 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Blocking WebGUI on LAN interface (editing default firewall rule)
 Date:  Wed, 22 Sep 2004 09:06:29 +0200
-------- Original Message --------

> You can't put anything above that rule on the LAN that's put in by
> the back end.
> 
> My last post on it was here, and I have yet to get a response:
> 
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=88&actionargs[]=18
> 
> 

Hi all,

The definitive answer is: IT'S NOT POSSIBLE because a hard-coded rule 
(with the "quick" option set) prevents it. All user-generated rules are 
simply **ignored** (because of the "quick" option).

See below what the source reads:

# make sure the user cannot lock himself out of the webGUI
pass in quick from $lansa/$lansn to $lanip keep state group 100

This line comes *before* any user-defined rule.

Please download the source and read the entire /etc/inc.filter.inc file!

This is not a bug but a design choice. I think Manuel does not want to 
have 50 people every week asking for assistance because they have locked 
themselves out of m0n0wall.

If someone really needs this as a feature, he/she will have to modify 
filter.inc and rebuild the image. The WebGUI won't help at all.

Please let me know if I'm wrong.

-- Vincent
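
Added example, not part of the original message and not m0n0wall code: a small Python model of IPFilter rule evaluation (last matching rule wins unless a matching rule carries "quick") showing why a user block rule placed after the hard-coded rule never takes effect. The addresses standing in for $lansa/$lansn and $lanip, the user rule, the default verdict and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values standing in for $lansa/$lansn and $lanip.
LAN_NET = "192.168.1.0/24"
LAN_IP = "192.168.1.1"

# The hard-coded rule quoted in the message, with the sample values substituted.
BACKEND_RULE = f"pass in quick from {LAN_NET} to {LAN_IP} keep state group 100"
# Hypothetical user rule that tries to keep one LAN host away from the webGUI.
USER_RULE = f"block in from 192.168.1.50 to {LAN_IP}"


def parse_rule(text):
    """Parse 'pass|block in [quick] from <net> to <net> ...' (a small ipf subset)."""
    tok = text.split()

    def net(spec):
        return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

    return {
        "action": tok[0],
        "quick": "quick" in tok,
        "src": net(tok[tok.index("from") + 1]),
        "dst": net(tok[tok.index("to") + 1]),
        "text": text,
    }


def evaluate(rules, src, dst, default="block"):
    """Return (verdict, deciding rule). The default verdict is an assumption."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict, decided_by = default, None
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            verdict, decided_by = rule["action"], rule["text"]
            if rule["quick"]:  # 'quick' ends evaluation at the first match
                break
    return verdict, decided_by


if __name__ == "__main__":
    shipped = [parse_rule(BACKEND_RULE), parse_rule(USER_RULE)]
    no_quick = [parse_rule(BACKEND_RULE.replace(" quick", "")), parse_rule(USER_RULE)]
    print("with quick:   ", evaluate(shipped, "192.168.1.50", LAN_IP))
    print("without quick:", evaluate(no_quick, "192.168.1.50", LAN_IP))
```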