Firewall rules in IPSec tunnel
-
Hi,
Hoba, you said this in a previous post (IPsec tunnel looks OK but no firewall rules are generated):
You shouldn't need any firewall rules and actually we are not yet able to filter IPSEC traffic anyway.
Is it because the VPN configurator automatically adds these firewall rules? If yes, is it possible to know how to disable this feature by adding some comments in the firewall configuration files (which functions and in which files)?
Thanks a lot.
David.
-
You can't disable this. It's a design thing that hopefully will be solved for version 1.1 but it's too early to promise anything concerning that.
-
Thanks for your reply. But this behavior comes from pfSense, not from IPsec, so a tweak should be possible to restrict IPsec traffic, no?
I've commented out the 2 lines below in filter.inc (the inner quotes around the label are escaped in the PHP source):
$ipfrules .= "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state label \"IPSEC: {$tunnel['descr']} - remote to local\"\n";
$ipfrules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state label \"IPSEC: {$tunnel['descr']} - local to remote\"\n";
But the VPN traffic isn't blocked :(, how is it possible??? Is it due to these lines: "let out anything from firewall host itself"?
Thanks,
David.
-
Re-read what hoba said carefully.