Firewall rules in IPSec tunnel



  • Hi,

    Hoba, you said this in a previous post (IPsec tunnel looks OK but no firewall rules are generated):

    You shouldn't need any firewall rules and actually we are not yet able to filter IPSEC traffic anyway.

    Is that because the VPN configurator automatically adds these firewall rules? If yes, is it possible to know how to disable this feature by commenting out some lines in the firewall configuration files (which functions, and in which files)?

    Thanks a lot.

    David.



  • You can't disable this. It's a design thing that hopefully will be solved for version 1.1 but it's too early to promise anything concerning that.



  • Thanks for your reply. But this behavior comes from pfSense, not from IPsec, so a tweak should be possible to restrict IPsec traffic, no?

    I've commented out the 2 lines below in filter.inc.

    $ipfrules .= "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state label \"IPSEC: {$tunnel['descr']} - remote to local\"\n";
    $ipfrules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state label \"IPSEC: {$tunnel['descr']} - local to remote\"\n";

    But the VPN traffic isn't blocked :( How is that possible? Is it due to these lines: "let out anything from firewall host itself"?

    Thanks,

    David.
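
    To see exactly what those two filter.inc lines emit, here is an added example (not pfSense's own code and not part of the thread) that renders the quoted fragment for a constructed set of tunnels. The interface name `sis0`, the subnets and the tunnel descriptions are assumed sample values; the rule text itself is the fragment quoted in the post above.

```php
<?php
// Added example, not pfSense's own code: renders the two pf "pass" rules that
// the filter.inc fragment quoted in the post produces for each IPsec tunnel,
// so the exact text added to the ruleset can be inspected.

$lanif        = 'sis0';            // assumed LAN interface name
$local_subnet = '192.168.1.0/24';  // assumed LAN subnet

// Constructed tunnel definitions, in the shape the fragment expects
// ($tunnel['remote-subnet'] and $tunnel['descr']).
$tunnels = array(
    array('descr' => 'Branch office', 'remote-subnet' => '10.10.0.0/16'),
    array('descr' => 'Datacenter',    'remote-subnet' => '172.16.5.0/24'),
);

// Same template as the quoted fragment; the inner quotes around the label
// must be escaped inside the double-quoted PHP string.
function ipsec_tunnel_rules($lanif, $local_subnet, $tunnel) {
    $rules  = "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state "
            . "label \"IPSEC: {$tunnel['descr']} - remote to local\"\n";
    $rules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state "
            . "label \"IPSEC: {$tunnel['descr']} - local to remote\"\n";
    return $rules;
}

// filter.inc appends one pair of rules per configured tunnel.
$ipfrules = '';
foreach ($tunnels as $tunnel) {
    $ipfrules .= ipsec_tunnel_rules($lanif, $local_subnet, $tunnel);
}
echo $ipfrules;
```

    Both generated rules are bound to the LAN interface ($lanif) and match only traffic between the local subnet and the tunnel's remote subnet. The fragment emits nothing for the encrypted traffic itself or for any other interface, so commenting it out changes only what these two LAN rules would have allowed.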



  • Re-read what hoba said carefully.


Locked