan my
subnet, discover my machines, access my systems, or perform any other
mischievous acts.

Also, whatever happened to OpenVPN support in 1.2? Just curious.
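A toy model of the asymmetry Paul describes above (traffic arriving through the IPsec tunnel is not subject to interface rules, while replies from LAN hosts still pass the LAN interface rules on their way out). This is an added example for illustration, not m0n0wall code or anything posted in the thread; the network prefixes, port numbers and the single "pass" rule are constructed assumptions.

```python
"""Model of filtering on a firewall whose tunnel traffic bypasses rules.

Constructed example: LAN = 192.168.1.0/24, remote site = 10.99.0.0/16,
and the only LAN rule permits connections to TCP/445 on the remote site
(e.g. for off-site file backups). Everything else LAN hosts send to the
remote network is denied by default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_net: str   # network the packet comes from (label, constructed)
    sport: int     # source port
    dst_net: str   # network the packet goes to
    dport: int     # destination port
    flags: str     # "SYN" for a new connection, "SYN/ACK" for a reply


LAN = "192.168.1.0/24"     # constructed
REMOTE = "10.99.0.0/16"    # constructed remote client network

# Rules evaluated on the LAN interface for traffic LAN hosts send out.
# Format: (action, source network, destination network, destination port).
LAN_RULES = [("pass", LAN, REMOTE, 445)]


def lan_rule_passes(pkt):
    """First-match evaluation of the LAN rule set, default deny."""
    for action, src, dst, dport in LAN_RULES:
        if (pkt.src_net, pkt.dst_net, pkt.dport) == (src, dst, dport):
            return action == "pass"
    return False


def filter_packet(pkt, log):
    """Return 'pass' or 'block' for one packet and append the verdict to log."""
    if pkt.src_net == REMOTE and pkt.dst_net == LAN:
        verdict = "pass"   # tunnel traffic: no interface rules are applied
    elif pkt.src_net == LAN and pkt.dst_net == REMOTE:
        verdict = "pass" if lan_rule_passes(pkt) else "block"
    else:
        verdict = "block"
    log.append((pkt, verdict))
    return verdict


def simulate_scan(ports):
    """A remote host probes LAN ports over the tunnel.

    Returns (probes delivered to LAN hosts, replies that reached the scanner).
    """
    log = []
    delivered = replies_back = 0
    for i, port in enumerate(ports):
        probe = Packet(REMOTE, 40000 + i, LAN, port, "SYN")
        if filter_packet(probe, log) == "pass":
            delivered += 1
            # The LAN host answers to the scanner's ephemeral source port,
            # which no LAN rule allows, so the reply is dropped on the way out.
            reply = Packet(LAN, port, REMOTE, probe.sport, "SYN/ACK")
            if filter_packet(reply, log) == "pass":
                replies_back += 1
    return delivered, replies_back


def simulate_backup():
    """A LAN host opens TCP/445 to the remote site; returns the SYN's verdict."""
    log = []
    syn = Packet(LAN, 51000, REMOTE, 445, "SYN")
    return filter_packet(syn, log)


if __name__ == "__main__":
    print("scan of 22/80/445 ->", simulate_scan([22, 80, 445]))
    print("backup connection  ->", simulate_backup())
```

The result matches the behaviour Paul describes: every probe is delivered to a LAN host (the scanning traffic still lands on the internal network), none of the replies make it back, and the permitted backup connection still works. It also shows why this is a weaker control than filtering the tunnel inbound, which is the point of his preference for a second firewall behind the VPN box.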