Redirect Error
-
To remotely access our firewalls we set up a rule that state:
From: Office Alias
To: Remote WAN IP
On: A defined off port
Redirects: To LAN IP on port 443
We do this as it protects the remote network from external logins and allows port 443 to be redirected and used for other services if needed.One of the System Patches (haven't looked, don't know which one) now flags a redirect or referral error and tells us that we need to go to System->Advanced->Admin Access and check the box to disable Browser HTTP_REFERER enforcement. I just applied the patches remotely a firewall and it gave me that error. We can still get to it on port 80 and once I did, now I can get in on the off port without an error. I didn't have to make any changes. I'm fairly certain the way we do it is secure but I don't want to open up these units for convenience so I'd rather not disable that feature if possible.
Can anyone suggest to me the safest way to move forward on this?
Edit: I just installed the System Patches Package on another unit and installed the patches 1 by 1. The error didn't show up. I've had it appear on 2 other units so far so I'm a bit confused.
-
What pfSense version?
I'm not aware of any patch that should affect that though.
Had you disabled the check before applying the patches? Or added any additional hostnames? Are you accessing it by the WAN IP directly?Steve
-
@stephenw10
It's 2.7.2. Disabling that does fix the issue. We have dozens of units that we've been using for probably 10 years now and it has only started recently. I don't know what triggered it the first time. The second time it was immediately after installing the System Patches package and applying all patches. -
And are you accessing it by IP directly or by hostname? If it's hostame what does that resolve to and does that firewall actually have that hostname?
It sounds like it may be correctly triggering, in which case the question becomes why wasn't it before?
-
@Stewart I think you should access the firewall on the WAN-interface and not do a redirect to the LAN-interface?
But then, I always need to Disable HTTP_REFERER enforcement check if I am accessing the firewall on an IP-Address not known to the firewall itself. Maybe @stephenw10 can elaborate on this.
-
Well, yes, I expect to have to disable it in many of those situations which is why it's curious it was working before.
-
@stephenw10 Interestingly, if I make the unknown IP-address an IP Alias VIP on WAN, I don't need to disable this.
In the DHCP Client Configuration on WAN there is a field called "Alias IPv4 address" but that doesn't do it.
-
Yes, if the IP address exists on the firewall it should allow it. So that includes virtual IPs.
