[ previous ] [ next ] [ threads ]
 
 From:  Mike <lists at southwestech dot com>
 To:  waa dash m0n0wall at revpol dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Block hosts from Webgui
 Date:  Thu, 09 Aug 2007 17:25:14 -0600
mtnbkr wrote:

> 
> Hi Mike...
> 
> There is an option "webGUI anti-lockout" on the System --> Advanced page
> to help save you in case of installing rules that accidentally block
> access to the web gui. You will need to disable this feature, but only
> after you create the rule or two specifically allowing access from the
> LOCAL IP's that require it.
> 
> In other words, on m0n0 B, allow HTTPS access to the 192.168.6.x single
> IPs, and on m0n0 A, allow access to the 192.168.0.x single IPs.
> 
> But here is the part that is trapping you:
> 
> m0n0wall's rules act on packets ENTERING an interface.
> 
> As far as Site B's m0n0wall is considered, packets coming from Site A
> through the IPSEC tunnel have already been inspected and allowed. (a
> simplistic way to describe it).
> 
> Any Site A traffic that you do NOT want on site B's network must be
> stopped by Site A's m0n0wall.
> 
> So, if you want to allow one or more hosts from site B to access the Web
> GUI on Site A's m0n0wall, you need to set rules on Site B's m0n0wall to
> allow these packets to the Site A m0n0wall IP and right after that rule
> you need a rule on Site B's m0n0wall to block access to the Site A
> (192.168.6.0/24) network. Remember rule order counts.
> 
> The reverse is true on the Site A m0n0wall.
> 
> Also, the FIRST thing I do when configuring a m0n0wall firewall is to
> DELETE the default "allow from any to Any" rule on the LAN interface,
> and THEN I start allowing what is required.
> 
> Hope this helps.
> 
> --
> Bill Arlofski
> Reverse Polarity, LLC
> * Stop the NSA from illegally eavesdropping on your personal email *
> Learn about PGP and start encrypting your email today
> http://gnupg.org or http://www.pgp.com
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
> 

Thanks Bill, that helped immensely. My major hang up was that I was 
trying to create rules on a local basis (Site A's rules applied to Site 
A & B, etc.) and it was not working. Thanks for your help. On a side 
note, the default allow all rule was the first thing to be changed.