 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] New/fixed dynamic address IPsec images
 Date:  Tue, 2 Sep 2003 07:23:13 +0200 (CEST)
On Mon, 1 Sep 2003, Christopher M. Iarocci wrote:

> On a side note, is the web interface filter hard coded into the m0n0wall to
> only let in traffic from the local network?  I was trying to let someone
> access from one of my VPN networks, and it was blocked.  I put in a rule to
> allow on the LAN interface 192.168.0.0/16 port 80 to 192.168.2.1 (IP of my
> LAN interface) port 80, but it still gets blocked.  I know you can't get to
> it from the WAN interface, but I thought I would be able to get to it
> through the VPN tunnel.

Not really - unlike PPTP sessions, IPsec tunnels don't each have a virtual
tunnel interface - the packets just come in via WAN and get
processed/decrypted as per the SPD/SAD entries. But they always have WAN
as their source interface. You could try adding such a rule for the WAN
instead of the LAN interface; that might work (though I just got up and
it's still early in the morning, so I'm not totally sure about that ;).

But as I mentioned several times - we'll probably see HTTPS being used for
the webGUI sometime (hopefully soon), and then I see no point in
restricting management to the LAN interface anymore (but of course there
will be the option for extra-paranoid people :).

- Manuel
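As an added illustration (not part of the thread, and not m0n0wall's own filter code), the following model of interface-scoped, first-match filtering with an implicit default deny shows why a rule on the LAN interface never matches decrypted IPsec traffic that the filter sees arriving on WAN, and why the same rule bound to WAN does. The 192.168.5.10 client address on the remote VPN network and the rule shape are assumptions; the rule class and evaluation order are a simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet filter sees this packet on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    src_net: str
    dst_net: str
    dport: int
    action: str = "pass"

    def matches(self, p: Packet) -> bool:
        # Interface is part of the match: a LAN rule only sees LAN ingress.
        return (p.iface == self.iface
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and p.dport == self.dport)


def ipsec_decapsulate(inner_src: str, inner_dst: str, dport: int) -> Packet:
    """Model of the behaviour described in the mail: there is no per-tunnel
    virtual interface, so the decrypted inner packet keeps WAN as ingress."""
    return Packet("wan", inner_src, inner_dst, dport)


def evaluate(rules, p: Packet) -> str:
    for r in rules:          # first match wins
        if r.matches(p):
            return r.action
    return "block"           # implicit default deny


# Rule from the question (bound to LAN) and the suggested WAN variant.
LAN_RULE = Rule("lan", "192.168.0.0/16", "192.168.2.1/32", 80)
WAN_RULE = Rule("wan", "192.168.0.0/16", "192.168.2.1/32", 80)


def decision_with(rules):
    """Return (verdict for VPN client, verdict for local LAN host)."""
    vpn_pkt = ipsec_decapsulate("192.168.5.10", "192.168.2.1", 80)  # constructed
    lan_pkt = Packet("lan", "192.168.2.50", "192.168.2.1", 80)      # constructed
    return evaluate(rules, vpn_pkt), evaluate(rules, lan_pkt)
```

With only the LAN rule the VPN client is blocked while the local host passes; adding the WAN-bound rule lets the decrypted tunnel traffic through without widening what the LAN rule allows.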