 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] filtering VPN traffic
 Date:  Thu, 11 Mar 2004 08:36:16 +1000
Hi All,

On Wed, 2004-03-10 at 21:19, Manuel Kasper wrote:
> On 10.03.2004 08:31 +0100, JHead wrote:
> > I just joined the group of people who would like to filter the VPN
> > traffic.
> > Obviously it's by design not possible, isn't it?
> No - the way IPsec and ipfilter interact in FreeBSD makes it
> infeasible to filter traffic from/to VPN tunnels in a secure way.

The exact same thing happens with a Linux iptables/FreeS/WAN
implementation - the IPSEC traffic totally bypasses the firewalling
rules.  This is because it is expected that the remote network/computer
being VPNed is intended to operate as if it were on the local LAN.

If you want to restrict access to the remote LAN, then ACLs need to be
implemented on your local LAN machines to allow local but not VPN
traffic.  These need to be applied to all applicable machines.



Hilton Travis                   Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual      Phone: +61-(0)419-792-394
         Quark Computers         http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/

Open Source Projects:		http://www.ares-desktop.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
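The per-host ACL Hilton recommends, as an added example that is not code from the post, from m0n0wall or from FreeS/WAN: a LAN machine accepts its own subnet, drops anything arriving from the VPN peer network, and (going a step beyond the post) can allow named remote hosts to specific TCP ports. The subnets 192.168.1.0/24 and 10.8.0.0/24, the host 10.8.0.10 and the iptables rendering are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostAcl:
    """Per-host ACL for a LAN machine: the perimeter firewall never sees the
    decrypted IPsec traffic, so the host must decide by source prefix itself."""
    local_lan: ipaddress.IPv4Network
    vpn_remote: list                              # networks reached via the tunnel
    allowed: dict = field(default_factory=dict)   # {IPv4Network: {tcp ports}}

    def decide(self, src: str, dport: int) -> str:
        """Return ACCEPT or DROP for an inbound TCP packet to this host."""
        src_ip = ipaddress.ip_address(src)
        if src_ip in self.local_lan:
            return "ACCEPT"        # local LAN stays trusted, as in the post
        if any(src_ip in net for net in self.vpn_remote):
            for net, ports in self.allowed.items():
                if src_ip in net and dport in ports:
                    return "ACCEPT"  # explicitly allowed remote host and port
            return "DROP"            # everything else that came through the VPN
        return "DROP"                # assumption: unknown sources are denied too

    def iptables_rules(self) -> list:
        """Render the same policy as iptables commands (constructed form).
        iptables stops at the first match, so exceptions precede the DROP."""
        rules = [f"iptables -A INPUT -s {self.local_lan} -j ACCEPT"]
        for net, ports in self.allowed.items():
            for port in sorted(ports):
                rules.append(f"iptables -A INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
        for net in self.vpn_remote:
            rules.append(f"iptables -A INPUT -s {net} -j DROP")
        return rules


def example_acl() -> HostAcl:
    """Constructed sample: local LAN 192.168.1.0/24, remote VPN LAN 10.8.0.0/24,
    with only host 10.8.0.10 allowed to reach TCP/22 on this machine."""
    return HostAcl(
        local_lan=ipaddress.ip_network("192.168.1.0/24"),
        vpn_remote=[ipaddress.ip_network("10.8.0.0/24")],
        allowed={ipaddress.ip_network("10.8.0.10/32"): {22}},
    )


if __name__ == "__main__":
    acl = example_acl()
    print(acl.decide("192.168.1.20", 445), acl.decide("10.8.0.5", 445))  # ACCEPT DROP
    print("\n".join(acl.iptables_rules()))
```

The same rule set has to be installed on every LAN host that should not be reachable from the remote side, which is the "all applicable machines" caveat from the post.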