Prevent LAN computers from being directed to WAN public IP address, DEFCON-18
-
The root of my question is from this DEFCON-18 video: https://www.youtube.com/watch?v=r13ESXEfQVE
I would like to prevent computers on my LAN network from resolving to my public WAN address (i.e. I want my local computers to NOT be able to access pfsense admin page from a non-local IP address). The video above is several years old and this type of attack may already be prevented by some other portion of the pfsense software. However, this morning, from a local LAN computer, I was able to access the pfsense admin console using my public WAN address, so the door -seems- to still be open.
I'm looking for an easy way to identify my current WAN public IP address; something similar to "This Firewall(self)" but only the current public WAN address.
Thanks!
-
I think I may have just figured out why this rule may not really be necessary. Since access to pfsense admin console is only through https, being routed back to pfsense's public WAN address during a rebinding attack would not allow access to the box.
Correct?
-
Access to the web interface is allowed by default on the LAN but not the WAN.
To lockout access from anyone else besides designated IPs see this document…
https://doc.pfsense.org/index.php/Restrict_access_to_management_interface