IPSEC - All traffic is allowed without any rule! WHY?

  • Please help me to understand:

    I have a IPSEC connection connected through the WAN gateway. Everything is ok, the tunnel is successfullly connected to the remote peer.

    Here's my "problem":
    In every tutorial I read that I must have an IPSEC rule for passing the traffic, default is "block all" I don't have any rule in the RULES > IPSEC section. So my understanding is that any traffic will be blocked, but in my tunnel I can reach any remote peer (for example ping a client).

    Is this correct?

  • Firewall rules apply to traffic ENTERING the firewall on the associated interface. The default firewall rules will block pings ENTERING the firewall on the IPSEC interface but not pings LEAVING on the IPSEC interface.

  • Thank you for your quick answer!

    So how can I block every port in my IPSEC tunnel except port 80?

  • If you just have LAN, WAN and the IPsec tunnel, then incoming from WAN to anywhere is already blocked (unless you have enabled something). So you want to also block traffic from LAN heading to IPsec.
    On LAN, above the general "allow all on LAN", add:
    a) pass rule, source any, destination IPsec address/s port 80
    b) block rule, source any, destination IPsec address/s port all

Log in to reply