Kai wrote:
> Can anyone show me how to create rules to restrict access on
> established tunnels? The default is to allow all traffic to pass
> between remote network to the local Lan. Can rules be set up to create
> a sort of one way tunnel?

Hi Kai...

I am pretty sure that the rules must be applied to packets as they ENTER an
interface of the tunnel. For example:

For packets flowing from Network_A to Network_B:

Network_A ---> m0n0wall_A >--IPSEC TUNNEL--> m0n0wall_B ---> Network_B

The rules to block/allow traffic in this direction would be applied on the
Network_A side of the m0n0wall_A.

Similarly, if you wanted to restrict traffic from Network_B flowing to
Network_A, rules would need to be applied on the Network_B side of the
m0n0wall_B.

This works great when you control both sides of the VPN. Not so great when
you only control one side.

In cases like this where I did not control the other side, I have terminated
VPNs on an OPT interface of another firewall and applied the rules I
wanted/needed on that interface on the 3rd firewall like so:

(heh tried to draw it here in text like above but failed... )

http://www.revpol.com/images/ipsectunnelplusrules.png

Hope this helps.

--
Bill Arlofski
Reverse Polarity
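The following is an added illustration, not code from the original post or from m0n0wall. It models the point Bill makes: rules take effect as a packet enters an interface, so a "one way" tunnel is really a stateful pass rule on the LAN side of the sending firewall plus a default block on the LAN side of the receiving firewall, and the scheme only holds when you control both ends. Network addresses (10.1.0.0/16 for Network_A, 10.2.0.0/16 for Network_B), the port numbers and the simplified prefix-matching rule format are all constructed for the example; traffic arriving from the tunnel is passed by default, as the original question describes.

```python
"""Toy model of where filtering rules bite on an IPsec site-to-site tunnel.

Constructed illustration, not m0n0wall code: rules are evaluated as a packet
ENTERS an interface, LAN-side rules are stateful (a pass creates state so the
reply is let back in), and traffic arriving from the tunnel is passed by
default, as in the original question.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

NET_A = "10.1."   # constructed: Network_A is 10.1.0.0/16
NET_B = "10.2."   # constructed: Network_B is 10.2.0.0/16

FlowKey = Tuple[str, str, int, int]   # (src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport)

    def reply_key(self) -> FlowKey:
        # the forward flow this packet would be a reply to
        return (self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src_net: str                 # prefix match on the source address
    dst_net: str                 # prefix match on the destination address
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src.startswith(self.src_net)
                and pkt.dst.startswith(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Firewall:
    name: str
    lan_rules: List[Rule] = field(default_factory=list)  # applied to packets entering from the local LAN
    state: Set[FlowKey] = field(default_factory=set)

    def lan_in(self, pkt: Packet) -> str:
        """Packet entering from the LAN: state first, then the rule list, then default block."""
        if pkt.reply_key() in self.state:
            return "pass"                      # reply to a flow that was already allowed through
        for rule in self.lan_rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.state.add(pkt.key())  # stateful pass: remember the flow for its reply
                return rule.action
        return "block"

    def tunnel_in(self, pkt: Packet) -> str:
        """Packet arriving from the IPsec tunnel: passed by default, but tracked so the LAN reply can go back."""
        self.state.add(pkt.key())
        return "pass"


def build_topology(control_both_sides: bool) -> Tuple[Firewall, Firewall]:
    """Network_A ---> m0n0wall_A >--IPSEC--> m0n0wall_B ---> Network_B, intended one-way A -> B on 443."""
    fw_a = Firewall("m0n0wall_A", [Rule("pass", NET_A, NET_B, 443)])
    if control_both_sides:
        fw_b = Firewall("m0n0wall_B", [])                             # default block: B may not initiate
    else:
        fw_b = Firewall("m0n0wall_B", [Rule("pass", NET_B, NET_A)])   # remote side left at allow-all
    return fw_a, fw_b


def forward(fw_a: Firewall, fw_b: Firewall, pkt: Packet) -> str:
    """Walk a packet through both firewalls; it is delivered only if every hop passes it."""
    first, second = (fw_a, fw_b) if pkt.src.startswith(NET_A) else (fw_b, fw_a)
    if first.lan_in(pkt) != "pass":     # rules bite where the packet enters from its own LAN
        return "block"
    return second.tunnel_in(pkt)


def run_scenario(control_both_sides: bool) -> dict:
    """Verdicts for an allowed request, its reply, a B-initiated connection and a disallowed A port."""
    fw_a, fw_b = build_topology(control_both_sides)
    https_request = Packet("10.1.0.5", "10.2.0.10", 40000, 443)
    https_reply = Packet("10.2.0.10", "10.1.0.5", 443, 40000)
    ssh_from_b = Packet("10.2.0.10", "10.1.0.5", 50000, 22)
    smtp_from_a = Packet("10.1.0.5", "10.2.0.10", 40001, 25)
    return {
        "A->B https": forward(fw_a, fw_b, https_request),
        "B->A https reply": forward(fw_a, fw_b, https_reply),
        "B->A new ssh": forward(fw_a, fw_b, ssh_from_b),
        "A->B smtp": forward(fw_a, fw_b, smtp_from_a),
    }


if __name__ == "__main__":
    for both in (True, False):
        print("control both sides:" if both else "control A only:   ", run_scenario(both))
```

With both sides under your control the B-initiated SSH attempt is blocked as it enters m0n0wall_B's LAN interface while the HTTPS reply still gets back thanks to state; with only side A under control the same SSH attempt is delivered, which is the "not so great" case that the third-firewall OPT-interface setup in the post works around.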