Author Topic: ebox administration page  (Read 1852 times)

scooke

ebox administration page
« on: August 29, 2008, 06:43:42 pm »
Hey,

I installed and configured ebox for openvpn and it is up and running. The problem now is that I can't reach the ebox administration page unless I connect with an XP client to openvpn. The webpage is then reachable again.
When I turn off the firewall (/etc/init.d/ebox firewall stop), the page is also reachable even when I'm not connected to openvpn.


My interface setup:

Name: eth0
Method: static
External: yes
IP address: 192.168.1.33
Netmask: 255.255.0.0

Virtual interfaces
Name      IP address      Netmask        Action
intern    192.168.1.34    255.255.0.0

javi

Re: ebox administration page
« Reply #1 on: September 01, 2008, 04:19:40 pm »
Hi,

The access to the administration port is not allowed by default through external interfaces.

If you want to allow it, go to: Firewall->Packet filter->Filtering rules from external networks to eBox

And add a rule to allow the "eBox administration" service. Save changes and you are done :)

scooke

Re: ebox administration page
« Reply #2 on: September 02, 2008, 10:44:34 am »
With my setup, the external interface is allowed to log in on the ebox web interface... Normally it should be allowed for the internal interface?
If I make a connection, then I can log in, thus it is at that moment already possible to log in via the external interface.
When I disconnect, it can't log in on the web interface. What's wrong with my setup?

tnx

javi

Re: ebox administration page
« Reply #3 on: September 02, 2008, 11:35:01 am »
Note that the typical installation where eBox is acting as a gateway needs two physical interfaces, one external and one internal. That's the way that eBox has to know that all incoming traffic through an external interface can be potentially evil. If you go with just one physical interface, you must configure your firewall according to that.

Quote
If I make a connection, then I can log in, thus it is at that moment already possible to log in via the external interface.
When I disconnect, it can't log in on the web interface. What's wrong with my setup?

That's the way the iptables conntrack module works: when a connection has been established, it is always accepted, no matter if you add a new rule to deny it. New connections will be dropped though. This is something that we will change in the future using conntrack tools, which allow us to "remove" all the established connections once the firewall has been restarted.
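
The conntrack behaviour described in Reply #3, as an added example that is not part of the thread and is not eBox code: a minimal Python model of first-match stateful filtering, assuming a ruleset that accepts ESTABLISHED traffic before any other rule. The port and the client addresses are constructed placeholders, and the class and function names are hypothetical.

```python
# Toy model of first-match stateful filtering. Not eBox's real ruleset.
ADMIN_PORT = 8443                      # constructed placeholder port
BOX = "192.168.1.33"                   # eth0 address from the first post
CLIENT_A, CLIENT_B = "192.168.1.50", "192.168.1.51"   # constructed clients


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)       # ordered (match_fn, verdict) pairs
        self.conntrack = set()         # tracked flows: (src, dst, dport)

    def packet(self, src, dst, dport):
        flow = (src, dst, dport)
        state = "ESTABLISHED" if flow in self.conntrack else "NEW"
        for match, verdict in self.rules:          # first match wins
            if match(state, dport):
                if verdict == "ACCEPT":
                    self.conntrack.add(flow)       # accepted flows are tracked
                return verdict
        return "DROP"                              # default policy

    def flush_conntrack(self):
        """Forget every tracked flow, so the next packet is evaluated as NEW."""
        self.conntrack.clear()


# Assumed rule order: ESTABLISHED is accepted before anything else is checked.
established = (lambda state, dport: state == "ESTABLISHED", "ACCEPT")
allow_admin = (lambda state, dport: state == "NEW" and dport == ADMIN_PORT, "ACCEPT")
deny_admin = (lambda state, dport: dport == ADMIN_PORT, "DROP")


def demo():
    fw = Firewall([established, allow_admin])
    verdicts = [fw.packet(CLIENT_A, BOX, ADMIN_PORT)]     # new flow, allowed
    # Rules are reloaded with a deny rule, but the conntrack table is kept.
    fw.rules = [established, deny_admin]
    verdicts.append(fw.packet(CLIENT_A, BOX, ADMIN_PORT)) # tracked flow survives
    verdicts.append(fw.packet(CLIENT_B, BOX, ADMIN_PORT)) # new flow hits the deny
    fw.flush_conntrack()                                  # drop tracked state
    verdicts.append(fw.packet(CLIENT_A, BOX, ADMIN_PORT)) # now denied as well
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The second verdict is the case from the thread: the deny rule is in place, but the already-tracked flow matches the ESTABLISHED rule first and never reaches it until the tracked state is removed.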