> > The modification is a bit of a hack, as you need to put deny rules in
> > to control IPSEC traffic since it is permitted by default (the reverse
> > of normal traffic, which is denied by default). I rather like the way
> > pfsense is using the enc0 interface to filter IPSEC traffic, as that
> > fits nicely into the existing model of how firewall rules are edited
> > and displayed.
> Frankly, the lack of control over IPSec connections in m0n0wall may be
> one of the most glaring shortcomings of the entire firewall. It is
> rare indeed, beyond home users, that a company can allow anyone who
> gets a VPN set up access to everything.
> My m0n0 is in home use, so it's not a huge deal - the firewall at work
> to which I VPN does have the ability to block traffic and it gets
> controlled there, but it is still something that should go on the
> official to-do list for m0n0, in my humble opinion, to solve this
> without having to resort to hacks.
> Yes, I know I can go with pfsense instead, but besides this issue, which
> is not critical for me, m0n0 is perfect for me.
I would agree with this. The IPSEC implementation as it stands gives too
much scope for people to 'accidentally' leave their network wide open.