Netgate Discussion Forum
Firewall rules in IPSec tunnel

daviddst, Mar 2, 2006, 4:22 PM

    Hi,

    Hoba, you said this in a previous post (IPsec tunnel looks OK but no firewall rules are generated):

    You shouldn't need any firewall rules and actually we are not yet able to filter IPSEC traffic anyway.

    Is it because the VPN configurator automatically adds these firewall rules? If yes, is it possible to know how to disable this feature by commenting out some code in the firewall configuration files (which functions and in which files)?

    Thanks a lot.

    David.

hoba, Mar 3, 2006, 5:44 AM

    You can't disable this. It's a design thing that hopefully will be solved for version 1.1 but it's too early to promise anything concerning that.

daviddst, Mar 3, 2006, 11:05 AM

    Thanks for your reply. But this behavior comes from pfSense, not from IPsec; a tweak should be possible to restrict IPsec traffic, no?

    I've commented out the 2 lines below in filter.inc.

    // Auto-generated pass rules for the IPsec tunnel on the LAN interface (quick: first match wins)
    $ipfrules .= "pass out quick on {$lanif} from {$tunnel['remote-subnet']} to {$local_subnet} keep state label \"IPSEC: {$tunnel['descr']} - remote to local\"\n";
    $ipfrules .= "pass in quick on {$lanif} from {$local_subnet} to {$tunnel['remote-subnet']} keep state label \"IPSEC: {$tunnel['descr']} - local to remote\"\n";

    But the VPN traffic isn't blocked :(, how is it possible??? Is it due to these lines: "let out anything from firewall host itself"?

    Thanks,

    David.

sullrich, Mar 3, 2006, 10:03 PM
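As an added example (not code from this thread or from pfSense itself), the model below applies pf's rule-evaluation semantics to the two auto-generated rules quoted above: a matching "pass ... quick" rule ends evaluation, so any block rule placed after it never gets a chance to match. The LAN interface name, the 192.168.1.0/24 and 10.0.0.0/24 subnets and the "site-b" description are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in" or "out"
    iface: str
    src: str         # CIDR
    dst: str         # CIDR
    quick: bool = False
    label: str = ""

def evaluate(rules, direction, iface, src_ip, dst_ip, default="block"):
    """pf semantics: the last matching rule wins, unless a matching rule
    is marked 'quick', in which case evaluation stops at that rule."""
    winner = (default, "default policy")
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        winner = (r.action, r.label)
        if r.quick:
            return winner
    return winner

def ipsec_auto_rules(lanif, local_subnet, remote_subnet, descr):
    """Mirrors the two pass rules quoted from filter.inc (constructed model)."""
    return [
        Rule("pass", "out", lanif, remote_subnet, local_subnet, True, f"IPSEC: {descr} - remote to local"),
        Rule("pass", "in", lanif, local_subnet, remote_subnet, True, f"IPSEC: {descr} - local to remote"),
    ]

# Constructed sample: LAN 192.168.1.0/24, tunnel peer network 10.0.0.0/24
LANIF, LOCAL, REMOTE = "lan", "192.168.1.0/24", "10.0.0.0/24"
# A user rule trying to block tunnel traffic headed into the LAN, placed after the auto rules
USER_BLOCK = Rule("block", "out", LANIF, REMOTE, LOCAL, False, "user: block remote to local")

def with_auto_rules():
    rules = ipsec_auto_rules(LANIF, LOCAL, REMOTE, "site-b") + [USER_BLOCK]
    return evaluate(rules, "out", LANIF, "10.0.0.5", "192.168.1.10")

def without_auto_rules():
    return evaluate([USER_BLOCK], "out", LANIF, "10.0.0.5", "192.168.1.10")

if __name__ == "__main__":
    print(with_auto_rules())     # ('pass', 'IPSEC: site-b - remote to local')
    print(without_auto_rules())  # ('block', 'user: block remote to local')
```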

          Re-read what hoba said carefully.
