> > The modification is a bit of a hack, as you need to put deny rules in
> > to control IPSEC traffic since it is permitted by default (the reverse
> > of normal traffic, which is denied by default). I rather like the way
> > that pfsense is using the enc0 interface to filter IPSEC traffic, as that
> > fits nicely into the existing model of how firewall rules are edited and
> > displayed.
>
> Frankly, the lack of control over IPSec connections in m0n0wall may be
> one of the most glaring shortcomings of the entire firewall. It is
> rare indeed, beyond home users, that a company can allow anyone who
> gets a VPN set up access to everything.
>
> My m0n0 is in home use, so it's not a huge deal - the firewall at work
> to which I VPN does have the ability to block traffic and it gets
> controlled there, but it is still something that should go on the
> official to-do list for m0n0, in my humble opinion, to solve this
> without having to resort to hacks.
>
> Yes, I know I can go with pfsense instead, but besides this issue, which
> is not critical for me, m0n0 is perfect for me.

I would agree with this. The IPSEC implementation as it stands gives too
much scope for people to 'accidentally' leave their network wide open.

Thanks,
Adam.
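To make the enc0 model the thread prefers concrete, here is an added illustration (not from the thread, and not m0n0wall or pfSense configuration) of what "deny by default, then permit what is needed" looks like for decapsulated IPsec traffic on a pf firewall with an enc(4) interface. The subnet and host addresses are constructed placeholders.

```pf
# Added illustration: default-deny filtering of IPsec traffic on enc0.
# Addresses below are assumed values, not taken from the thread.
ipsec_clients = "10.8.0.0/24"     # assumed remote VPN client subnet
intranet_web  = "192.168.1.10"    # assumed internal web server
intranet_dns  = "192.168.1.53"    # assumed internal resolver

# Everything that has just been decrypted from the tunnel is denied
# (and logged) unless a later rule explicitly passes it.
block in log on enc0 all

# Permit only the services VPN users are actually supposed to reach.
pass in on enc0 proto tcp from $ipsec_clients to $intranet_web port { 80, 443 }
pass in on enc0 proto udp from $ipsec_clients to $intranet_dns port 53
```

The rules on enc0 see only the cleartext inside the tunnel; the encrypted ESP and IKE traffic on the external interface is matched separately and still has to be passed there for the tunnel to come up at all. The `log` keyword on the block rule is what lets an operator see, via pflog, which tunnel traffic the policy is actually rejecting.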