Disabling pfSense web ui on WAN (entered from LAN) and other VLANS
-
The only ports open on my WAN are for services I'm using (SSH/FTP/HTTP/Torrents, etc.).
I'm thinking you didn't quite understand what I was trying to say.
If I browse to http://My-Public-IP from outside my home I do not get access to the pfSense web UI. It only happens when browsing to the public IP from within the LAN.
-
You could use an explicit rule allowing:
IPv4 TCP from LAN net * to LAN address ports 80, 443
-
So block those VLANs from accessing firewall IPs on the management ports, 22, 80, 443, etc.
What do the rules look like on the VLANs you don't want to access your web GUI from?
So for example my guest WLAN is locked down to only be able to ping the firewall on the interface in that VLAN. And it cannot access any other VLANs either, with the allow that says ! (not) my other local networks in that alias.
-
As already noted above, you should block access to "This Firewall" management ports.
-
Pass traffic on This firewall (self) that you want people to be able to access (like DNS) then reject any to This firewall (self).
-
The only ports open on my WAN are for services I'm using (SSH/FTP/HTTP/Torrents, etc.).
I'm thinking you didn't quite understand what I was trying to say.
No, I do understand... you don't understand.
-
Maybe I'm truly misunderstanding something obvious and if so I apologize profusely. But all the methods above seem to me to address blocking access to the web UI in and of itself, which is perfect for restricting certain VLANs. But on some VLANs I ONLY want to block access to the web UI from the LAN when http://75.76.xxx.xxx is entered. If http://192.168.1.1 (or w/e internal IP) is entered I WANT to be able to access the web UI.
Here is the link to the video https://www.youtube.com/watch?v=0duYxPIx8gU describing DNS rebinding attacks, and that a router is vulnerable (at least according to the video) if the web UI can be accessed by typing the public IP into the browser from the LAN.
-
But on some VLANs I ONLY want to block access to the web UI from the LAN when http://75.76.xxx.xxx is entered. If http://192.168.1.1 (or w/e internal IP) is entered I WANT to be able to access the web UI.
So on those VLANs block just that destination instead of This firewall.
I, personally, don't see why it would matter - the webgui is the webgui - but knock yourself out.
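The two pieces of advice in this thread (pass what the firewall should serve, then reject the rest to "This firewall", and, for the narrower case, reject only the WAN address as destination) both depend on pfSense evaluating an interface's rules top-down with first match winning. The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator that models a LAN rule set built the way the posts describe, plus the same rules in the wrong order to show the shadowing that the pass-then-reject ordering avoids. All addresses are constructed (203.0.113.10, a documentation-range address, stands in for the masked public IP), and the rule set ignores pfSense's own automatically added rules such as the anti-lockout rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for this example (not taken from the thread). The poster's
# public address is masked as 75.76.xxx.xxx; 203.0.113.10 (a documentation range)
# stands in for it here.
LAN_NET = "192.168.1.0/24"
LAN_ADDR = "192.168.1.1/32"
WAN_ADDR = "203.0.113.10/32"
# "This firewall (self)" in pfSense matches every address the firewall itself holds.
THIS_FIREWALL = (LAN_ADDR, WAN_ADDR)
ANY = ("0.0.0.0/0",)
MGMT_PORTS = frozenset({22, 80, 443})


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "reject"
    proto: str                         # "tcp", "udp" or "any"
    src: Tuple[str, ...]               # source networks (CIDR)
    dst: Tuple[str, ...]               # destination networks (CIDR)
    ports: Optional[frozenset] = None  # destination ports; None means any port
    note: str = ""


def _in_any(addr: str, nets: Tuple[str, ...]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule: Rule, proto: str, src: str, dst: str, port: int) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return _in_any(src, rule.src) and _in_any(dst, rule.dst)


def evaluate(rules, proto: str, src: str, dst: str, port: int):
    """First-match evaluation, the way pfSense walks an interface's rule list.
    Returns (action, note) of the winning rule, or the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, port):
            return rule.action, rule.note
    return "block", "implicit default deny"


# LAN interface rules in the order the thread recommends: pass what the firewall
# should serve (DNS), allow the GUI only on the LAN address, reject the management
# ports on the WAN address, then the usual allow-everything-else LAN rule.
LAN_RULES = [
    Rule("pass", "any", (LAN_NET,), THIS_FIREWALL, frozenset({53}), "DNS to this firewall"),
    Rule("pass", "tcp", (LAN_NET,), (LAN_ADDR,), frozenset({80, 443}), "GUI via LAN address"),
    Rule("reject", "tcp", (LAN_NET,), (WAN_ADDR,), MGMT_PORTS, "no GUI/SSH via WAN address"),
    Rule("pass", "any", (LAN_NET,), ANY, None, "default LAN allow"),
]

# The same intent with the pass-then-reject order broken: a reject to "This
# firewall" placed first shadows the LAN-address pass, so the GUI is unreachable.
MISORDERED_RULES = [
    Rule("reject", "tcp", (LAN_NET,), THIS_FIREWALL, MGMT_PORTS, "reject mgmt to this firewall"),
    Rule("pass", "tcp", (LAN_NET,), (LAN_ADDR,), frozenset({80, 443}), "GUI via LAN address (shadowed)"),
    Rule("pass", "any", (LAN_NET,), ANY, None, "default LAN allow"),
]


def gui_via_lan_address(rules=LAN_RULES) -> str:
    return evaluate(rules, "tcp", "192.168.1.50", "192.168.1.1", 443)[0]


def gui_via_wan_address(rules=LAN_RULES) -> str:
    return evaluate(rules, "tcp", "192.168.1.50", "203.0.113.10", 443)[0]


if __name__ == "__main__":
    checks = [
        ("udp", "192.168.1.50", "192.168.1.1", 53),
        ("tcp", "192.168.1.50", "192.168.1.1", 443),
        ("tcp", "192.168.1.50", "203.0.113.10", 443),
        ("tcp", "192.168.1.50", "198.51.100.7", 443),
    ]
    for name, rules in (("ordered", LAN_RULES), ("misordered", MISORDERED_RULES)):
        for proto, src, dst, port in checks:
            action, note = evaluate(rules, proto, src, dst, port)
            print(f"{name:10} {proto} {src} -> {dst}:{port}: {action} ({note})")
```

With the ordered set, a LAN host reaches the GUI at 192.168.1.1 but is rejected at the WAN address, DNS to either firewall address still passes, and ordinary outbound traffic falls through to the default allow. With the misordered set the GUI is rejected on both addresses, which is the lockout the "pass first, then reject" advice is meant to prevent.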
-
You do understand, unless you have opened up the WAN rules, that the webgui is not available from the actual WAN. If you're going to allow VLAN X to access it via the VLAN X IP address of pfSense - WTF does it matter if they can also access it via the WAN IP from the LAN side??
-
Honestly I don't know why there would be a difference either, but I'm not a security researcher presenting at Black Hat, and the claim he made was that if the WAN IP can be used to access the web UI from the LAN then you are vulnerable to DNS rebinding attacks. I was taking him at his word. Do you think this information is wrong?
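The mechanism behind the distinction the thread is arguing about, as an added example that is not part of the thread: the usual resolver-side rebinding protection rejects answers for external names that point into private address ranges, so a name that rebinds to 192.168.1.1 is caught. An answer that instead points to the firewall's own public WAN address is not a private address and passes that filter, which is the case where the GUI being reachable on the WAN address from the LAN matters. The code below contrasts a private-range-only filter with one that also knows the firewall's own addresses. The addresses, the local zone name home.arpa and the sample answers are constructed for the example; 203.0.113.10 stands in for the masked public IP.

```python
import ipaddress
from typing import List, Tuple

# Constructed values for this example (not from the thread). 203.0.113.10 stands in
# for the poster's masked public address; home.arpa is the assumed local DNS zone
# whose names may legitimately resolve to internal addresses.
FIREWALL_ADDRS = {"192.168.1.1", "203.0.113.10"}
LOCAL_ZONE = "home.arpa"

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def _is_local_name(name: str) -> bool:
    return name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE)


def private_range_filter(name: str, addr: str) -> str:
    """Verdict of a plain private-address filter, the usual resolver-side
    rebinding protection: an external name answering with a private, loopback,
    link-local or CGNAT address is rejected."""
    if _is_local_name(name):
        return "allow"
    ip = ipaddress.ip_address(addr)
    return "reject" if any(ip in net for net in PRIVATE_RANGES) else "allow"


def firewall_aware_filter(name: str, addr: str) -> str:
    """The same filter extended to reject an external name that answers with
    any address the firewall itself holds, its public WAN address included."""
    if private_range_filter(name, addr) == "reject":
        return "reject"
    if not _is_local_name(name) and addr in FIREWALL_ADDRS:
        return "reject"
    return "allow"


# Constructed answers (name, A record) as a resolver might return them.
SAMPLE_ANSWERS: List[Tuple[str, str]] = [
    ("cdn.example.com", "198.51.100.7"),          # ordinary public answer
    ("rebind-test.example.com", "192.168.1.1"),   # external name -> firewall LAN address
    ("rebind-test.example.com", "203.0.113.10"),  # external name -> firewall WAN address
    ("fw.home.arpa", "192.168.1.1"),              # local name -> LAN address, legitimate
]


def classify(answers=SAMPLE_ANSWERS):
    """Return (name, addr, private-range verdict, firewall-aware verdict) per answer."""
    return [(n, a, private_range_filter(n, a), firewall_aware_filter(n, a)) for n, a in answers]


if __name__ == "__main__":
    for name, addr, plain, aware in classify():
        print(f"{name:28} {addr:15} private-range={plain:6} firewall-aware={aware}")
```

The third sample answer is the interesting one: the private-range filter allows it while the firewall-aware filter rejects it. Whether that case is worth closing on a given network is exactly the question this thread leaves open; blocking the GUI ports on the WAN address from the LAN, as suggested earlier, removes the reachable service rather than relying on the resolver to catch the answer.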