IPSec Rules



  • Hi,

    Am sure I am missing something here, but am looking to lockdown IPSec VPN, incoming rules are easy, as they are just applied to the IPSec interface to allow incoming as needed, however is there any way to lock down outgoing traffic, have tried on IPSec interface, WAN, and LAN, and nothing appears to block any traffic?

    Sure it straighforward but can someone point my in the right direction

    PFSense version 1.2.2

    Test traffic was ICMP (all) and also test to block outgoing RDP neither was blocked

    Cheers

    J



  • The rules are applied as traffic enters the Interface. So the IPsec tab is filtering traffic incoming via the IPsec vpn. The outgoing traffic is generally filtered as it enters the LAN interface. A simple rule to block from source: lan-subnet dest: (remote subnet through tunnel) dest port: 3389 on your LAN tab should block rdp to the other side of the tunnel. This rule would need to be placed, of course, before the default allow all rule.



  • I tried this but it didn't work, but i'll give it a go again tomorrow and see if I can work out whats going on.

    J



  • I am wanting to tie down some security for the VPN tunnels I have running but I am not sure wht I am doing wrong.

    I am having somewhat the same problems as others in this post. The IPSec rules tab is straight forward, but I am not sure what's going on with the remote site.

    I have IPsec site-to-site, and both ends have static public IP's. On the remote ends I have a default rule of allow all and any on the IPsec tab. This is ok for now, but I want to tie down the security on the home office by only allowing access to certain host on the network.

    I can establish a secusseful connection from both ends when the IPsec rule is set to allow all and any on both ends. When I tried to set the home office main rule to allow from only a single host/alias on the source being the remote public IP of the remote network and then set allow any protocol, and set the source to a single host / alias in the home office. I cannot ping that host from the remote site, but I can still ping all the host on the remote network as I exspected to still be able to do since it's rule is set to allow any and all.

    I am scratching my head on why I can not ping the one host at the home office network. Keep in mind that I have only one rule set at the home office for testing reasons, so there is no way that any other rules can be voiding the situation.


Log in to reply