VPN & Firewall - do not work together
If I connect to a dial-up service like HSDPA/UMTS with the firewall on, everything is OK too.
But if I am now connecting to my company network using VPN (PPTP, built-in client), the machine refuses to connect to my DNS server. I can ping a machine inside the VPN network, including the DNS server, but all DNS lookups are refused.
The DNS server is inside the VPN. The /etc/resolv.conf is correct. VPN is set to "Send all traffic over the VPN".
The only quick way to solve this was turning the firewall off.
I do not understand why this does not work as advertised. A DNS lookup is not an "incoming" connection.
Even if I suspect it is not a big risk to have the firewall off when I turn off all sharing services, it is safer to have it on if I use unknown networks.
And even if I have to turn off the firewall, it must be possible to do that on a per-network-connection basis.
A normal user is not able to decide when to turn the firewall off or on. If he decides to turn it on, he should still be able to access the net.
Dual 2GHz G5