5. IPSEC - All traffic is allowed without any rule! WHY?

IPSEC - All traffic is allowed without any rule! WHY?

  • T

    Please help me to understand:

    I have a IPSEC connection connected through the WAN gateway. Everything is ok, the tunnel is successfullly connected to the remote peer.

    Here's my "problem":
    In every tutorial I read that I must have an IPSEC rule for passing the traffic, default is "block all" I don't have any rule in the RULES > IPSEC section. So my understanding is that any traffic will be blocked, but in my tunnel I can reach any remote peer (for example ping a client).

    Is this correct?

    0
  • W

    Firewall rules apply to traffic ENTERING the firewall on the associated interface. The default firewall rules will block pings ENTERING the firewall on the IPSEC interface but not pings LEAVING on the IPSEC interface.

    0
  • T

    Thank you for your quick answer!

    So how can I block every port in my IPSEC tunnel except port 80?

    0
  • P

    If you just have LAN, WAN and the IPsec tunnel, then incoming from WAN to anywhere is already blocked (unless you have enabled something). So you want to also block traffic from LAN heading to IPsec.
    On LAN, above the general "allow all on LAN", add:
    a) pass rule, source any, destination IPsec address/s port 80
    b) block rule, source any, destination IPsec address/s port all

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy