No WAN access from inside LANs...
-
success ! Where can I send you a beer ? ..or two ?
wondering though, while having specified the TCP/UDP traffic as I have it above, should I have not had internet access ? like Google ?
-
@njaimo yeah those would allow access to the internet for tcp/udp, but not if you had your static arp issue, etc. And your blocking access to lan and iot - what are you pointing to for dns on this dmz.. If it was say your lan IP then no you wouldn't of been able to use dns. Which kind of needed to get to say www.google.com ;)
Or if you if you had messed with your outbound nat rules, and taken them off auto without correctly setting nat, etc.
-
learned something new, Thank You !! Thank you All !
-
@njaimo so you're all sorted? If you are unclear on what some feature does, some advice ;) Ask before clicking it - hahah
-
@johnpoz ...got it ! :) Thanks.
BTW -- one more stupid question while I am in the hole for now... ?
Logging into the pfSense GUI via https, if I screw up my password just once, I get locked out for a time... I have looked where I can maybe change this, but have not been able to find it, which is why I had created yet another user with a different password, but it did not help, once I got locked out, I could not even try an alternate user... What am I screwing up on ?
-
@njaimo hmmm - I have never ran into such a thing.. But then again I don't have that enabled.. Nobody can get to my gui but my machine anyway ;)
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#login-protection
Is that something else you clicked on? ;) I don't recall if that is enabled by default - I wouldn't think so?? But long time since I have used default configs, since when I update even when clean I normally load my last config, etc.
edit: hmm looks like it is enabled by default - did you alter the default settings?
edit2: I just added my PC IP to bypass list, just in case ;) As you say we learn something new everyday - heheh
edit3: And I use a password manager to enter the password, which is quite long and complex that would be just a PITA to enter by hand.. So I can not recall the last time I would of entered the password wrong ;)
-
@johnpoz ...since this is my home, I do not have had need to use ssh from outside, and figured it woudl be easiest to access the GUI via https and a web browser in the net. ...ANd I had a bad case of "click-itis"... LOL
I see there is a max of "10" down in "login protection" on the same page, but I get locked out after the first try, and it takes about 30 minutes to let me try again... I do not recall editing any default settings on this...
-
@njaimo not sure what ssh has to do with anything? Did you open the webgui to the internet?
Did you look in your log for login attempts? What does it say your level of attack was?
-
Your IP will get blocked by sshguard for a few minutes if you try to login and fail three times. If you then fail again it will block you for longer.
You can just add your IP to the whitelist to prevent sshguard triggering against it.sshguard monitors all login attempts not just ssh, confusingly!
Steve
-
Thank you for the replies ! ...sorry for the delay, had to be away from home this morning.
I get blocked after just one failed login (seems its been like that for years) but I do can log in from the other net, which I had not tried before, thank you for that tip. Here is the log, seems the failed logging is considered a level-10
-
this is what I enter to access while on Firefox browser
https://192.168.1.1/index.php -
@njaimo but I believe it defaults to 30.. Did you adjust that down to 10.. You should be able to put in a couple of typos before it blocks you with it at 30.
Key word being "cumulative" if you adjusted it down to 10, and changed the setting to 3600 seconds vs the default of 120, then yeah one typo is going to make you wait an hour.
I think your victim of your own
ANd I had a bad case of "click-itis"... LOL
-
@johnpoz
ha-ha ..not again ! :) Well I figured I could type the correct password in way less attempt than 10, and the time I set to make any unauthorized person trying to login wait quite a while....I assume these settings would also apply to anyone trying to log in via SSH from the outside ?
I'll change back to "30", I really only need 2 attempts, as I realize when I typed the wrong password... Maybe need to start using a pw-manager...
MANY Thanks again for all the help !!!!!
-
@njaimo ...I get it I misunderstood the "score" bit, it is not login attempts... :)
Cheers
