Re: [m0n0wall] 1.2b7 HEADS UP- IPFilter rules won't stop ICMP on LAN interface

From:	Chris Buechler <cbuechler at gmail dot com>
To:	=?WINDOWS-1252?B?lSCV?= <googl3meister at gmail dot com>
Cc:	m0n0wall at lists dot m0n0 dot ch
Subject:	Re: [m0n0wall] 1.2b7 HEADS UP- IPFilter rules won't stop ICMP on LAN interface
Date:	Tue, 24 May 2005 21:11:54 -0400

On 5/24/05, • • <googl3meister at gmail dot com> wrote:
> Hi,
> 
> I've noticed that even with no rules to allow incoming ICMP to the LAN
> interface, m0n0wall can still be pinged from the LAN side.  Worse,
> specifically creating a rule to deny everything not explicitly allowed
> has the same result! (Yes, I remember to hit Apply after saving the
> rules.)
> 

Yes, this is by design and has always been this way.  You can't drop
any traffic destined to the LAN IP by default, so people can't lock
themselves out of the GUI.  There's a checkbox on the Advanced page
called "Disable webGUI anti-lockout rule".  Check that, and you can
filter on the LAN IP all you want.

-Chris