 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Apply rules against IPsec Tunnels
 Date:  Tue, 20 Mar 2007 19:21:28 +0000

In message
<21B81F6F07F1F246AAB2E56B42BCD1CA1C146B at sanab12 dot akerbraila dot ro>, Catalin
Epure <catalin dot epure at akeryards dot com> writes
>It would be simply EXCELLENT to have such a facility.
>I have to use 2 m0n0 boxes to do this and I'm not happy at all about
>I've started to think to look for something else, but after I've read
>this mail I am more confident in the m0n0's future ;-)
>Best regards
>> -----Original Message-----
>> From: Bjoern Euler [mailto:lists at edain dot de]
>> Sent: 11 March 2007 19:54
>> To: m0n0wall at lists dot m0n0 dot ch
>> Cc: Kristian Shaw
>> Subject: Re: [m0n0wall] Apply rules against IPsec Tunnels
>> On 10.03.2007 22:25 Kristian Shaw wrote:
>> > Hello,
>> >
>> > Last year I had a play around with this and produced a test version
>> > m0n0wall 1.21 that allowed you to filter traffic from IPSEC tunnels.
>> > m0n0wall works on the principle that the firewall rules are applied
>> > to an interface inbound, and everything is passed outbound (since it's
>> > already filtered).
>> > If this is something that may interest anyone I'll see if I can
>> > create a
>> > version based on the 1.23 image.
>> Hi,
>> this sounds very interesting!
>> I also played with a m0n0wall version that allowed out filtering to
>> catch incoming IPSec traffic but never did any GUI stuff.
>> If you could share your modifications with this list or even put
>> together a modified version based on 1.23 I'd be very happy to test
>> use it!

This is something I'd also be very interested in.  I provide remote
support for a network in a shop.  They also have m0n0wall which I
administer but I would prefer to enforce all the rules on my m0n0wall
that no one else can change, as opposed to theirs that could possibly
change but is unlikely.

It is also something that larger operations need as they can't let their
suppliers have carte blanche access to their entire network.

Would it not be as simple as having an 'inbound' or 'outbound' option
against each rule?  This could be hidden by default and default to
'inbound' but those that need it would be able to enable it.

Just my 2p,


Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
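The point the thread turns on is direction: m0n0wall evaluates rules inbound on an interface and passes everything outbound, so traffic that arrives encrypted through an IPsec tunnel on WAN is only ever checked as ESP from the peer gateway, and the decrypted inner packets leave through LAN without meeting any rule. The model below is an added illustration written for this page, not m0n0wall or ipfilter code; it assumes a hypothetical per-rule direction field (the "inbound/outbound option" suggested above) and uses constructed addresses. It shows the same inner packet being passed under inbound-only rules and blocked once an outbound rule on LAN restricts the remote network to one host and port.

```python
"""Toy model of interface-direction firewall filtering (constructed example).

Not m0n0wall code: a minimal first-match rule engine with a per-rule
direction, used to show why inbound-only rules cannot restrict what an IPsec
peer reaches on the LAN, and how an outbound LAN rule closes that gap.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses (RFC 5737 / RFC 1918), not from the original thread.
PEER_GW = "203.0.113.1"        # remote IPsec gateway (the supplier's box)
OUR_WAN = "198.51.100.1"       # our WAN address
REMOTE_LAN = "10.10.0.0/16"    # network behind the supplier's tunnel
LOCAL_LAN = "192.168.1.0/24"   # our LAN

# m0n0wall's stated behaviour: default deny inbound, default pass outbound.
DEFAULTS = {"in": "block", "out": "pass"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # "wan" or "lan"
    direction: str              # "in" or "out" (hypothetical per-rule option)
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet, iface: str, direction: str) -> bool:
        return (self.iface == iface
                and self.direction == direction
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, iface: str, direction: str) -> str:
    """First matching rule wins; otherwise the per-direction default applies."""
    for rule in rules:
        if rule.matches(pkt, iface, direction):
            return rule.action
    return DEFAULTS[direction]


def forward_tunnel_packet(rules: List[Rule], inner: Packet) -> str:
    """Path of a packet that arrives through the IPsec tunnel.

    1. The outer ESP packet is checked inbound on WAN; the rule only ever sees
       ESP from the peer gateway, never the inner addresses or ports.
    2. After decryption the inner packet is forwarded out of LAN, where only
       rules with direction "out" can touch it.
    """
    outer = Packet(src=PEER_GW, dst=OUR_WAN, proto="esp")
    if evaluate(rules, outer, "wan", "in") == "block":
        return "block"
    return evaluate(rules, inner, "lan", "out")


# Rule set 1: everything is an "in" rule, as m0n0wall works today.
INBOUND_ONLY = [
    Rule("pass", "wan", "in", proto="esp", src=PEER_GW),
    Rule("pass", "lan", "in", src=LOCAL_LAN),
]

# Rule set 2: same, plus "out" rules on LAN that let the remote network reach
# a single host on one port and block the rest of the tunnel traffic.
WITH_DIRECTION = INBOUND_ONLY + [
    Rule("pass", "lan", "out", proto="tcp", src=REMOTE_LAN,
         dst="192.168.1.10/32", dport=3389),
    Rule("block", "lan", "out", src=REMOTE_LAN),
]

# Constructed sample traffic from the remote side of the tunnel.
ALLOWED_INNER = Packet("10.10.5.5", "192.168.1.10", "tcp", 3389)
STRAY_INNER = Packet("10.10.5.5", "192.168.1.50", "tcp", 445)


def compare() -> dict:
    """Decisions for both packets under both rule sets."""
    return {
        "inbound_only": (forward_tunnel_packet(INBOUND_ONLY, ALLOWED_INNER),
                         forward_tunnel_packet(INBOUND_ONLY, STRAY_INNER)),
        "with_direction": (forward_tunnel_packet(WITH_DIRECTION, ALLOWED_INNER),
                           forward_tunnel_packet(WITH_DIRECTION, STRAY_INNER)),
    }


if __name__ == "__main__":
    for name, (allowed, stray) in compare().items():
        print(f"{name:15s} allowed={allowed} stray={stray}")
```

Under `INBOUND_ONLY` both inner packets are passed, because the only decision taken on the tunnel is "ESP from the peer gateway" on WAN and the default outbound action is pass. Under `WITH_DIRECTION` the stray packet to port 445 is blocked by the LAN "out" rule while the permitted host and port still pass, which is the per-supplier restriction the thread is asking for. A plain TCP packet from the peer gateway that is not inside the tunnel is still refused by the WAN inbound default in both sets.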