IPSEC filtering now present in recent snapshots


    IPSEC Filtering is now present in the 1.0.X branch, first appearing in
    today's snapshot.

    By default on upgrade we will install a default PASS rule for the
    IPSEC interface to permit traffic.  So basically anyone upgrading will
    not see a difference.  However, you can edit the default rule and
    introduce fine-grained control of the IPSEC tunnels if you wish.

    The feature will appear in today's snapshot, which is currently building,
    located at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

    Have fun!

  • Hi Scott, the filtering is most welcome.
    I have tested the filtering through IPSEC tunnels on 1.0.1-SNAPSHOT-03-15-2007, and after rejecting any-any in the IPSEC rules, I can still send traffic through the tunnels.

    Is the filtering just for mobile clients, or should the tunnels be filtered too?


  • A new ruleset is only applied for new connections. If there are old states they will still be allowed until they are closed or time out. Make sure you don't test with old states (maybe do a Diagnostics > States, reset states).

  • I did reset the states and deleted both IPSEC SAs, but I can still ping a host at the remote site.


  • This is for incoming traffic. Traffic that is sent from the remote end to you through the tunnel. If you have a pass any rule at LAN it allows traffic to go into the tunnel, of course. You have to test this coming from the m0n0 end, pinging through the tunnel.
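    The two points made in this thread (old states survive a ruleset change until reset, and IPSEC rules only see traffic entering from the remote end) can be shown with a small pf-style stateful filter model. This is an added example, not pfSense code; the interface names, addresses and rule format are constructed for illustration.

    ```python
    # Toy model of pf-style stateful filtering (constructed example, not pfSense code).
    # Rules are matched per entry interface; a matching state bypasses the ruleset.
    from dataclasses import dataclass, field


    @dataclass
    class Rule:
        iface: str    # interface the packet enters the firewall on (e.g. "lan", "ipsec")
        action: str   # "pass" or "block"


    @dataclass
    class Firewall:
        rules: dict = field(default_factory=dict)   # iface -> Rule (one rule per iface here)
        states: set = field(default_factory=set)    # (iface, src, dst) flows already allowed

        def load_ruleset(self, rules):
            """Reload the ruleset. As with pf, existing states are NOT touched."""
            self.rules = {r.iface: r for r in rules}

        def reset_states(self):
            """Equivalent of Diagnostics > States > reset states."""
            self.states.clear()

        def packet(self, iface, src, dst):
            key = (iface, src, dst)
            if key in self.states:          # state match wins before any rule is consulted
                return "pass (existing state)"
            rule = self.rules.get(iface)
            if rule is None or rule.action != "pass":
                return "block"              # default deny when no pass rule matches
            self.states.add(key)
            return "pass (new state)"


    def demo():
        fw = Firewall()
        fw.load_ruleset([Rule("lan", "pass"), Rule("ipsec", "pass")])   # upgrade default
        # Remote host pings a local host through the tunnel: enters on the IPSEC interface.
        first = fw.packet("ipsec", "10.0.2.5", "192.168.1.10")
        fw.load_ruleset([Rule("lan", "pass"), Rule("ipsec", "block")])  # admin blocks IPSEC
        stale = fw.packet("ipsec", "10.0.2.5", "192.168.1.10")          # old state still passes
        fw.reset_states()
        after_reset = fw.packet("ipsec", "10.0.2.5", "192.168.1.10")    # now blocked
        # Local LAN host pings the remote site: enters on LAN, so the IPSEC rule never applies.
        outbound = fw.packet("lan", "192.168.1.10", "10.0.2.5")
        return first, stale, after_reset, outbound
    ```

    Running `demo()` reproduces the thread: the remote-to-local ping keeps passing after the block rule until states are reset, while the local-to-remote ping is governed by the LAN rule alone.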

  • I just noticed that. Thanks, I'll keep that in mind.


  • So it is working correctly now?

  • Yes, perfect.
