 From:  "Manny A. Wise" <mannywise at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Blocking ALL traffic only VPN allowed.
 Date:  Mon, 13 Oct 2008 19:47:59 -0400
Wow, thank you very much to everyone !!!! Your replies are appreciated...
We will be trying your suggestion and report back...
I am glad we don't have to drop m0n0wall, because it is running on a thin client
and it runs very well.....
Yes, I know, it sounds silly but we want to block ALL traffic... :) inbound
and outbound...and ONLY allow the tunnel... ;)
Thanks again...

Pedro Pable Roche
Computer engineer

----- Original Message ----- 
From: "Klaus Stock" <ks at stock dash consulting dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, October 13, 2008 6:30 AM
Subject: Re: [m0n0wall] Blocking ALL outbound traffic

>> > We would like to block ALL the traffic in the remote office to the
>> > internet...
>> > We will create a VPN to the main office using IPsec.
>> > We would like to force all the traffic in the remote office to go to our
>> > main office and from there out to the internet.
>> >
>> > I've been told that creating the VPN is no problem, but blocking all the
>> > traffic to the internet is impossible...
>> >
>> > Is this true?????
>> Not true. I haven't done it, so somebody will correct me if I'm wrong, but
>> I believe it's fairly simple once you have your VPN working.
>> You will need 2 firewall rules on your remote office m0n0wall WAN
>> interface.
>> The first rule allows outgoing connections to the IP address of the main
>> office. The second rule blocks all outgoing connections on the WAN. If
>> your m0n0wall requires DNS to set up the VPN then you may need to add an
>> allow rule before the default deny rule on the WAN to permit DNS queries.
>> Add firewall rules on the IPsec interface to control traffic through the
>> VPN tunnel.
>> Did I miss anything? It's getting late here.
> I don't know. Unless, however, there is a demand for INBOUND traffic which
> should be allowed to the remote office (direct inbound TCP traffic, not via
> the VPN tunnel). This inbound TCP traffic will be blocked since its
> outgoing ACK packets will be blocked. Yes, the original poster didn't ask
> for such traffic, but (strictly speaking) didn't ask for it to be blocked
> either :-).
> Another way to block outgoing direct traffic to the internet would be to
> utilize the traffic shaper...by defining an appropriate pipe with a packet
> loss of 100%.
> ;-)
> Best regards, Klaus
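As an added illustration (not code from this thread or from m0n0wall itself), the following Python models the WAN rule order discussed above as a stateless first-match evaluator: the allows for the IPsec peer and for DNS sit ahead of the catch-all outbound block, and reversing the order shows why that matters. The main-office and DNS addresses are constructed placeholders.

```python
# Added example: stateless first-match model of the remote-office WAN rules.
# All addresses below are constructed placeholders, not values from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAIN_OFFICE = "203.0.113.10"   # constructed: public IP of the main-office IPsec peer
DNS_SERVER = "198.51.100.53"   # constructed: resolver needed before the tunnel is up


@dataclass(frozen=True)
class Packet:
    direction: str            # "out" or "in", as seen on the WAN interface
    proto: str                # "tcp", "udp" or "esp"
    dst: str                  # destination IP address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str
    proto: Optional[str] = None    # None matches any protocol
    dst: Optional[str] = None      # host or network in CIDR form, None = any
    dport: Optional[int] = None    # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


# First match wins, so the peer and DNS allows must precede the catch-all block.
WAN_RULES: List[Rule] = [
    Rule("pass", "out", "esp", f"{MAIN_OFFICE}/32"),        # IPsec ESP to the peer
    Rule("pass", "out", "udp", f"{MAIN_OFFICE}/32", 500),   # IKE to the peer
    Rule("pass", "out", "udp", f"{DNS_SERVER}/32", 53),     # DNS, before the deny
    Rule("block", "out"),                                   # everything else out
]


def verdict(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """Return the action of the first matching rule, or the default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default
```

Because the model is stateless, an outbound TCP packet replying to a directly inbound connection also hits the catch-all block, which is the side effect Klaus describes.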