Hello All,

I did get round to producing a version of m0n0wall that can filter traffic from IPSEC VPNs, based on 1.23. It works by allowing you to apply interface rules outbound instead of the usual inbound. I've modified the GUI to let you enter these rules, and the direction of the rule is displayed in the rule summary.

The modification is a bit of a hack, as you need to put deny rules in to control IPSEC traffic since it is permitted by default (the reverse of normal traffic, which is denied by default). I rather like the way that pfsense is using the enc0 interface to filter IPSEC traffic, as that fits nicely into the existing model of how firewall rules are edited and displayed.

If you would like to try this version, send me a note and I'll email you the image (Generic PC).

Kris.

----- Original Message -----
From: "Catalin Epure" <catalin dot epure at akeryards dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, March 20, 2007 6:06 AM
Subject: RE: [m0n0wall] Apply rules against IPsec Tunnels

It would be simply EXCELLENT to have such a facility. I have to use 2 m0n0 boxes to do this and I'm not happy at all about this. I've started to think to look for something else, but after I've read this mail I am more confident in the m0n0's future ;-)

Best regards
Catalin

> -----Original Message-----
> From: Bjoern Euler [mailto:lists at edain dot de]
> Sent: 11 March 2007 19:54
> To: m0n0wall at lists dot m0n0 dot ch
> Cc: Kristian Shaw
> Subject: Re: [m0n0wall] Apply rules against IPsec Tunnels
>
> On 10.03.2007 22:25 Kristian Shaw wrote:
> > Hello,
> >
> > Last year I had a play around with this and produced a test version of
> > m0n0wall 1.21 that allowed you to filter traffic from IPSEC tunnels.
> > m0n0wall works on the principle that the firewall rules are applied to
> > an interface inbound, and everything is passed outbound (since it's
> > already filtered).
> >
> > If this is something that may interest anyone I'll see if I can create a
> > version based on the 1.23 image.
>
> Hi,
> this sounds very interesting!
> I also played with a m0n0wall version that allowed out filtering to
> catch incoming IPSec traffic but never did any GUI stuff.
>
> If you could share your modifications with this list or even put
> together a modified version based on 1.23 I'd be very happy to test and
> use it!
>
> kind regards
> -Bjoern
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> ---------------------------------------------------------------------
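As an added illustration (not Kris's build, and not pfSense's own ruleset), a pf.conf fragment showing the enc0 model the thread refers to: decrypted IPsec packets appear inbound on enc0, so they fall under the same inbound-per-interface, deny-by-default rules as any other interface instead of needing outbound deny rules. Interface names, networks and the allowed services are assumptions.

```pf
# Constructed pf.conf example (assumed interface names and networks).
ext_if     = "fxp0"
lan_if     = "fxp1"
lan_net    = "192.168.1.0/24"
remote_net = "10.10.0.0/24"     # network at the far end of the IPsec tunnel

set skip on lo0

# Deny by default, inbound on every interface (enc0 included);
# outbound is passed because it was already filtered on the way in.
block in log all
pass out quick all keep state

# Let the tunnel itself come up: IKE, NAT-T and ESP to the outside address.
pass in quick on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass in quick on $ext_if proto esp from any to ($ext_if)

# Ordinary LAN rules, inbound on the LAN interface as usual.
pass in quick on $lan_if from $lan_net to any keep state

# Decrypted tunnel traffic shows up inbound on enc0, so it is filtered
# with pass rules here; anything not listed falls through to "block in log all".
pass in quick on enc0 proto tcp  from $remote_net to $lan_net port { 22, 443 } keep state
pass in quick on enc0 proto icmp from $remote_net to $lan_net
```

On FreeBSD the enc0 interface has to be brought up (ifconfig enc0 up) before pf sees packets on it.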