I offer great praise to the person who can answer my questions definitively!
I read the FAQ and many threads in the archive and can't seem to get a
definitive answer that is consistent with my results. I want to use the
built-in PPTP server but I want to disable access to certain interfaces
(specifically the WAN interface).
I am running version 1.11, built on Thu Nov 11 23:02:41 CET 2004.
The FAQ at http://m0n0.ch/wall/docbook/faq-limitpptp.html reads,
"Configure your firewall rules on the WAN interface permitting TCP 1723
only from hosts you want to use PPTP." This suggestion is supported by
several postings in the archive.
I added these rules (and various flavors of these rules) to my "WAN
1: BLOCK proto TCP, src: *, port: *, dest: *, port: 1723
2: BLOCK proto GRE, src: *, port: *, dest: *, port: *
When I do a remote scan of the WAN interface, TCP port 1723 is open. I
have tried changing the dest address to the WAN interface address with
the same results. At one point I used a sledgehammer and blocked
everything - 1723 was still open.
When I look at the status.php page, I see something that looks like port
1723 is getting redirected even before my first blocking rule is
considered. I did not add this rule - it would have to be something
that m0n0wall adds by default. I am not sure if this might be the
source of the problem (if it is, I am not sure what I can do about it).
Okay, my questions with the promise of "great praise" for the definitive
1. Is it possible to enable the PPTP server and disable access on a
specific interface (either through port blocking or otherwise)?
2. If the answer to #1 is yes, how or what rule(s) should be added?
Please be explicit, not just "block 1723" (even if your response treats
me like an idiot, I will praise you if it helps!).
3. If the answer to #1 is no, who do I need to contact to update the
FAQ? Hopefully this thread will correct any confusion from earlier posts.
And a few comments... I really like m0n0wall so far... easy to set up, no
hard drive, good basic functionality and a great price. I am not a big
fan of the "behind the scenes" rules (any rule that is added without it
being listed on the rules page) - I think they create an unnecessary
security risk. I would prefer to see a feature on the PPTP setup page
that would add the rule for you (with a confirmation) to make it easy
for the average user, but then the rule would be visible on the rules
Thanks in advance to anybody that helps with this!
And just to help make this thread a good reference, some links to other
threads on this subject:
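The rule-ordering effect suspected in the post, as an added example that is not part of the original thread and not m0n0wall's own code: a first-match model in which a hidden redirect for TCP 1723 is evaluated ahead of the user's two WAN block rules. The processing order, the sample source addresses and the rule representation are constructed assumptions for illustration only.

```python
# Added example (not from the post or from m0n0wall): a minimal first-match
# model of why a redirect rule placed ahead of the user's WAN block rules
# leaves TCP 1723 reachable from the WAN. The evaluation order is an
# ASSUMPTION for illustration; check the real order on status.php.

PPTP_PORT = 1723

def evaluate(rules, pkt):
    """Return the action of the first rule matching pkt (default: pass)."""
    for rule in rules:
        if (rule.get("proto") in (None, pkt["proto"])
                and rule.get("dport") in (None, pkt.get("dport"))
                and rule.get("src") in (None, pkt["src"])):
            return rule["action"]
    return "pass"

# The user's two rules as posted: block TCP 1723 and GRE from any source.
USER_BLOCKS = [
    {"action": "block", "proto": "tcp", "dport": PPTP_PORT},
    {"action": "block", "proto": "gre"},
]

# Suspected default rule: redirect 1723 to the PPTP server, evaluated first.
HIDDEN_REDIRECT = {"action": "redirect", "proto": "tcp", "dport": PPTP_PORT}

def outcome(rules, src="203.0.113.7"):
    """Actions for a constructed external SYN to 1723 and a GRE packet."""
    tcp = {"proto": "tcp", "src": src, "dport": PPTP_PORT}
    gre = {"proto": "gre", "src": src}
    return evaluate(rules, tcp), evaluate(rules, gre)

# As observed: the redirect matches before the block is ever considered.
AS_OBSERVED = [HIDDEN_REDIRECT] + USER_BLOCKS

# What the FAQ's advice needs: block evaluated before the redirect, or the
# redirect limited to the one allowed source (constructed 198.51.100.5).
BLOCK_FIRST = USER_BLOCKS + [HIDDEN_REDIRECT]
SCOPED = [{"action": "redirect", "proto": "tcp", "dport": PPTP_PORT,
           "src": "198.51.100.5"}] + USER_BLOCKS

if __name__ == "__main__":
    for name, rs in (("as observed", AS_OBSERVED), ("block first", BLOCK_FIRST),
                     ("scoped redirect", SCOPED)):
        tcp_action, gre_action = outcome(rs)
        print(f"{name:16} tcp/1723 -> {tcp_action}, gre -> {gre_action}")
```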