Locking down IPSec traffic
-
I have pfSense running at my office and at a co-location facility. I managed to get an IPSec tunnel set up, and am now passing traffic. However, I'm a little bit concerned about security and would like to lock down traffic a bit.
Currently, I have these firewall rules set up for IPSec at both locations: (The image is included as an attachment at the bottom of this message.)
The first two are "black magic" to me. That is, I don't really understand why they're required, but adding them seems to have got the tunnel up and working. The third rule is, basically, "allow anything on the IPSec tunnel."
If I understand things correctly, that third rule only applies to the IPSec tunnel. That is, it won't allow traffic from WAN to LAN. Right?
And I assume Windows (or pfSense) won't do something stupid like take an Internet request from my machine on the office LAN and route it across the tunnel to the co-location facility and out on the WAN address there. But, really, do I need to allow IPSec -> WAN?
I guess the better question is: Am I exposing myself to any risk by using that third rule? If so, what rules would you recommend I replace it with? Mostly, I need to use Windows Remote Desktop from my office to the co-location facility. In addition, I copy small files across and access some Web pages (like the pfSense configuration) across the tunnel.
Any advice appreciated.
Jim
-
The 'black magic' rules to make the tunnel work are created behind the scenes and apply to the WAN interface and not the IPSec interface. The IPSec rules filter the traffic coming in through the tunnel, so by the time you are there, the tunnel is up already. I would, at a minimum, restrict access on the office-side IPSec tunnel (blocking traffic from the colo). Does the colo ever need to initiate a connection to the office? Possibly not, and even so, lock it down to connections coming from the colo subnet to whatever host(s) you need. I find it handy to move the allow-all rule to last and turn on logging before final lockdown. You can then scan the firewall logs for matched allows on IPSec and see what traffic will be blocked when you turn off the allow.
-
Thanks for the advice. I'll go adjust my rules.
Interestingly, the "black magic" rules weren't created automatically. That was a huge stumbling block for me in getting the tunnel up. I found the answer here on the forum.
I rarely need to initiate a connection from the colo to the office. I think I can safely lock that down completely. On the rare occasion I need to access the office from there, I can either open it up, or create a PPTP VPN session through an alternate network.