Topic: Can I access the webGUI from the WAN?  (Read 4322 times)
« on: October 10, 2007, 13:42:07 »
JackTripper *
Posts: 16

i want to access the webGUI of my dynamic-ip monowall box from the internet, whose webGUI port is 8000.

i added a firewall rule:

   Interface: WAN
   Protocol: TCP
   Source Type: any
   Source port range (from): (other) 8000
   Destination Type: Single host or alias
   Destination Address: 192.168.1.1  (default LAN address of monowall)
   Destination port range (from): 8000
   Description: monowall webGUI

After saving and applying, it does not work.

i see in the firewall logs the packets being blocked by the default rule:
   If: WAN
   Source: 216.8.139.6, port 1800
   Destination: 64.233.167.147, port 8000 TCP

i then tried changing the firewall rule's destination to:
   Destination Type: any
   Destination port range (from): 8000

And traffic is still blocked by the default rule.


So this leads to my apparent confusion about what firewall rules are. A packet arrives at the WAN port that is destined for "64.233.167.147:8000". The firewall is set to allow any packets from the WAN destined for port 80. What happens to the packet then?

The firewall allows it, so i assume that the packet should continue through the firewall, and then hit the actual adapter with the ip "64.233.167.147", where there is a http server listening on port 8080. Firewall rules don't rewrite packets, they just allow or deny based on an inspection of the packet's source/dest ip/port.


At which point i then solved my own problem.

The firewall rule was incorrectly configured:
Incorrect
   Source: any
   Source port: 8000
   Destination: any
   Destination port: 8000

The problem, of course, is that nobody's http request to my webGUI server will be coming from port 8000. The firewall doesn't rewrite packets, it only checks packets to see if they match a rule. And since the web request from the client machine didn't come from port 8000 (in addition to having to be destined to port 8000), it failed to match any firewall rule and so was blocked.

Correct
   Source: any
   Source port: any
   Destination: any
   Destination port: 8000

And now the full listing for anyone trying to set up remote administration the way it would exist in any store-bought router where you've changed the webGUI port from the default 80 to 8000:

   Interface: WAN
   Protocol: TCP
   Source Type: any
   Source port range (from): any
   Destination Type: Single host or alias
   Destination Address: any
   Destination port range (from): 8000
   Description: monowall webGUI


Note
- i'm aware of the security implications in these settings
« Last Edit: October 10, 2007, 14:04:40 by JackTripper »
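An added example (not part of the original post, and not m0n0wall code): a simplified Python model of pass rules with a default block, run against the blocked packet from the firewall log in the post. The Packet and Rule classes, the evaluate function and the RESTRICTED rule (the working rule limited to one source address) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard: the field is not checked


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    src: Optional[str] = ANY
    sport: Optional[int] = ANY
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY

    def matches(self, p: Packet) -> bool:
        # Every non-wildcard field must equal the packet's field; nothing is rewritten.
        pairs = [(self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport)]
        return (self.iface == p.iface and self.proto == p.proto
                and all(want is ANY or want == got for want, got in pairs))


def evaluate(rules, p):
    """Return 'pass' if any pass rule matches, otherwise the default 'block'."""
    return "pass" if any(r.matches(p) for r in rules) else "block"


# The blocked packet from the firewall log quoted in the post.
LOGGED = Packet("WAN", "TCP", "216.8.139.6", 1800, "64.233.167.147", 8000)

FIRST_TRY = Rule("WAN", "TCP", sport=8000, dst="192.168.1.1", dport=8000)
SECOND_TRY = Rule("WAN", "TCP", sport=8000, dport=8000)
WORKING = Rule("WAN", "TCP", dport=8000)
# Assumption (not in the post): the working rule limited to one known admin source.
RESTRICTED = Rule("WAN", "TCP", src="216.8.139.6", dport=8000)

if __name__ == "__main__":
    for name, rule in [("first try", FIRST_TRY), ("second try", SECOND_TRY),
                       ("working", WORKING), ("restricted", RESTRICTED)]:
        print(f"{name}: {evaluate([rule], LOGGED)}")
```
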
« Reply #1 on: October 10, 2007, 13:45:43 »
bitonw **
Posts: 79

where is your nat rule?
« Reply #2 on: October 10, 2007, 14:05:45 »
JackTripper *
Posts: 16

where is your nat rule?

i updated my post detailing what i did wrong and now it works.

But it works without a NAT rule. How can this be?
« Reply #3 on: October 11, 2007, 10:34:34 »
markb ****
Posts: 331

NAT not needed, you are connecting to the external interface, not routing it into your network. bitonw hadn't spotted the "Source Port" in the first draft of your post.
« Reply #4 on: October 11, 2007, 13:56:47 »
bitonw **
Posts: 79

please use httpS to make it a bit more secure ;)

just configure the 443 -> 8000 (and put the http back to 80 since you don't use that when you change to https)
« Reply #5 on: October 11, 2007, 20:39:54 »
JackTripper *
Posts: 16

please use httpS to make it a bit more secure ;)

just configure the 443 -> 8000 (and put the http back to 80 since you don't use that when you change to https)

And i just turned off https, just now this minute. i didn't like being harassed about monowall's untrusted certificate :)

And how secure items are not cached. :(
« Reply #6 on: December 05, 2007, 14:07:02 »
marcgpx *
Posts: 4

I have tried these settings and it works!
Thanks JackTripper
 