Block access from outside to management page


This topic contains 6 replies, has 0 voices, and was last updated by  Masenko 6 years, 2 months ago.

  • #43555

    Masenko
    Member

    Hello all,

    Our old firewall (appliance) can't handle the traffic any more and we are trying to get a PC running with the Zeroshell firewall.

    We have it running and we can reach the internet over it, BUT we want to block access to the web management interface page from outside.

    Question to you all is:

    Is this possible, and if so, could someone post a rule on how to accomplish this?

    Thanks in advance.

    #52631

    JC
    Member

    Under Setup -> https -> add a rule for a local IP or subnet, select its interface (“ETH00”, “ETH01”, etc.), click the +, then remove the default rule to allow ANY, save, and you are done.

    #52632

    mountainman
    Participant

    I’m unclear on this too.

    ETH00 (192.168.0.75) is my WAN interface, ETH01 (192.168.1.1) and ETH02 (192.168.2.1) are the LAN side. I currently have the ETH00 of the ZS box connected to an upstream wifi router on the 192.168.0.xxx subnet, and another wifi AP connected to ETH01. This is for testing; ultimately ETH00 will be connected directly to a satellite modem at another location.

    I created 3 firewall rules:

    1 ETH01 * ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 no
    2 ETH02 * ACCEPT all opt -- in ETH02 out * 0.0.0.0/0 -> 0.0.0.0/0 no
    3 * * ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED

    Then, I set the INPUT chain to “DROP” (OUTPUT and FORWARD are still “ACCEPT”). As I understand it, this should block any unsolicited connection from the ETH00 interface. I should be able to connect to the ZS admin via ETH01 and I can, but if I connect to the upstream router, it should block access… but it doesn’t.

    What am I doing wrong?

    #52633

    Shadok
    Member

    Sorry to bump this topic, but as I’m having the same issue, I’d like some help.
    I want to block external access to the web interface standard ports (tcp 80 and 443).

    I have 2 WAN interfaces, eth01 (192.168.10.250) and eth02 (192.168.11.250).
    When I add an input chain rule to block tcp port 443 on the incoming eth01 interface, it doesn’t block anything.

    Any idea?

    #52634

    redfive
    Participant

    Take a look above at JC’s post.
    Greetings

    #52635

    Shadok
    Member

    It doesn’t fit my need.
    I want to specifically block tcp 80 and 443 connections on my wan interfaces.

    #52636

    redfive
    Participant

    Hi Shadok, the management rules are “hidden” and “above” (in the input chain) the other rules that you can add or remove via the GUI (but you can see all rules through the View button on the firewall page).
    It is possible to manage them via System>>Setup>>Https (ssh if required). Assuming ETH00 is your internal network, add ETH00 (and possibly the IP address from which the management is allowed) in “System>>Setup>>Https>>Allow access only from”, save, reboot the system (even if I never needed to reboot...) and then try to access the web interface from the WAN. I have a setup similar to yours (two load-balanced WANs) and the management rules work perfectly.
    Greetings
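
The ordering effect redfive describes, as an added example that is not part of the thread and not Zeroshell's own rule set: a small first-match evaluator over constructed `iptables -S`-style rules, showing why a DROP added below a broader ACCEPT never fires. ETH00 as the LAN side and ETH01 as a WAN interface are assumptions taken from the posts above.

```python
import shlex

# Constructed rules in `iptables -S INPUT` style (not dumped from a real Zeroshell box).
# Rule 1 stands in for a hidden management rule; rule 2 is a DROP added later via the GUI.
SHADOWED = """\
-P INPUT ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i ETH01 -p tcp --dport 443 -j DROP
"""

# Constructed: management ACCEPT limited to the LAN interface, default policy DROP.
RESTRICTED = """\
-P INPUT DROP
-A INPUT -i ETH00 -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

def parse(ruleset):
    """Return (policy, rules); each rule is a dict of option -> value."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            policy = tok[2]
        elif tok[0] == "-A":
            # Options after the chain name come in (flag, value) pairs.
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules

def decide(ruleset, iface, proto, dport, state="NEW"):
    """First matching rule wins; returns (verdict, rule number), 0 meaning chain policy."""
    policy, rules = parse(ruleset)
    for n, r in enumerate(rules, 1):
        if "-i" in r and r["-i"] != iface:
            continue
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dport" in r and int(r["--dport"]) != dport:
            continue
        if "--state" in r and state not in r["--state"].split(","):
            continue
        return r["-j"], n
    return policy, 0

if __name__ == "__main__":
    print(decide(SHADOWED, "ETH01", "tcp", 443))    # WAN packet hits rule 1 first
    print(decide(RESTRICTED, "ETH01", "tcp", 443))  # WAN packet falls through to policy
    print(decide(RESTRICTED, "ETH00", "tcp", 443))  # LAN packet is accepted
```
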

    #52637

    Shadok
    Member

    Thanks but no (again).
    Let me explain it more clearly.

    I want to be able to access Zeroshell from my LAN on ports 80 and 443.
    But I want to be able to access it from outside, from whatever IP address I would be using, but on ports 980 and 943.

    I previously had an ADSL box which allowed me to do that with NAT.
    Now, it’s only a gateway, so I can’t do that anymore.

    I still have NAT on Zeroshell to redirect incoming 980 and 943 tcp ports to its web interface (80 and 443).

    So I need to block incoming ports 80 and 443 from outside.
