Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPSEC - All traffic is allowed without any rule! WHY?

    2.1 Snapshot Feedback and Problems - RETIRED
    3
    4
    1314
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TomJonas last edited by

      Please help me to understand:

      I have a IPSEC connection connected through the WAN gateway. Everything is ok, the tunnel is successfullly connected to the remote peer.

      Here's my "problem":
      In every tutorial I read that I must have an IPSEC rule for passing the traffic, default is "block all" I don't have any rule in the RULES > IPSEC section. So my understanding is that any traffic will be blocked, but in my tunnel I can reach any remote peer (for example ping a client).

      Is this correct?

      1 Reply Last reply Reply Quote 0
      • W
        wallabybob last edited by

        Firewall rules apply to traffic ENTERING the firewall on the associated interface. The default firewall rules will block pings ENTERING the firewall on the IPSEC interface but not pings LEAVING on the IPSEC interface.

        1 Reply Last reply Reply Quote 0
        • T
          TomJonas last edited by

          Thank you for your quick answer!

          So how can I block every port in my IPSEC tunnel except port 80?

          1 Reply Last reply Reply Quote 0
          • P
            phil.davis last edited by

            If you just have LAN, WAN and the IPsec tunnel, then incoming from WAN to anywhere is already blocked (unless you have enabled something). So you want to also block traffic from LAN heading to IPsec.
            On LAN, above the general "allow all on LAN", add:
            a) pass rule, source any, destination IPsec address/s port 80
            b) block rule, source any, destination IPsec address/s port all

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy