 From:  David Cook <david dot cook at jetpress dot com>
 To:  "'CARL dot P dot HIRSCH at sargentlundy dot com'" <CARL dot P dot HIRSCH at sargentlundy dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Blocking WebGUI on LAN interface (editing default firewall rule)
 Date:  Tue, 21 Sep 2004 07:59:10 +0100
Hi Carl,

I am not aware that the default rule on the LAN interface is any different
to user-configured rules. From my experimentation on v1.1 it is fully
editable like any other rule. If it doesn't do what you require you can
simply edit or delete it.

One way to solve your problem would be to leave the rule in place and create
a couple of rules above it to explicitly block HTTPS TCP connections from
your LAN subnet to both the LAN and the WAN interface IPs. 'LAN subnet ->
Any' literally means just that, including your WAN interface IP.

>-----Original Message-----
>From: CARL dot P dot HIRSCH at sargentlundy dot com
>[mailto:CARL dot P dot HIRSCH at sargentlundy dot com]
>Sent: 20 September 2004 21:56
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] Blocking WebGUI on LAN interface (editing default firewall rule)
>
>I'm in the process of setting up a m0n0wall box to act as a captive portal
>on an untrusted wireless LAN. That being the case, my LAN and WAN
>interfaces are sort of reversed from a typical install. My LAN interface is
>untrusted... the WAN interface is more trusted than the LAN interface and
>I'd like to prevent untrusted LAN users from accessing the WebGUI or SSH.
>
>I spent some time searching the list archives and saw that there's an
>implicit allow rule in the configuration that allows traffic to the LAN
>gateway interface from the LAN segment. It looks like this rule cannot be
>edited via the GUI to prevent the user from accidentally shutting
>themselves off from being able to manage the m0n0wall. I have HTTPS working
>inbound from the WAN interface, so I'm comfortable disabling traffic to the
>LAN gateway from the LAN segment.
>
>Is there a text file on the system where I can comment out this implicit
>allow, or is there some other way of disabling traffic to the LAN
>
>Thanks for all the work on m0n0wall - it's a great system.
>
>-carl hirsch

Nunn Close
NG17 2HW

Web:	www.jetpress.com
Tel:	+44-1623-551 800
Fax: 	+44-1623-551 175
