Wow, thank you very much to everyone!!!! Your replies are appreciated...
We will be trying your suggestion and report back...
I am glad we don't have to drop m0n0wall, because it is running on a thin client
and it runs very well.....
Yes, I know, it sounds silly but we want to block ALL traffic... :) inbound
and outbound... and ONLY allow the tunnel... ;)
Pedro Pable Roche
Computer engineer
----- Original Message -----
From: "Klaus Stock" <ks at stock dash consulting dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, October 13, 2008 6:30 AM
Subject: Re: [m0n0wall] Blocking ALL outbound traffic
>> > We would like to block ALL the traffic in the remote office to the
>> > internet...
>> > We will create a VPN to the main office using IPsec.
>> > We would like to force all the traffic in the remote office to go to our
>> > office and from there out to the internet.
>> > I've been told that creating the VPN is no problem, but blocking all the
>> > traffic to the internet is impossible...
>> > Is this true?????
>> Not true. I haven't done it, so somebody will correct me if I'm wrong, but I
>> believe it's fairly simple once you have your VPN working.
>> You will need 2 firewall rules on your remote office m0n0wall WAN
>> The first rule allows outgoing connections to the IP address of the main
>> office. The second rule blocks all outgoing connections on the WAN. If
>> m0n0wall requires DNS to set up the vpn then you may need to add an allow
>> rule before the default deny rule on the WAN to permit DNS queries.
>> Add firewall rules on the IPsec interface to control traffic through the
>> Did I miss anything? It's getting late here.
> I don't know. Unless, however, there is a demand for INBOUND traffic which
> should be allowed to the remote office (direct inbound TCP traffic, not
> the VPN tunnel). This inbound TCP traffic will be blocked since its
> outgoing ACK packets will be blocked. Yes, the original poster didn't ask for
> such traffic, but (strictly speaking) didn't ask for it to be blocked either.
> Another way to block outgoing direct traffic to the internet would be to
> utilize the traffic shaper... by defining an appropriate pipe with a packet
> loss of 100%.
> Best regards, Klaus
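The WAN ruleset proposed in the thread (allow DNS, allow traffic to the main-office IPsec endpoint, then block everything else), modelled as a stateless first-match evaluator. This is an added example written for this page, not code from the list or from m0n0wall; the addresses are constructed placeholders, and the model deliberately tracks no connection state so that it also shows Klaus's point about the reply packets of a directly inbound connection hitting the block rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample address (assumption, not taken from the thread).
MAIN_OFFICE_IP = "203.0.113.10"      # main-office IPsec endpoint

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "any", "tcp", "udp", "esp"
    dst: str                      # destination network in CIDR, or "any"
    dport: Optional[int] = None   # destination port, None = any port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and (self.dst == "any" or ip_address(pkt["dst"]) in ip_network(self.dst))
                and (self.dport is None or self.dport == pkt.get("dport")))

# Outbound WAN rules in the order the thread proposes; first match wins,
# so the two allow rules must sit above the catch-all block.
WAN_OUT_RULES = [
    Rule("pass", "udp", "any", 53),                 # DNS needed to bring the tunnel up
    Rule("pass", "any", MAIN_OFFICE_IP + "/32"),    # IKE (UDP 500) and ESP to main office
    Rule("block", "any", "any"),                    # everything else leaving directly
]

def decide(rules, pkt: dict, default: str = "block") -> str:
    """Stateless first-match evaluation of one outbound WAN packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

def evaluate_samples() -> dict:
    """Constructed outbound packets and the verdict the ruleset gives each."""
    samples = {
        "ike_to_main_office": {"proto": "udp", "dst": MAIN_OFFICE_IP, "dport": 500},
        "esp_to_main_office": {"proto": "esp", "dst": MAIN_OFFICE_IP},
        "dns_query":          {"proto": "udp", "dst": "198.51.100.53", "dport": 53},
        "https_direct":       {"proto": "tcp", "dst": "198.51.100.80", "dport": 443},
        # Reply (ACK) of a connection that arrived directly over the WAN: with no
        # state tracking it is just another outbound packet and hits the block.
        "reply_to_inbound":   {"proto": "tcp", "dst": "198.51.100.7", "dport": 51234},
    }
    return {name: decide(WAN_OUT_RULES, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} {verdict}")
```

Reversing the list (block rule first) makes even the IKE and ESP packets fail, which is the ordering mistake to check for when entering the rules in the WAN tab.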