Firewall rules in IPSec tunnel

daviddst

Hi,

Hoba, you said this in a previous post (IPsec tunnel looks OK but no firewall rules are generated) :

You shouldn't need any firewallrules and actually we are not yet able to filter IPSEC traffic anyway.

It's because VPN configurator automaticately add theses firewall rules ? If yes, it is possible to know how disable this feature by adding some comment in firewall configuration files (which functions and in which files) ?

Thanks a lot.

David,

hoba

You can't disable this. It's a design thing that hopefully will be solved for version 1.1 but it's too early to promise anything concerning that.

daviddst

Thanks for your reply. But this behavior come from pfSense, not from IPsec, a tweak should be possible to restrict IPSec traffic, no ?

I've commented the 2 lines below in filter.inc.

$ipfrules .= "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state
label "IPSEC: {$tunnel['descr']} - remote to local"\n";
                      $ipfrules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state
label "IPSEC:  {$tunnel['descr']} - local to remote"\n";

But the VPN traffic isn't block  :(, how it's possible  ??? It is due to theses lines : "let out anything from firewall host itself" ?

Thanks,

David.

sullrich

Re-read what hoba said carefully.