On Mon, 06 Dec 2004 10:38:29 +0100, Christoph Gysin <cgysin at gmx dot ch> wrote:
> > The example shown will only work if you have a static public IP. I'm
> > looking for a sanity check. If your WAN is DHCP, you'll have to set
> > the destination to any, right?
>
> But this is not what you want. If you set destination to any, you will
> allow all https-traffic to all your hosts on the LAN.
>

That's not true unless your LAN is all public IPs, which is extremely unlikely if you're using DHCP.

It allows HTTPS traffic to anything that has inbound NAT on 443 or 1:1 NAT entries. With DHCP, that excludes the possibility of having 1:1 NAT. You could have a filtering bridge setup with other DHCP hosts with public IPs on another interface, but nobody in their right mind would set up an infrastructure like that without static public IPs.

Chances are extremely likely that if you have this kind of setup, you have one single IP on your WAN interface. So if you had an existing HTTPS server, you would have to change the port number used by the webGUI anyway, and therefore it would be a different firewall rule.

It's not an ideal situation, but chances are exceedingly likely that this isn't going to grant access to anything but the webGUI.

> I did a small hack to get around this, by specifying an inbound NAT rule:
> WAN TCP 443 (HTTPS) 10.0.0.1 443 (HTTPS) admin
>

That's still going to leave you with the same dilemma though, how do you set up the firewall rule that permits access through this NAT entry?

Thanks for your suggestions everyone. I'm going to split up that FAQ into DHCP and static IP sections and incorporate some of this post and the feedback I've received.

Appreciate the help,

-Chris
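
Added example (not part of the original post and not the firewall's own code): a simplified Python model of what a WAN rule "pass TCP from any to any port 443" exposes under three NAT setups. All addresses, the config dictionary layout and the function names are constructed for illustration; the model assumes the webGUI listens on 443 and that private destinations never arrive on the WAN.

```python
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def routable_from_internet(addr):
    """Private (RFC 1918) destinations cannot be addressed from the Internet."""
    return not any(ip_address(addr) in net for net in RFC1918)

def deliver(dst, port, cfg):
    """Where a TCP packet from the Internet lands under the WAN rule
    'pass TCP from any to any port 443'; None means it reaches nothing."""
    if port != 443 or not routable_from_internet(dst):
        return None                       # rule does not match, or packet never arrives
    if dst in cfg["one_to_one"]:          # 1:1 NAT maps a whole external IP to one host
        return cfg["one_to_one"][dst]
    if dst == cfg["wan_ip"]:
        # An inbound NAT entry on 443 takes the port; otherwise the firewall
        # itself answers, i.e. the webGUI.
        return cfg["inbound_nat"].get(port, "webGUI")
    return None

def exposure(cfg):
    """Everything reachable on 443 when the rule's destination is 'any'."""
    candidates = [cfg["wan_ip"], *cfg["one_to_one"], *cfg["lan_hosts"]]
    return {hit for dst in candidates if (hit := deliver(dst, 443, cfg))}

# Constructed sample configurations.
LAN = ["10.0.0.1", "10.0.0.20", "10.0.0.30"]
DHCP_ONLY = {"wan_ip": "203.0.113.10", "lan_hosts": LAN,
             "inbound_nat": {}, "one_to_one": {}}
DHCP_HTTPS_SERVER = {**DHCP_ONLY, "inbound_nat": {443: "10.0.0.20"}}
STATIC_ONE_TO_ONE = {**DHCP_ONLY, "one_to_one": {"203.0.113.11": "10.0.0.30"}}

if __name__ == "__main__":
    for name, cfg in [("DHCP, single IP, no NAT", DHCP_ONLY),
                      ("DHCP, inbound NAT on 443", DHCP_HTTPS_SERVER),
                      ("static IPs with 1:1 NAT", STATIC_ONE_TO_ONE)]:
        print(f"{name}: {sorted(exposure(cfg))}")
```

In the second configuration the webGUI drops out of the result because the NAT entry owns port 443, which matches the point above that the webGUI would then need a different port and a different rule.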