[ previous ] [ next ] [ threads ]
 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Apply rules against IPsec Tunnels
 Date:  Sat, 10 Mar 2007 21:25:12 -0000

Last year I had a play around with this and produced a test version of 
m0n0wall 1.21 that allowed you to filter traffic from IPSEC tunnels. 
m0n0wall works on the principal that the firewall rules are applied to an 
interface inbound, and everything is passed outbound (since its already 

However, with IPSEC traffic, encrypted traffic is passed in and then the 
decrypted traffic passes out without further inspection. In my test version 
I added an option that allowed you to apply the rule outbound instead of 
inbound, effectively allowing you to filter IPSEC traffic.

If this is something that may interest anyone I'll see if I can create a 
version based on the 1.23 image.


----- Original Message ----- 
From: "mtnbkr" <waa dash m0n0wall at revpol dot com>
To: "Kai" <kaiiiiii at gmail dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Saturday, March 10, 2007 2:50 PM
Subject: Re: [m0n0wall] Apply rules against IPsec Tunnels

> Kai wrote:
>> Can anyone show me how to create rules to restrict access on
>> established tunnels?  The default is to allow all traffic to pass
>> between remote network to the local Lan.  Can rules be setup to create
>> a sort of one way tunnel?
> Hi Kai... I am pretty sure that the rules must be applied to packets as
> the ENTER an interface of the tunnel.
> For example:
> For packets flowing from Network_A to Network_B:
> Network_A ---> m0n0wall_A >--IPSEC TUNNEL--> m0n0wall_B ---> Network_B
> The rules to block/allow traffic in this direction would be applied on
> the Network_A side of the m0n0wall_A.
> Similarly if you wanted to restrict traffic from Network_B flowing to
> Network_A, rules would need to be applied on the Network_B side of the
> m0n0wall_B.
> This works great when you control both sides of the VPN. Not so great
> when you only control one side. In cases like this where I did not
> control the other side, I have terminated VPNs on an OPT interface of
> another firewall and applied the rules I wanted/needed on that interface
> on the 3rd firewall like so:
> (heh   tried to draw it here in text like above but failed... )
> http://www.revpol.com/images/ipsectunnelplusrules.png
> Hope this helps.
> --
> Bill Arlofski
> Reverse Polarity
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch