> > We would like to block ALL the traffic in the remote office to the
> > internet...
> > We will create a VPN to the main office using IPsec.
> > We would like to force all the traffic in the remote office to go to our main
> > office and from there out to the internet.
> >
> > I've been told that creating the VPN is no problem, but blocking all the
> > traffic to the internet is impossible...
> >
> > Is this true?????
>
> Not true. I haven't done it, so somebody will correct me if I'm wrong, but I
> believe it's fairly simple once you have your vpn working.
>
> You will need 2 firewall rules on your remote office m0n0wall WAN interface.
> The first rule allows outgoing connections to the IP address of the main
> office. The second rule blocks all outgoing connections on the WAN. If your
> m0n0wall requires DNS to set up the vpn then you may need to add an allow
> rule before the default deny rule on the WAN to permit DNS queries.
>
> Add firewall rules on the IPsec interface to control traffic through the vpn
> tunnel.
>
> Did I miss anything? It's getting late here.

I don't know. Unless, however, there is a demand for INBOUND traffic which
should be allowed to the remote office (direct inbound TCP traffic, not via the
VPN tunnel). This inbound TCP traffic will be blocked since its outgoing ACK
packets will be blocked. Yes, the original poster didn't ask for such traffic,
but (strictly spoken) didn't ask for it to be blocked either :-).

Another way to block outgoing direct traffic to the internet would be to
utilize the traffic shaper... by defining an appropriate pipe with a packet
loss of 100%. ;-)

Best regards,
Klaus

_________________________________________________________
This mail sent using V-webmail - http://www.v-webmail.orgg
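The rule set discussed in the thread (allow outgoing to the main office, optionally allow DNS before the deny, then block everything else outgoing on the WAN) and Klaus's caveat about direct inbound TCP can be checked in a small first-match model. The following Python is an added example written for this page; it is not m0n0wall code and does not reflect m0n0wall's actual rule syntax. All addresses come from documentation ranges and are constructed, `Packet`, `Rule`, `evaluate` and `remote_wan_rules` are hypothetical helpers, and the `keep_state` flag is an assumption used to contrast stateless evaluation (where the reply to an allowed inbound connection hits the outbound deny, as Klaus describes) with a filter that remembers the flow. Whether a given m0n0wall rule keeps state is something to confirm in the m0n0wall documentation, not in this model.

```python
# Added example (not m0n0wall code): first-match model of the remote-office
# WAN rule set from the thread. Addresses are constructed documentation values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAIN_OFFICE = ip_network("203.0.113.10/32")  # constructed: main office VPN endpoint
DNS_SERVER = ip_network("203.0.113.53/32")   # constructed: resolver used during VPN setup
ANY = ip_network("0.0.0.0/0")
OFFICE_IP = "198.51.100.2"                   # constructed: remote office WAN address


@dataclass(frozen=True)
class Packet:
    direction: str            # "out" or "in", relative to the remote WAN interface
    proto: str                # "tcp", "udp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "out" or "in"
    proto: Optional[str] = None   # None matches any protocol
    dst: object = ANY             # destination network the rule applies to
    dport: Optional[int] = None   # None matches any port
    keep_state: bool = False      # assumption: pass rule that also admits the reply flow

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p: Packet, state: set) -> str:
    """First matching rule wins. A reply to a flow recorded in `state` passes
    before the rules are consulted, as a stateful filter would do. Ports are
    left out of the flow key to keep the model short."""
    if (p.proto, p.dst, p.src) in state:      # reverse of a remembered flow
        return "pass"
    for r in rules:
        if r.matches(p):
            if r.action == "pass" and r.keep_state:
                state.add((p.proto, p.src, p.dst))
            return r.action
    return "pass"   # modelled default: with no explicit deny, traffic leaks out


def remote_wan_rules(dns_before_deny: bool = True):
    """The two rules from the thread, plus the optional DNS allow. Placing the
    DNS allow after the deny (dns_before_deny=False) shows why order matters."""
    rules = [Rule("pass", "out", dst=MAIN_OFFICE)]                  # rule 1
    dns = Rule("pass", "out", proto="udp", dst=DNS_SERVER, dport=53)
    if dns_before_deny:
        rules.append(dns)
    rules.append(Rule("block", "out"))                              # rule 2
    if not dns_before_deny:
        rules.append(dns)                                           # never reached
    return rules


def tunnel_setup_allowed(rules) -> bool:
    return evaluate(rules, Packet("out", "esp", OFFICE_IP, "203.0.113.10"), set()) == "pass"


def direct_web_blocked(rules) -> bool:
    return evaluate(rules, Packet("out", "tcp", OFFICE_IP, "192.0.2.80", 80), set()) == "block"


def dns_allowed(rules) -> bool:
    return evaluate(rules, Packet("out", "udp", OFFICE_IP, "203.0.113.53", 53), set()) == "pass"


def inbound_tcp_works(rules) -> bool:
    """Klaus's caveat: an inbound connection allowed on the WAN still fails when
    its outgoing reply is evaluated against the outbound deny."""
    state = set()
    client = "192.0.2.7"                                   # constructed remote client
    syn = Packet("in", "tcp", client, OFFICE_IP, 22)
    reply = Packet("out", "tcp", OFFICE_IP, client)        # SYN/ACK back to the client
    return (evaluate(rules, syn, state) == "pass"
            and evaluate(rules, reply, state) == "pass")


if __name__ == "__main__":
    rules = remote_wan_rules()
    print("tunnel allowed:", tunnel_setup_allowed(rules))
    print("direct web blocked:", direct_web_blocked(rules))
    print("DNS allowed:", dns_allowed(rules))
    print("DNS allowed when placed after deny:", dns_allowed(remote_wan_rules(False)))
    stateless = [Rule("pass", "in", proto="tcp", dport=22)] + rules
    stateful = [Rule("pass", "in", proto="tcp", dport=22, keep_state=True)] + rules
    print("inbound TCP, stateless rules:", inbound_tcp_works(stateless))
    print("inbound TCP, stateful rule:", inbound_tcp_works(stateful))
```

Running it shows the VPN endpoint and (when ordered before the deny) DNS getting through while a direct web connection is blocked, the DNS allow doing nothing once it sits after the deny, and the inbound SSH connection failing under stateless evaluation exactly as Klaus points out, while a state-keeping inbound rule lets the reply out. The traffic-shaper approach from the end of the message is not modelled here.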