Netgate Discussion Forum
    Firewall not working on IPsec site-to-site

    14 Posts 5 Posters 4.9k Views
lblokland:

Hi,

In my 1.2.3 RC1 setup the firewall is not working in the IPsec tunnels.
The tunnels are working, but all traffic can pass over them.

It doesn't matter if I create allow/deny rules or no rules at all in the IPsec firewall section.

Can anyone point me in the correct direction?

Cheers,

Leon
jlepthien:

That is probably because you can only set rules with the destination "any" on the LAN tab of the ruleset to allow traffic to all internet sites. I also just realised that, and this really suckz. I want to be able to specify the outgoing interface (like WAN) on my LAN ruleset tab, but that doesn't seem to be working right now. :(

Pity

| apple fanboy | music lover | network and security specialist | in love with cisco systems |
lblokland:

That's not helping….
So what is the point of the IPSec tab in the rules?

L
jlepthien:

@lblokland:

That's not helping….
So what is the point of the IPSec tab in the rules?

L

Firewalling incoming IPSec traffic?
lblokland:

Yep, now I understand… firewalling is only 'from' the interface (LAN/WAN/IPsec) to another address/subnet etc.
But now I want to specify the rules from an interface (LAN) to the internet....
How can I specify the 'internet' in the 'Destination' option? Should I just enter the WAN address in here?

Other question: after changing rules, it looks like I have to restart the whole system before a rule is applied to the IPSec section. That is, only deny rules: when I disable a deny rule, it is instantly applied, but after enabling it again, it is not applied.

Cheers
GruensFroeschli:

@lblokland:

How can I specify the 'internet' in the 'Destination' option? Should I just enter the WAN address in here?

"WAN address" means exactly that: the address the pfSense has on its WAN interface.

For the internet you can use "any".

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
jlepthien:

@GruensFroeschli:

How can I specify the 'internet' in the 'Destination' option? Should I just enter the WAN address in here?

"WAN address" means exactly that: the address the pfSense has on its WAN interface.

For the internet you can use "any".

Yeah, but that suckz. Any is really any. So also all IPSec tunnels, all DMZ interfaces etc. I want to be able to create rules that say port 80 and 443 from LAN to WAN interface but not through the tunnel. Every firewall can do that, but pfSense seems to be lacking that feature…

Pity
GruensFroeschli:

Not really:
Create an alias containing all the subnets you want NOT to be accessed.
Set as destination !alias –> (NOT alias).

Now you allow anything except the content of the alias.
lblokland:

So every time we add a new site we have to make sure it is firewalled manually by adding it to the alias?
This is not very secure firewall behaviour.
I'll try to test some tomorrow.
Cheers
GruensFroeschli:

It's only as secure as you make it.
pfSense is just a tool which you have to use right.
It isn't less secure by design, but less secure if you handle it wrong.

I assume you have private networks on the other side of the IPsec connection.
I would create an alias "private subnets": 192.168/16, 172.16/12, 10/8.
Like this you make sure only "internet traffic" will ever be allowed,
and use this as destination "NOT alias".

I assume you still need access to some IPs on the other side of the tunnel. –> Create a second alias containing all the allowed destinations and have a rule above the default "allow everything NOT private".

Rule1: allowed private stuff
Rule2: allow NOT private.
(hidden Rule3: block everything)
jlepthien:

Yeah, but that behaviour isn't good. All other firewalls can do this stuff and here we need a cheap workaround…
That really sucks. And knowing that pfSense is using OpenBSD's PF, I also know that you can do this stuff with OpenBSD because I used it.
That is kinda lame...
sullrich:

2.0 has floating rules which will make this task much easier, but in 1.2 you can use 2 aliases like GruensFroeschli said. I have this working now on my VPN rules.

We might also add "non local networks" or "vpn networks" to the dropdown in 2.0 which should do what you are wanting, I suspect.
jimp (Rebel Alliance Developer, Netgate):

An additional idea for your LAN rules. A slight variation on what was mentioned above.

Make an Alias containing the RFC1918 networks (10/8, 172.16/12, 192.168/16).
Make a block rule above your default allow rule that looks like

block * from LAN network to RFC1918

Then put your explicit VPN allow rule using an alias of your VPN networks above that.

Now it would no longer automatically have access to any other private networks you might configure.

So it would look like this:

pass rule for VPN traffic
block rule for RFC1918 nets
pass rule for LAN -> any

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
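As an added example (not code from the thread, pfSense or pf itself), the following small Python evaluator models the rule orders proposed by GruensFroeschli (pass VPN alias, then pass NOT private) and by jimp (pass VPN, block RFC1918, pass any) next to the naive "pass LAN -> any" rule, so the three outcomes can be compared for an internet, a VPN and an unrelated private destination. It assumes pfSense's first-match ("quick") evaluation with a hidden default block; the LAN subnet, VPN subnet and test addresses are constructed sample values.

```python
# Added example: first-match rule evaluator modelling the thread's rule orders.
# Subnets and test addresses below are constructed, not from the thread.
from ipaddress import ip_address, ip_network

# Aliases as discussed in the thread; LAN_NET and VPN_NETS are assumed values.
ALIASES = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "VPN_NETS": ["10.20.0.0/16"],      # remote IPsec subnet (constructed)
    "LAN_NET": ["192.168.1.0/24"],     # local LAN (constructed)
}

def in_alias(addr, name):
    """True if addr falls inside any subnet of the named alias."""
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in ALIASES[name])

def dst_matches(addr, dst):
    """dst is 'any', an alias name, or '!alias' (the thread's NOT alias)."""
    if dst == "any":
        return True
    if dst.startswith("!"):
        return not in_alias(addr, dst[1:])
    return in_alias(addr, dst)

def evaluate(rules, src, dst):
    """First matching (action, src_alias, dst_spec) wins; default is block."""
    for action, src_alias, dst_spec in rules:
        if in_alias(src, src_alias) and dst_matches(dst, dst_spec):
            return action
    return "block"  # the hidden default-deny rule at the end of the ruleset

# Naive LAN ruleset: 'any' also reaches the VPN and every other private net.
NAIVE = [("pass", "LAN_NET", "any")]

# GruensFroeschli: explicit VPN destinations, then "allow NOT private".
ALIAS_ORDER = [("pass", "LAN_NET", "VPN_NETS"), ("pass", "LAN_NET", "!RFC1918")]

# jimp: pass VPN, block RFC1918, pass LAN -> any.
JIMP_ORDER = [("pass", "LAN_NET", "VPN_NETS"),
              ("block", "LAN_NET", "RFC1918"),
              ("pass", "LAN_NET", "any")]

def compare(rulesets, src="192.168.1.10"):
    """Return {ruleset name: {destination label: verdict}} for three targets."""
    targets = {"internet": "203.0.113.5", "vpn": "10.20.5.7",
               "other_private": "10.99.0.1"}  # constructed test addresses
    return {name: {label: evaluate(rules, src, ip) for label, ip in targets.items()}
            for name, rules in rulesets.items()}
```

Running `compare({"naive": NAIVE, "alias": ALIAS_ORDER, "jimp": JIMP_ORDER})` shows that only the naive ruleset passes traffic to the unrelated private subnet, while both alias-based orders still pass internet and VPN traffic.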
jlepthien:

Thanks jimp and sullrich. That will work until the 2.0 release ;)
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.