No, you still can't put rules in place for an IPsec VPN connection... (If I'm wrong, let me know how!)

It allows packets through from the remote network, but only allows the traffic out that you allow in your LAN interface destined for the remote network... So, you could restrict the traffic you can send out to the remote network. That will effectively block a port scan because any replies would never make it back to the scanner... Personally, I'd rather not have this scanning traffic on my network though. In our case, this isn't a big deal because we have another firewall right behind our VPN Monowall to block "bad" traffic from the remote site...

OpenVPN support was removed from 1.2 because it wasn't quite ready for prime time... I know that a developer has put a bunch more work into OpenVPN support and has some newer test versions that he has released. There is also an issue with the way OpenVPN handles interfaces... I'm not familiar with the problem there, so I won't comment further on it.

Paul

-----Original Message-----
From: Lew Maggio [mailto:lew at lsfc dot org]
Sent: Thursday, October 27, 2005 1:52 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPsec and firewall rules

I was reading the m0n0wall handbook at http://doc.m0n0.ch/handbook/ipsec-prerequisites.html and it states "The VPN tunnel *will not respond to firewall rules* at the time of this writing". I believe this is an older document, so is it supported now? Or is there another way to achieve a firewall over IPsec?

I want to connect to a client with IPsec, and I want full access to their systems so I can support them and make remote, off-site backups of critical files in case of fire. However, I do not want anyone at that office to be able to connect to my network; I want to firewall it off so that a rogue user cannot scan my subnet, discover my machines, access my systems, or perform any other mischievous acts.

Also, whatever happened to OpenVPN support in 1.2? Just curious.
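A worked model of the asymmetry Paul describes, added here as an illustration; it is not part of either message and not m0n0wall's own filter code. It is a toy packet filter in Python: the "ipsec" interface has no rule list and passes everything without creating state, while the "lan" interface is filtered with first-match, keep-state rules and a default deny. With a tightened LAN rule set, a TCP probe from the client site still reaches the host, but the host's SYN-ACK is dropped on the way back, so the scanner gets no answer. The addresses, interface names, ports and the two policies are assumptions made for the example. Two caveats the model makes visible: the admin workstation's own pass rule must match only new connections (the model's syn_only flag, in the spirit of ipfilter's "flags S"), or its SYN-ACKs to a scanner would be passed as well; and a single UDP datagram from the remote side, which needs no reply to do its work, lands on the host regardless of the LAN rules, which is the gap Paul's second firewall behind the VPN box is there to close.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the example: our LAN and the client's LAN across the tunnel.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
REMOTE_NET = ipaddress.ip_network("10.0.0.0/24")
ADMIN_BOX = ipaddress.ip_network("192.168.1.10/32")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet enters the firewall on: "lan" or "ipsec"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                                # "pass" or "block"
    proto: str | None = None                   # None matches any protocol
    src: ipaddress.IPv4Network | None = None
    dst: ipaddress.IPv4Network | None = None
    dport: int | None = None
    syn_only: bool = False     # like ipfilter "flags S": only new TCP connections match
    keep_state: bool = False   # both directions of a passed flow bypass the rules afterwards

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return not self.syn_only or (p.proto == "tcp" and p.syn)


class Firewall:
    """First-match filter with a default deny. An interface with no rule list is not
    filtered at all, which models the tunnel behaviour described in the thread."""

    def __init__(self, rules: dict[str, list[Rule]]):
        self.rules = rules
        self.state = set()

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.state:
            return "pass"
        if p.iface not in self.rules:
            return "pass"   # nothing is evaluated on the tunnel interface, and no state is created
        for r in self.rules[p.iface]:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(key)
                    self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return r.action
        return "block"


def tcp_probe(fw: Firewall, scanner: str, target: str, port: int) -> dict:
    """One TCP connect probe from the remote site. The target is assumed to listen on
    the port, so the only question is whether its SYN-ACK gets back to the scanner."""
    syn = Packet("ipsec", "tcp", scanner, 40123, target, port, syn=True)
    synack = Packet("lan", "tcp", target, port, scanner, 40123)
    reached = fw.filter(syn) == "pass"
    answered = reached and fw.filter(synack) == "pass"
    return {"reached_host": reached, "reply_delivered": answered}


def udp_datagram(fw: Firewall, sender: str, target: str, port: int) -> bool:
    """A single UDP datagram from the remote site needs no reply to do its work."""
    return fw.filter(Packet("ipsec", "udp", sender, 5000, target, port)) == "pass"


# Default-style LAN policy: anything from the LAN may go anywhere, stateful.
PERMISSIVE = {"lan": [Rule("pass", src=LAN_NET, keep_state=True)]}

# The tightened policy the reply suggests: only the admin workstation may open TCP
# connections to the remote network; everything else LAN -> remote is blocked.
RESTRICTED = {"lan": [
    Rule("pass", proto="tcp", src=ADMIN_BOX, dst=REMOTE_NET, syn_only=True, keep_state=True),
    Rule("block", src=LAN_NET, dst=REMOTE_NET),
    Rule("pass", src=LAN_NET, keep_state=True),   # Internet-bound LAN traffic still flows
]}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        fw = Firewall(policy)
        print(name, "probe file server 445:", tcp_probe(fw, "10.0.0.77", "192.168.1.20", 445))
        print(name, "probe admin box 22:   ", tcp_probe(fw, "10.0.0.77", "192.168.1.10", 22))
        print(name, "UDP 161 lands:        ", udp_datagram(fw, "10.0.0.77", "192.168.1.20", 161))
```

Under the permissive policy both probes are answered, because the LAN "pass to any" rule happily passes the SYN-ACK and even creates state for the scanner's flow. Under the restricted policy the probes still reach the hosts (reached_host stays True) but no reply is delivered, including from the admin box, whose pass rule only matches SYNs; a session the admin box opens itself is passed and its follow-up packets ride on state. The UDP datagram lands in both cases.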