[ previous ] [ next ] [ threads ]
 From:  "Klaus Stock" <ks at stock dash consulting dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking ALL outbound traffic
 Date:  Mon, 13 Oct 2008 12:30:28 +0200
> > We will like to block ALL the traffic in the remote office to the
> > internet...
> > We will create a VPN to the main offfcie using IPsec.
> > We will like force all the traffic in the remeote office to go to our
> > office and from there out to the internet.
> >
> > I been told that creating the VPN is not problem, but blocking all the
> > traffic to the internet is imposible...
> >
> > Is this true?????
> Not true. I haven't done it, so somebody will correct me if I'm wrong, but
> believe it's fairly simple once you have your vpn working.
> You will need 2 firewall rules on your remote office m0n0wall WAN
> The first rule allows outgoing connections to the IP address of the main
> office. The second rule blocks all outgoing connections on the WAN. If
> m0n0wall requires DNS to set up the vpn then you may need to add an allow
> rule before the default deny rule on the WAN to permit DNS queries.
> Add firewall rules on the IPsec interface to control traffic through the
> tunnel.
> Did I miss anything? It's getting late here.

I don't know. Unless, however, there is a demand for INBOUND traffic which
should be allowed to the remote office (direct inbound TCP traffic, not via
the VPN tunnel). This inbound TCP traffic will be blocked since it's
outgoing ACK pakets will be blocked. Yes, the original poster didn't ask for
such traffic, but (strictly sproken) didn't ask for it to be blocked either

Another way to block outgoing direct traffic to the internet would be to use
utilize the traffic shaper...by defining an appropiate pipe with a packet
loss of 100%.


Best regards, Klaus
This mail sent using V-webmail - http://www.v-webmail.orgg