I think this will be relatively simple to achieve, but I can't get over the final hurdle:
I have a site (A) connected via VPN. At the moment 'inter-site' traffic, i.e. between me, the site in question and any other connected sites, is allowed. However, I wish this remote site to only be able to access the internet (locally connected via the SRX) and not the wider internal network (for security reasons), but I need to maintain 'admin' of this site from my location. We use OSPF for routing. I think the solution is to leave OSPF alone and configure a local firewall rule(s) of some sort on the remote SRX, or perhaps apply a filter?!
Sounds like you currently have a site-to-site VPN that is route based, using OSPF from the remote site to the hub.
There will be a security policy on both the hub and the remote site that allows traffic from this VPN. Based on your message this is likely an allow-all policy. You can find that by looking at the security zone name for the tunnel interface and the zone name for the local traffic.
On the remote site (st0.x is the tunnel interface; run the same command again with the local LAN interface name to find the local zone):
show configuration security zones | display set | match st0.x
Using these names:
show security policies from-zone VPN_NAME to-zone LOCAL_NAME
show security policies from-zone LOCAL_NAME to-zone VPN_NAME
Now you can create new policies in these zone-to-zone contexts that include the restrictions you want to enforce, and delete the current policies.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
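As an added worked example (not part of the thread above, and not Juniper's or the poster's own configuration), the following Junos set commands show what the replacement policies on the remote SRX could look like. All names and addresses are assumptions: the tunnel interface st0.0 sits in a zone called VPN, the local LAN is zone trust, the local internet-facing interface is zone untrust, the hub-side admin workstation is 10.0.0.10, the remote LAN is 192.168.10.0/24, and the existing permit-all policies are named allow-all. Zone-level address books are used here; if the device already uses the global address book, define the addresses there instead, since the two styles cannot be mixed.

```junos
## Added example: lock down the remote SRX so the remote LAN only reaches the
## local internet, while the hub admin host keeps SSH/HTTPS into the site.
## Zone names, addresses and policy names below are assumptions, not from the thread.

## Address objects (zone-level address book, assumed)
set security zones security-zone VPN address-book address hub-admin 10.0.0.10/32
set security zones security-zone trust address-book address remote-lan 192.168.10.0/24

## Keep OSPF and SSH-to-the-SRX working across the tunnel. Host-inbound traffic
## (OSPF hellos, management of the box itself) is governed here, not by the
## zone-to-zone policies, so removing the allow-all policy does not break routing.
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic system-services ssh

## VPN -> trust: only the hub admin host, only SSH and HTTPS, everything logged
set security policies from-zone VPN to-zone trust policy admin-in match source-address hub-admin
set security policies from-zone VPN to-zone trust policy admin-in match destination-address remote-lan
set security policies from-zone VPN to-zone trust policy admin-in match application junos-ssh
set security policies from-zone VPN to-zone trust policy admin-in match application junos-https
set security policies from-zone VPN to-zone trust policy admin-in then permit
set security policies from-zone VPN to-zone trust policy admin-in then log session-init
set security policies from-zone VPN to-zone trust policy admin-in then log session-close

set security policies from-zone VPN to-zone trust policy deny-rest match source-address any
set security policies from-zone VPN to-zone trust policy deny-rest match destination-address any
set security policies from-zone VPN to-zone trust policy deny-rest match application any
set security policies from-zone VPN to-zone trust policy deny-rest then deny
set security policies from-zone VPN to-zone trust policy deny-rest then log session-init

## trust -> VPN: the remote LAN may not initiate anything toward the internal network.
## Return traffic for admin sessions is handled by the stateful session table.
set security policies from-zone trust to-zone VPN policy deny-all match source-address any
set security policies from-zone trust to-zone VPN policy deny-all match destination-address any
set security policies from-zone trust to-zone VPN policy deny-all match application any
set security policies from-zone trust to-zone VPN policy deny-all then deny
set security policies from-zone trust to-zone VPN policy deny-all then log session-init

## trust -> untrust stays as it is (local internet access); nothing here touches it.

## Remove the old permit-all policies (names assumed) and make sure the
## specific admin rule is evaluated before the catch-all deny.
delete security policies from-zone VPN to-zone trust policy allow-all
delete security policies from-zone trust to-zone VPN policy allow-all
insert security policies from-zone VPN to-zone trust policy admin-in before policy deny-rest

## Verify before committing: which policy would an admin SSH session hit?
## (operational command, run from the CLI prompt after commit check)
## show security match-policies from-zone VPN to-zone trust source-ip 10.0.0.10 destination-ip 192.168.10.5 source-port 40000 destination-port 22 protocol tcp
commit check
```

Because OSPF is left untouched, the remote SRX still learns routes to the whole internal network; the policies above are what stop transit traffic from using them, so the deny-rest and deny-all rules must remain last in their contexts. The logging on the deny rules gives the hub side a record of any attempt from the remote LAN to reach internal addresses, which is the signal worth watching after the change.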