 From:  "Don Munyak" <don dot munyak at gmail dot com>
 To:  "Wilfred E. Savery" <wilfred dot savery at innovadotnet dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22
 Date:  Mon, 8 May 2006 16:15:35 -0400
On 1/8/06, Wilfred E. Savery <wilfred dot savery at innovadotnet dot com> wrote:
> But by default the rule says allow any from any, so I guess this Rule is
> already taken into account.
> Default LAN -> any
> Proto | Source  | Port | Destination | Port |
>   *   | LAN net |  *   |      *      |  *   |

No...That's the LAN rule.

By default ALL traffic is blocked inbound from the WAN, unless the
traffic "originated" from the LAN first. Since IPSEC is from WAN
interface to WAN interface, the router doesn't have a chance to see if
the request came from the LAN (in simple terms).

By specifically allowing ESP *  *  *  *, you are effectively saying
you will allow ESP from anyone, but, since you set up your IPSEC rules
to/from specific IPs, realistically only that traffic is accepted.

I guess also by saying ESP to ANY from ANY, you are also allowing a
LAN workstation to set up an IPSEC connection originating from the LAN.
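The behaviour described in this reply (LAN rule does not cover WAN-inbound traffic, stateful replies pass, ESP needs an explicit WAN rule) can be checked against a toy model of the rule table. The following is an added example written for this page, not code from the thread or from m0n0wall; it uses the quoted rule layout (Proto | Source | Port | Destination | Port), constructed documentation addresses (LAN 192.168.1.0/24, firewall WAN 192.0.2.1, IPsec peer 198.51.100.7), ignores NAT, and adds a third, tightened variant of the ESP rule (source restricted to the peer's WAN address) that the thread itself does not mention.

```python
"""Toy model of m0n0wall-style stateful filtering (constructed example).

Interfaces: packets arrive on "lan" or "wan". Rules are evaluated per
arrival interface; a packet that is the reply half of a flow already
passed by a rule is accepted from the state table. Everything else is
dropped (default deny). NAT is deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN subnet


@dataclass(frozen=True)
class Packet:
    iface: str               # interface the packet ARRIVES on: "lan" or "wan"
    proto: str               # "tcp", "udp", "esp", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One rule-table line: Proto | Source | Port | Destination | Port."""
    iface: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str


def field_matches(rule_value: str, packet_value) -> bool:
    if rule_value == ANY:
        return True
    if rule_value == "LAN net":               # the alias used in the quoted rule
        return ipaddress.ip_address(packet_value) in LAN_NET
    return str(rule_value) == str(packet_value)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and field_matches(rule.proto, pkt.proto)
            and field_matches(rule.src, pkt.src)
            and field_matches(rule.sport, pkt.sport)
            and field_matches(rule.dst, pkt.dst)
            and field_matches(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return one verdict per packet, in order, keeping a state table as we go."""
    state = set()
    verdicts = []
    for pkt in packets:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in state:                 # reply to a flow we already allowed
            verdicts.append("pass (state)")
            continue
        for rule in rules:                    # first matching rule on this interface wins
            if rule_matches(rule, pkt):
                state.add(flow)
                verdicts.append("pass (rule)")
                break
        else:
            verdicts.append("block")          # default deny
    return verdicts


# Rules (constructed). LAN_ANY is the default "LAN net -> any" rule from the thread,
# WAN_ESP_ANY is the "ESP * * * *" rule, WAN_ESP_PEER is the tightened variant.
LAN_ANY = Rule("lan", ANY, "LAN net", ANY, ANY, ANY)
WAN_ESP_ANY = Rule("wan", "esp", ANY, ANY, ANY, ANY)
WAN_ESP_PEER = Rule("wan", "esp", "198.51.100.7", ANY, "192.0.2.1", ANY)

# Packets (constructed): a LAN web request and its reply, and ESP arriving on WAN
# from the real peer and from an unrelated host.
web_out = Packet("lan", "tcp", "192.168.1.10", "203.0.113.5", 40000, 80)
web_reply = Packet("wan", "tcp", "203.0.113.5", "192.168.1.10", 80, 40000)
esp_from_peer = Packet("wan", "esp", "198.51.100.7", "192.0.2.1")
esp_from_stranger = Packet("wan", "esp", "198.51.100.99", "192.0.2.1")


def scenario_lan_rule_only() -> List[str]:
    """LAN rule alone: LAN-originated traffic and its reply pass, peer ESP is blocked."""
    return evaluate([LAN_ANY], [web_out, web_reply, esp_from_peer])


def scenario_esp_any() -> List[str]:
    """ESP * * * *: the peer passes, but so does ESP from any other host."""
    return evaluate([LAN_ANY, WAN_ESP_ANY], [esp_from_peer, esp_from_stranger])


def scenario_esp_peer_only() -> List[str]:
    """ESP restricted to the peer's WAN address: only the peer passes."""
    return evaluate([LAN_ANY, WAN_ESP_PEER], [esp_from_peer, esp_from_stranger])


if __name__ == "__main__":
    print("LAN rule only   :", scenario_lan_rule_only())
    print("ESP any/any     :", scenario_esp_any())
    print("ESP peer only   :", scenario_esp_peer_only())
```

Running it shows the three verdict lists: with only the LAN rule the web reply passes on state but the peer's ESP is blocked; with ESP any/any both ESP sources pass (the tunnel still only comes up with the configured peer, as the reply notes, but the rule itself admits ESP from anywhere); restricting the rule's source to the peer's address keeps the tunnel working while the firewall drops ESP from other hosts.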