I have done some more work on seeing if I can create a version of m0n0wall
that allows full filtering of VPN traffic.
Not intended to be used in production, I have created a version that instead
of applying rules on each interface applies them to all interfaces instead.
This concept is similar to that used in some commercial firewalls where you
simply define source and destination addresses in rules.
The image I have produced is a proof of concept that I have only tested in a
development environment with IPSEC VPNs. I don't know how well it will cope
with other configurations or if I have missed anything that might make it
insecure. In addition, you need to start with the default configuration
as the ruleset is slightly different in the config.xml - using an existing
configuration may produce odd results.
Although hosted on a slow link, the image is available here:
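To illustrate the difference between the two designs described above, here is a small added model (not m0n0wall code, and not from the author of the post). It assumes two toy matchers: an interface-bound one that keeps a separate first-match rule list per interface, and an address-bound one that keeps a single list keyed only by protocol, source and destination. The interface name "ipsec", the addresses and the rule sets are constructed for the example.

```python
"""Toy model of interface-bound versus address-bound rule matching.

Assumptions (added illustration, not m0n0wall's filter code):
- the interface-bound set keeps one first-match list per interface, so a
  packet arriving on an interface that has no list matches nothing and
  falls through to the default deny;
- the address-bound set is a single first-match list keyed on protocol,
  source and destination, evaluated regardless of interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet was seen on
    proto: str   # "tcp", "udp", "icmp"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    proto: str   # "tcp", "udp", "icmp" or "any"
    src: str     # CIDR
    dst: str     # CIDR

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match means default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


def interface_bound(rules_by_iface: Dict[str, List[Rule]], pkt: Packet) -> str:
    # Only the list for the arrival interface is consulted.
    return first_match(rules_by_iface.get(pkt.iface, []), pkt)


def address_bound(rules: List[Rule], pkt: Packet) -> str:
    # One list for every interface; the arrival interface is ignored.
    return first_match(rules, pkt)


# Constructed sample addresses and rule sets.
LAN = "192.168.1.0/24"
REMOTE = "10.9.0.0/24"      # LAN behind the IPsec peer (constructed)
ANY = "0.0.0.0/0"

PER_IFACE: Dict[str, List[Rule]] = {
    "lan": [Rule("pass", "any", LAN, ANY)],
    "wan": [Rule("block", "any", ANY, LAN)],
    # no list for the decapsulated VPN traffic
}
ADDRESS_RULES: List[Rule] = [
    Rule("pass", "tcp", REMOTE, LAN),   # one rule covers the VPN peer
    Rule("pass", "any", LAN, ANY),
    Rule("block", "any", ANY, LAN),
]


def evaluate(pkt: Packet) -> Dict[str, str]:
    """Return the verdict of each design for the same packet."""
    return {
        "interface_bound": interface_bound(PER_IFACE, pkt),
        "address_bound": address_bound(ADDRESS_RULES, pkt),
    }


if __name__ == "__main__":
    # "ipsec" is a hypothetical name for the decapsulation interface.
    for pkt in (Packet("ipsec", "tcp", "10.9.0.5", "192.168.1.10"),
                Packet("wan", "tcp", "203.0.113.7", "192.168.1.10"),
                Packet("lan", "udp", "192.168.1.10", "203.0.113.7")):
        print(pkt, evaluate(pkt))
```

The VPN packet is dropped by the interface-bound model simply because no rule list exists for its arrival interface, while the address-bound model applies the single source/destination rule to it; Internet-to-LAN and LAN-originated traffic get the same verdict under both designs.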