Netgate Discussion Forum

    How to prevent access to management interface from WLAN and DMZ?

    Firewalling
    20 Posts 4 Posters 5.8k Views
    • Derelict (LAYER 8 Netgate)

      Sorry.  You have to set the protocol to TCP.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Ip Man

        @Derelict:

        No. In the port.  Select other and you can type an alias in the box to the right.

        Wait! "Destination port range" appeared when I selected TCP under Protocol. Is TCP correct?

        • Ip Man

          @Derelict:

          Sorry.  You have to set the protocol to TCP.

          Ok, I found out by myself  :)

          • Ip Man

            It looks like it is working. I did the same on the WLAN interface. I can ping 192.168.2.1 from WLAN but I can't access the management interface. Is this enough to prevent access? Can other ports than I specified in "admin ports" (80, 443, 22) be used to access the management interface?

            • Derelict (LAYER 8 Netgate)

              No.  It listens on tcp/443 unless you change it.

              It also redirects from http://:80 to https://:443 unless you disable it.

              SSH listens on 22 if you enable it and don't change the port.

              If you're concerned about more than the management interface, then forget about blocking to the admin_ports and, instead, pass what you want (like ICMP and DNS) and block everything else.

              Like:

              pass TCP/UDP source DMZ net dest admin_addresses port 53 #Allow DNS
              pass ICMP source DMZ net dest admin_addresses  # Allow pings to DMZ address
              pass ICMP source DMZ net dest WAN Address # Allow pings to WAN address
              block any source DMZ net dest admin_addresses any #Block everything else to DMZ address
              block any source DMZ net dest WAN address any # Block everything else to WAN address
              pass any any any any #Pass everything else.

                • Ip Man

                @Derelict:

                No.  It listens on tcp/443 unless you change it.

                It also redirects from http://:80 to https://:443 unless you disable it.

                SSH listens on 22 if you enable it and don't change the port.

                If you're concerned about more than the management interface, then forget about blocking to the admin_ports and, instead, pass what you want (like ICMP and DNS) and block everything else.

                Like:

                pass TCP/UDP source DMZ net dest admin_addresses port 53 #Allow DNS
                pass ICMP source DMZ net dest admin_addresses  # Allow pings to DMZ address
                pass ICMP source DMZ net dest WAN Address # Allow pings to WAN address
                block any source DMZ net dest admin_addresses any #Block everything else to DMZ address
                block any source DMZ net dest WAN address any # Block everything else to WAN address
                pass any any any any #Pass everything else.

                Thanks for helping me! I use the block rules you mentioned before to isolate WLAN and DMZ; the only weakness I'm aware of was the exposed management interfaces. What about IPv6? Do I have to make separate block rules for that as well?

                  • Derelict (LAYER 8 Netgate)

                  Yes.  Here are the caveats for creating single rules for both IPv4+IPv6:

                  You cannot assign a gateway to a rule that applies to IPv4 and IPv6.
                  You cannot assign a protocol other than ICMP, TCP, UDP or TCP/UDP to a rule that applies to IPv4 and IPv6.

                  That protocol caveat means no "any".

                  Looks like you might be able to change some of them to cover both stacks.

                    • Ip Man

                    @Derelict:

                    Don't forget your WAN address(es)
                    block source DMZ net dest WAN address ports admin_ports

                    For some reason I did not consider access to the management interface from DMZ -> WAN at all. Is that even possible?

                      • Derelict (LAYER 8 Netgate)

                      Yes.  It's easily overlooked.

                        • jimp (Rebel Alliance Developer Netgate)

                        @Ip:

                        @Derelict:

                        Don't forget your WAN address(es)
                        block source DMZ net dest WAN address ports admin_ports

                        For some reason I did not consider access to the management interface from DMZ -> WAN at all. Is that even possible?

                        @Derelict:

                        Yes.  It's easily overlooked.

                        On 2.2 this is easier, as you can have a rule that has "(self)" as a target, which is an internal pf macro that means "any IP address on the firewall".

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                          • Ip Man
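The rule list Derelict posted above, the IPv4/IPv6 caveat, and jimp's "(self)" target can all be checked against sample traffic with a small first-match evaluator. This is an added example, not pfSense code and not either poster's configuration: the topology, the addresses and the contents of the admin_addresses, WAN address and (self) aliases are constructed for illustration, and the evaluator models pf's first-match ("quick") semantics with pfSense's implicit default deny rather than parsing real rules.

```python
"""First-match model of the DMZ isolation rules from the thread.

Added example, not pfSense code or the posters' configuration. It reproduces
pf-style first-match evaluation with a default deny so the rule list above can
be tested against sample traffic. All addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumption): one address per firewall interface, dual-stack.
NETWORKS = {
    "DMZ net": [ip_network("192.168.2.0/24"), ip_network("2001:db8:2::/64")],
}
ALIASES = {
    # The thread's admin_addresses alias: the firewall's internal interface addresses.
    "admin_addresses": {"192.168.1.1", "192.168.2.1", "192.168.3.1",
                        "2001:db8:1::1", "2001:db8:2::1", "2001:db8:3::1"},
    "WAN address": {"203.0.113.10", "2001:db8:ffff::10"},
}
# pfSense 2.2's "(self)" target: every address the firewall holds, WAN included.
ALIASES["(self)"] = ALIASES["admin_addresses"] | ALIASES["WAN address"]
ADMIN_PORTS = (22, 80, 443)   # SSH, HTTP redirect, HTTPS GUI


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

    @property
    def family(self) -> str:
        return "inet" if ip_address(self.src).version == 4 else "inet6"


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    proto: str                      # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str                        # network name or "any"
    dst: str                        # alias name or "any"
    dport: Optional[frozenset] = None   # None = any port
    family: str = "inet"            # one family per rule, as the caveat in the thread requires


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.family != pkt.family:
        return False
    if rule.proto != "any" and not (
            rule.proto == pkt.proto
            or (rule.proto == "tcp/udp" and pkt.proto in ("tcp", "udp"))):
        return False
    if rule.src != "any" and not any(ip_address(pkt.src) in n for n in NETWORKS[rule.src]):
        return False
    if rule.dst != "any" and str(ip_address(pkt.dst)) not in ALIASES[rule.dst]:
        return False
    return rule.dport is None or pkt.dport in rule.dport


def evaluate(rules, pkt: Packet) -> str:
    """Action of the first matching rule; with no match, pfSense's default is to block."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "block"


def exposed_admin_ports(rules, src: str, dst: str) -> set:
    """Admin ports a host at src can open on dst; an empty set means GUI and SSH are unreachable."""
    return {p for p in ADMIN_PORTS if evaluate(rules, Packet(src, dst, "tcp", p)) == "pass"}


# The DMZ-tab rules from the post, in the order given (IPv4 only, as written).
DMZ_RULES = [
    Rule("pass", "tcp/udp", "DMZ net", "admin_addresses", frozenset({53})),  # Allow DNS
    Rule("pass", "icmp", "DMZ net", "admin_addresses"),   # Allow pings to DMZ address
    Rule("pass", "icmp", "DMZ net", "WAN address"),       # Allow pings to WAN address
    Rule("block", "any", "DMZ net", "admin_addresses"),   # Block everything else to DMZ address
    Rule("block", "any", "DMZ net", "WAN address"),       # Block everything else to WAN address
    Rule("pass", "any", "any", "any"),                    # Pass everything else
]

# An IPv6 pass-all with no IPv6 block rules in front of it: the management
# interface is reachable again over IPv6 even though IPv4 is locked down.
DMZ_RULES_V6_UNFIXED = DMZ_RULES + [Rule("pass", "any", "any", "any", family="inet6")]

# Separate IPv6 rules, since a protocol "any" rule cannot cover both families;
# "(self)" covers the WAN address as well, so one block rule is enough here.
DMZ_RULES_V6_FIXED = DMZ_RULES + [
    Rule("pass", "tcp/udp", "DMZ net", "admin_addresses", frozenset({53}), family="inet6"),
    Rule("pass", "icmp", "DMZ net", "admin_addresses", family="inet6"),
    Rule("block", "any", "DMZ net", "(self)", family="inet6"),
    Rule("pass", "any", "any", "any", family="inet6"),
]

if __name__ == "__main__":
    print("IPv4 DMZ -> DMZ address:", exposed_admin_ports(DMZ_RULES, "192.168.2.50", "192.168.2.1"))
    print("IPv4 DMZ -> WAN address:", exposed_admin_ports(DMZ_RULES, "192.168.2.50", "203.0.113.10"))
    print("IPv6, no v6 blocks:", exposed_admin_ports(DMZ_RULES_V6_UNFIXED, "2001:db8:2::50", "2001:db8:2::1"))
    print("IPv6, with v6 blocks:", exposed_admin_ports(DMZ_RULES_V6_FIXED, "2001:db8:2::50", "2001:db8:2::1"))
```

Two things the model makes visible that the rule list alone does not: rule order is what keeps DNS working (moving the block rule above the DNS pass would break name resolution from the DMZ), and the rules only match sources in DMZ net, so the WLAN tab needs its own copy, as the original poster did.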

                          @jimp:

                          @Ip:

                          @Derelict:

                          Don't forget your WAN address(es)
                          block source DMZ net dest WAN address ports admin_ports

                          For some reason I did not consider access to the management interface from DMZ -> WAN at all. Is that even possible?

                          @Derelict:

                          Yes.  It's easily overlooked.

                          On 2.2 this is easier, as you can have a rule that has "(self)" as a target, which is an internal pf macro that means "any IP address on the firewall".

                          Good to know. I'm looking forward to 2.2 and the new book :)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.