On 05.01.2014 at 21:55, Christian Boltz <suse-security@cboltz.de> wrote:
I'd like to have something that blocks the traffic to 10.7.0.1 when the VPN connection is _down_. Call it a static route for 10.7.0.1 to /dev/null ;-)
Ahh, I see. You can do that: somewhere in /etc/init.d/boot.local, or wherever you want, you could put

    route add -host 10.7.0.1 dev lo

and put in your openvpn server's config something like

    route 10.7.0.1 255.255.255.255
    client-config-dir /usr/local/openvpn/conf/mailserver

and in /usr/local/openvpn/conf/mailserver/mailserver

    iroute 10.7.0.1 255.255.255.255

This should do the trick. Do not forget to re-route 10.7.0.1 to loopback once the VPN has been shut down.

BUT: I would always use TLS-secured connections to my mailserver. If there were a certificate mismatch, your MUA would complain and never submit username/password, whatever IP it is connecting to. Or use client certificates.

Rainer.

PS: Please do not take this literally. I had some drams of Lagavulin ;-)
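The "route 10.7.0.1 to nowhere while the VPN is down" idea from Rainer's reply, as an added example that is not part of the original thread. It uses a kernel blackhole route (iproute2 "ip route ... blackhole") instead of the loopback trick, and hooks into OpenVPN's up/down scripts so the guard is installed automatically every time the tunnel drops. The script path, the "script_type" environment variable (which OpenVPN sets for up/down hooks), the RUN dry-run variable and the MAILSERVER_IP variable are assumptions of this example; the address 10.7.0.1 is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): keep a blackhole route for the
# mail server's VPN address in place whenever the tunnel is down, so a MUA can
# never reach 10.7.0.1 outside the VPN.
#
# Assumptions: iproute2 "ip" is available, the script runs as root, and it is
# wired into the OpenVPN client config as
#   script-security 2
#   up   /etc/openvpn/mailserver-guard.sh
#   down /etc/openvpn/mailserver-guard.sh
# OpenVPN exports the hook type in $script_type ("up" or "down"). The "up" hook
# runs before OpenVPN installs its own routes, so the blackhole must be removed
# there or OpenVPN's host route for 10.7.0.1 via the tun device would collide.

MAILSERVER_IP="${MAILSERVER_IP:-10.7.0.1}"   # address from the thread
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of executing them

# A blackhole route silently drops packets. Routing the host to "lo", as in the
# thread, also keeps the traffic on the box, but the MUA then gets a local
# "connection refused" instead of a timeout. Both are fine; the important
# property is that cleartext never leaves the machine.
guard_cmd() {
    case "$1" in
        down) printf 'ip route replace blackhole %s/32\n' "$MAILSERVER_IP" ;;
        up)   printf 'ip route del blackhole %s/32\n' "$MAILSERVER_IP" ;;
        *)    printf 'unknown hook: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Apply the command for the given hook ("down" installs the guard, "up" lifts it).
# Also call "guard_apply down" from boot.local so the guard exists before the
# first connection attempt.
guard_apply() {
    cmd=$(guard_cmd "$1") || return 1
    $RUN $cmd
}

# Sanity check for the operator: succeeds only while the blackhole is in place.
guard_check() {
    ip route show "$MAILSERVER_IP/32" 2>/dev/null | grep -q '^blackhole'
}

# When invoked by OpenVPN, $script_type is set; when sourced for testing or
# interactive use, only the functions are defined.
if [ -n "${script_type:-}" ]; then
    guard_apply "$script_type"
fi
```

The route only stops the MUA from talking to an impostor at 10.7.0.1; it does nothing against a mail server name that resolves elsewhere when the VPN is down, which is why the TLS and certificate advice in the reply is the part that actually protects the credentials.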