I'm in the process of setting up a m0n0wall box to act as a captive portal on an untrusted wireless LAN. That being the case, my LAN and WAN interfaces are sort of reversed from a typical install. My LAN interface is untrusted... the WAN interface is more trusted than the LAN interface and I'd like to prevent untrusted LAN users from accessing the WebGUI or SSH.

I spent some time searching the list archives and saw that there's an implicit allow rule in the configuration that allows traffic to the LAN gateway interface from the LAN segment. It looks like this rule can not be edited via the GUI to prevent the user from accidentally shutting themselves off from being able to manage the m0n0wall.

I have HTTPS working inbound from the WAN interface, so I'm comfortable disabling traffic to the LAN gateway from the LAN segment. Is there a text file on the system where I can comment out this implicit allow, or is there some other way of disabling traffic to the LAN interface?

Thanks for all the work on m0n0wall - it's a great system.

-carl hirsch