Hello,
I have an IPsec VPN set up (and working), but I need to filter traffic going across it. I can filter the outbound traffic by using a firewall policy on my outbound WAN port (eth0/out). But how do I filter incoming traffic?
Here's my firewall:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_in {
        default-action accept
        description "Allow LAN to any"
        rule 1 {
            action accept
            description "All Traffic"
            log disable
            protocol all
        }
    }
    name WAN_Inbound {
        default-action drop
        description "Inbound traffic from WAN"
        rule 10 {
            action accept
            description "VPN"
            destination {
                address *LOCAL SUBNET*
            }
            log disable
            protocol all
            source {
                address *REMOTE SUBNET*
            }
        }
        rule 20 {
            action accept
            description "Allow established and related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "VPN"
            destination {
                address *LOCAL SUBNET*
            }
            log disable
            protocol all
            source {
                address *REMOTE SUBNET*
            }
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Est and Rel"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_OUT {
        default-action accept
        description ""
        rule 1 {
            action accept
            description "VPN"
            destination {
                address *REMOTE SUBNET*
            }
            log disable
            protocol all
            source {
                address *LOCAL SUBNET*
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
Here's my VPN:
vpn {
    ipsec {
        auto-update 3600
        auto-firewall-nat-exclude enable
        disable-uniqreqids
        esp-group HQ {
            compression disable
            lifetime 28800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group HQ {
            dead-peer-detection {
                action restart
                interval 60
            }
            lifetime 28800
            mode main
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal disable
        site-to-site {
            peer R.R.R.R {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret failure2comm
                }
                connection-type initiate
                default-esp-group HQ
                ike-group HQ
                local-address L.L.L.L
                tunnel 1 {
                    esp-group HQ
                    local {
                        prefix LS.LS.LS.LS/16
                    }
                    remote {
                        prefix RS.RS.RS.RS/24
                    }
                }
            }
        }
    }
}
Any help is greatly appreciated!!!
Thanks,
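Added example, not part of the original post and not the poster's configuration. It assumes the EdgeOS/Vyatta config syntax the post already uses, and it assumes (this is the part to verify on your own box) that with a policy-based site-to-site tunnel the packets the peer sends through the tunnel are handed back to the firewall on eth0 after decryption, so the ruleset bound as `in` on eth0 (here `WAN_Inbound`) sees the clear-text packets with their real source and destination. Under that assumption the `WAN_Inbound` rule 10 in the post is already the place where tunnel traffic is filtered, and it currently accepts every protocol and port from the remote subnet. The fragment below narrows it, using the `ipsec match-ipsec` match criterion so the rules only apply to packets that arrived through the tunnel; the port and protocol choices (HTTPS and ICMP) are placeholders for whatever the remote site actually needs, and `*LOCAL SUBNET*` / `*REMOTE SUBNET*` are the same placeholders as in the post.

```text
firewall {
    name WAN_Inbound {
        default-action drop
        description "Inbound traffic from WAN"
        rule 10 {
            action accept
            description "VPN: HTTPS from remote site to local subnet"
            destination {
                address *LOCAL SUBNET*
                port 443
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol tcp
            source {
                address *REMOTE SUBNET*
            }
        }
        rule 11 {
            action accept
            description "VPN: ping from remote site"
            destination {
                address *LOCAL SUBNET*
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol icmp
            source {
                address *REMOTE SUBNET*
            }
        }
        rule 20 {
            action accept
            description "Allow established and related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 40 {
            action drop
            description "VPN: log and drop anything else arriving through the tunnel"
            ipsec {
                match-ipsec
            }
            log enable
            protocol all
        }
    }
}
```

Two points on the ordering and a check. Rule 20 (established/related) must stay ahead of the logging drop in rule 40, otherwise replies to connections your side opened towards the remote site would be dropped on the way back; rule 40 is only there so that unexpected tunnel traffic shows up in the log instead of disappearing into `default-action drop`. To confirm that decrypted tunnel traffic really does hit this ruleset, generate some traffic from the remote site and watch the per-rule counters with `show firewall name WAN_Inbound statistics`; if the counters for rules 10/11 stay at zero while the traffic gets through, the decrypted packets are taking a different path on your firmware and this ruleset is not the right hook. Separately, note that `WAN_LOCAL` rule 10 in the posted config accepts new connections of any protocol from the remote subnet to the router's own addresses; if the remote site only needs the tunnel to reach hosts behind the router, that rule can be tightened in the same way, or removed.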