[ previous ] [ next ] [ threads ]
 
 From:  mtnbkr <waa dash m0n0wall at revpol dot com>
 To:  Mike <lists at southwestech dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Block hosts from Webgui
 Date:  Thu, 09 Aug 2007 18:02:09 -0400
Mike wrote:
> I have a scenario I am having difficulty with. I am needing to block
> access to the Webgui from a range of hosts, yet allow access to the
> GUI
> from 3 particular hosts at each location- two of which reside on the
> other end of the VPN. Blocking/ allowing local access is easy enough,
> however blocking access but allowing local and remote access to only
> certain IP's is proving difficult. The Alias feature as far as I can
> tell will allow either single host or networks, but not multiple
> single hosts.
>
> Example:
>
> Site A: 192.168.0.0/24
> Site B: 192.168.6.0/24
>
> Site B needs Gui access from the single local address 192.168.6.x and
> from *two* remote addresses on the A side of the tunnel, but needs to
> block any and all other addresses from accessing the Web GUI on either
> side of the tunnel.
>
> Any ideas?
>


Hi Mike...

There is an option "webGUI anti-lockout" on the System --> Advanced page
to help save you in case of installing rules that accidentally block
access to the web gui. You will need to disable this feature, but only
after you create the rule or two specifically allowing access from the
LOCAL IP's that require it.

In other words, on m0n0 B, allow HTTPS access to the 192.168.6.x single
IPs, and on m0n0 A, allow access to the 192.168.0.x single IPs.

But here is the part that is trapping you:

m0n0wall's rules act on packets ENTERING an interface.

As far as Site B's m0n0wall is considered, packets coming from Site A
through the IPSEC tunnel have already been inspected and allowed. (a
simplistic way to describe it).

Any Site A traffic that you do NOT want on site B's network must be
stopped by Site A's m0n0wall.

So, if you want to allow one or more hosts from site B to access the Web
GUI on Site A's m0n0wall, you need to set rules on Site B's m0n0wall to
allow these packets to the Site A m0n0wall IP and right after that rule
you need a rule on Site B's m0n0wall to block access to the Site A
(192.168.6.0/24) network. Remember rule order counts.

The reverse is true on the Site A m0n0wall.

Also, the FIRST thing I do when configuring a m0n0wall firewall is to
DELETE the default "allow from any to Any" rule on the LAN interface,
and THEN I start allowing what is required.

Hope this helps.

--
Bill Arlofski
Reverse Polarity, LLC
* Stop the NSA from illegally eavesdropping on your personal email *
Learn about PGP and start encrypting your email today
http://gnupg.org or http://www.pgp.com