 From:  Sven Brill <madde at gmx dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] only allow IPSEC traffic?
 Date:  Tue, 02 May 2006 07:18:24 -0400
Pieterjan Heyse wrote:
> Hello m0n0wall peeps,
>
> can someone tell me what rules are necessary to _only_ allow IPSEC
> traffic?
>   
Technically, you only need IP protocol 50 (ESP) and UDP port 500, so two 
ALLOW rules and then a DROP ALL at the end should do it. Note that it 
has been a while since I played with IPSEC, mainly FreeS/WAN, but that is 
what IPSEC needs according to the specs.
> I have some wireless bridges with a m0n0wall on each side, and
> tunneling everything over ipsec. I would like to drop all the other
> traffic, only allowing the encrypted, secure traffic.
>   
I have something similar, my OPT1 interface has a wireless access point, 
and all I allow in is UDP port 1194, so I don't need WEP or any other 
kind of pseudo-security - I just like OpenVPN's simplicity, and I use 
the same setup to get into my LAN from anywhere in the world (office, 
client sites), so IPSEC was not an option, since ESP is often blocked 
outbound on corporate networks.

Sven
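
Added example (not part of the thread, and not m0n0wall code): a small first-match rule evaluator that models the two rule sets described above, the "ESP + UDP/500, then DROP ALL" set for the IPsec bridges and the "UDP/1194 only" set on the OPT1 wireless interface, and runs constructed sample packets through them so the ordering can be checked before typing the rules into the GUI. It goes one step beyond the reply by also passing UDP/4500 (IKE and ESP encapsulated in UDP for NAT traversal); that third rule is my assumption for the case where a NAT sits between the two ends and can be dropped if there is none. The rule and packet types and the sample packets are all constructed here.

```python
"""First-match packet filter model for the rule sets discussed in the thread.

Added illustration, not m0n0wall code: applies an ordered rule list to
constructed sample packets so the effect of "two ALLOW rules then DROP ALL"
can be checked.  All names and packets here are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50   # IPsec Encapsulating Security Payload
PROTO_AH = 51    # IPsec Authentication Header; an ESP tunnel does not need it


@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[int] = None   # None = any IP protocol
    dport: Optional[int] = None   # None = any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; `default` applies if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Rule set from the reply: ESP and IKE (UDP/500), then drop everything else.
# The UDP/4500 rule is an assumed addition (NAT traversal), not from the post.
IPSEC_ONLY = [
    Rule("pass", PROTO_ESP, None, "ESP, IP protocol 50"),
    Rule("pass", PROTO_UDP, 500, "IKE"),
    Rule("pass", PROTO_UDP, 4500, "IKE/ESP over UDP (NAT-T), assumed addition"),
    Rule("block", None, None, "drop all"),
]

# The OPT1 wireless rule set from the reply: only OpenVPN on UDP/1194.
OPENVPN_ONLY = [
    Rule("pass", PROTO_UDP, 1194, "OpenVPN"),
    Rule("block", None, None, "drop all"),
]

# Constructed sample packets, keyed by a short description.
SAMPLES: Dict[str, Packet] = {
    "esp": Packet(PROTO_ESP),
    "ah": Packet(PROTO_AH),
    "ike": Packet(PROTO_UDP, 500),
    "nat-t": Packet(PROTO_UDP, 4500),
    "openvpn": Packet(PROTO_UDP, 1194),
    "http": Packet(PROTO_TCP, 80),
    "dns": Packet(PROTO_UDP, 53),
}


def check_ruleset(rules: List[Rule], samples: Dict[str, Packet]) -> Dict[str, str]:
    """Return {description: action} for every sample packet."""
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, rules in (("ipsec-only", IPSEC_ONLY), ("openvpn-only", OPENVPN_ONLY)):
        print(name, check_ruleset(rules, SAMPLES))
    # Ordering matters: a "drop all" placed first swallows the ESP rule too.
    print("misordered esp:", evaluate([Rule("block")] + IPSEC_ONLY, Packet(PROTO_ESP)))
```

The evaluator is first-match like the per-interface rule lists on m0n0wall, so the DROP ALL has to be the last rule; the `misordered` line in the usage block shows what happens when it is not. Whether a real interface also needs ICMP or the remote endpoint pinned to a single source address is a policy choice the thread does not cover, so the model leaves those out.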