Netgate Discussion Forum

    Firewall rules in IPSec tunnel

daviddst

      Hi,

      Hoba, you said this in a previous post (IPsec tunnel looks OK but no firewall rules are generated):

      You shouldn't need any firewall rules and actually we are not yet able to filter IPsec traffic anyway.

      Is it because the VPN configurator automatically adds these firewall rules? If yes, is it possible to know how to disable this feature by adding some comments in the firewall configuration files (which functions and in which files)?

      Thanks a lot.

      David,

      hoba

        You can't disable this. It's a design thing that hopefully will be solved for version 1.1 but it's too early to promise anything concerning that.

        daviddst

          Thanks for your reply. But this behavior comes from pfSense, not from IPsec, so a tweak should be possible to restrict IPsec traffic, no?

          I've commented out the 2 lines below in filter.inc.

          // filter.inc: pf rules pfSense generates for each IPsec tunnel between the LAN and the remote subnet.
          // The inner quotes around the rule label have to be escaped inside the PHP double-quoted string.
          $ipfrules .= "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state label \"IPSEC: {$tunnel['descr']} - remote to local\"\n";
          $ipfrules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state label \"IPSEC: {$tunnel['descr']} - local to remote\"\n";

          But the VPN traffic isn't blocked :(, how is that possible??? Is it due to these lines: "let out anything from firewall host itself"?

          Thanks,

          David.

          sullrich

            Re-read what hoba said carefully.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.