Access to Pfsense Portal
-
Hi,
I have pfsene 2.3.2-Relase-p1 installed. Port igb0 - WAN, port igb1 - LAN (2 VLAN is created on igb1 - vlan20 and vlan30)
Why is that from the VLAN 20 I can still browse the firewall portal on 192.168.30.1 and via versa from VLan30 I can browse the firewall portal 192.168.20.1?.What else do I not done right here? What I want to do is to block access to the firewall portal for users on VLan 20 and 30. Thank you.
-
Firewall rules for LAN is DEFAULT.
-
Firewall rule for VLAN20 (ipv4 - 192.168.20.1)
IPv4 protocol - TCP, source - any, port - any, destination - VLan20 address, port - any, gateway *
IPv4 protocol - any, source - vlan20 net, port - any, destination - any, port - any, gateway *
3) Firewall rule for VLAN30 (192.168.30.1)
IPv4 protocol - TCP, source - any, port - any, destination - VLan30 address, port - any, gateway *
IPv4 protocol - any, source - vlan30 net, port - any, destination - any, port - any, gateway * -
-
Why is that from the VLAN 20 I can still browse the firewall portal on 192.168.30.1 and via versa from VLan30 I can browse the firewall portal 192.168.20.1?.
You allow this access in you firewall rule with source = any.
- Firewall rule for VLAN20 (ipv4 - 192.168.20.1)
IPv4 protocol - TCP, source - any, port - any, destination - VLan20 address, port - any, gateway *
3) Firewall rule for VLAN30 (192.168.30.1)
IPv4 protocol - TCP, source - any, port - any, destination - VLan30 address, port - any, gateway *You my also be able to access the pfSense GUI from WAN interface this way.
Restrict the source to the appropriate subnet. - Firewall rule for VLAN20 (ipv4 - 192.168.20.1)
-
When the rules says that source - any to the destination address is block/reject. Should that mean that from any where regardless to that particular address be block/reject??
-
So are these block rules?
-
So are these block rules?
Yes, The first rule of each of the VLAN is a block rule to the destination vlan address.
-
Okay, but if you want to block access to the Web GUI from an interface you have to block all interface IPs.
-
Okay, but if you want to block access to the Web GUI from an interface you have to block all interface IPs.
May I know what rules do I need to create? Thank you.
-
Post up you rules.. And we can go over what your doing wrong and or what you need to add/create.
Rules are evaluated top down as the traffic enters that interface, first rule to trigger wins. No other rules are looked at.
If you don't want vlan X to go to vlan Y then on vlan X block traffic to vlan Y..
-
Here are my rules
pfctl -sr
scrub on igb0 all fragment reassemble
scrub on igb1 all fragment reassemble
scrub on igb2 all fragment reassemble
scrub on igb1_vlan20 all fragment reassemble
scrub on igb1_vlan30 all fragment reassemble
scrub on igb1_vlan40 all fragment reassemble
scrub on igb1_vlan50 all fragment reassemble
anchor "relayd/" all
anchor "openvpn/" all
anchor "ipsec/" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c>to any label "Block snort2c hosts"
block drop log quick from any to <snort2c>label "Block snort2c hosts"
block drop in log quick proto carp from (self) to any
pass quick proto carp all no state
block drop in log quick proto tcp from <sshlockout>to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout>to (self) port = http label "webConfiguratorlockout"
block drop in log quick from <virusprot>to any label "virusprot overload table"
pass in quick on igb0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
pass in quick on igb0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
pass out quick on igb0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
block drop in log on ! igb0 inet from 192.168.8.0/24 to any
block drop in log inet from 192.168.8.21 to any
block drop in log inet from 192.168.8.22 to any
block drop in log on igb0 inet6 from fe80::290:bff:fe3a:42f2 to any
block drop in log on ! igb1 inet from 192.168.10.0/24 to any
block drop in log inet from 192.168.10.1 to any
block drop in log on igb1 inet6 from fe80::290:bff:fe3a:42f3 to any
pass in quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1 inet proto udp from any port = bootpc to 192.168.10.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1 inet proto udp from 192.168.10.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass quick on igb1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on igb1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on igb1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on igb1_vlan20 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1_vlan20 inet proto udp from any port = bootpc to 192.168.20.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1_vlan20 inet proto udp from 192.168.20.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! igb1_vlan30 inet from 192.168.30.0/24 to any
block drop in log inet from 192.168.30.1 to any
block drop in log on igb1_vlan30 inet6 from fe80::290:bff:fe3a:42f3 to any
pass in quick on igb1_vlan30 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1_vlan30 inet proto udp from any port = bootpc to 192.168.30.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1_vlan30 inet proto udp from 192.168.30.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! igb1_vlan40 inet from 192.168.40.0/24 to any
block drop in log inet from 192.168.40.1 to any
block drop in log on igb1_vlan40 inet6 from fe80::290:bff:fe3a:42f3 to any
pass in quick on igb1_vlan40 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1_vlan40 inet proto udp from any port = bootpc to 192.168.40.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1_vlan40 inet proto udp from 192.168.40.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! igb1_vlan50 inet from 192.168.50.0/24 to any
block drop in log inet from 192.168.50.1 to any
block drop in log on igb1_vlan50 inet6 from fe80::290:bff:fe3a:42f3 to any
pass in quick on igb1_vlan50 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1_vlan50 inet proto udp from any port = bootpc to 192.168.50.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1_vlan50 inet proto udp from 192.168.50.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (igb0 192.168.8.1) inet from 192.168.8.21 to ! 192.168.8.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (igb0 192.168.8.1) inet from 192.168.8.22 to ! 192.168.8.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on igb1 proto tcp from any to (igb1) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on igb1 proto tcp from any to (igb1) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/" all
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto icmp from any to 192.168.8.0/24 keep state label "USER_RULE: Ping"
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto tcp from any to 192.168.8.21 port = http flags S/SA keep state label "USER_RULE: HTTP Portal Access"
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto tcp from any to 192.168.8.21 port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto tcp from any to 192.168.20.24 port = 8080 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto tcp from any to 192.168.20.24 port = 8443 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto tcp from any to 192.168.20.24 port = ssh flags S/SA keep state label "USER_RULE: NAT "
pass in quick on igb0 reply-to (igb0 192.168.8.1) inet proto tcp from any to 192.168.20.24 port = http flags S/SA keep state label "USER_RULE: NAT HTTP"
pass in quick on igb1 inet from 192.168.10.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb1 inet proto tcp from any to any port = ssh flags S/SA keep state label "USER_RULE"
pass in quick on igb2 inet all flags S/SA keep state label "USER_RULE"
block return in quick on igb1_vlan20 inet proto tcp from any to 192.168.20.1 flags S/SA label "USER_RULE: Block Access to PfSense"
pass in quick on igb1_vlan20 inet from 192.168.20.0/24 to any flags S/SA keep state label "USER_RULE"
block drop in quick on igb1_vlan30 inet proto icmp from any to 192.168.30.1 label "USER_RULE"
block return in quick on igb1_vlan30 inet proto tcp from any to 192.168.30.1 label "USER_RULE: Block Access to PfSense"
block return in quick on igb1_vlan30 inet proto udp from any to 192.168.30.1 label "USER_RULE: Block Access to PfSense"
pass in quick on igb1_vlan30 inet proto icmp all keep state label "USER_RULE: Ping"
pass in quick on igb1_vlan30 inet proto tcp from 192.168.30.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on igb1_vlan30 inet proto udp from 192.168.30.0/24 to any keep state label "USER_RULE"
block drop in quick on igb1_vlan40 inet proto tcp from any to 192.168.40.1 label "USER_RULE: Block Access to PfSense"
block drop in quick on igb1_vlan40 inet proto udp from any to 192.168.40.1 label "USER_RULE: Block Access to PfSense"
pass in quick on igb1_vlan40 inet proto icmp all keep state label "USER_RULE: Ping"
pass in quick on igb1_vlan40 inet proto tcp from 192.168.40.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on igb1_vlan40 inet proto udp from 192.168.40.0/24 to any keep state label "USER_RULE"
block drop in quick on igb1_vlan50 inet proto tcp from any to 192.168.20.1 label "USER_RULE: Access to Pfsense"
block drop in quick on igb1_vlan50 inet proto udp from any to 192.168.20.1 label "USER_RULE: Access to Pfsense"
pass in quick on igb1_vlan50 inet proto tcp from 192.168.50.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on igb1_vlan50 inet proto udp from 192.168.50.0/24 to any keep state label "USER_RULE"
anchor "tftp-proxy/*" all</virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c> -
dude how freaking hard is a screen shot?? Really!!
Isn't this easier to read ;)
-
Here you go, with the screen capture.
-
Yes much easier to read.. Well your vlan20 is only blocking access to vlan20 address.. After that you have a any any rule.. So yeah you can pretty much do anything you want as long as your not talking to the IP of pfsense vlan20.
If you don't want a network to talk to ANY address on the firewall then use the the firewall alias as dest. See my rule.
That would stop traffic to any IP on pfsense, be it wan, lan or any other vlan, etc. If you want to just stop access to the portal, then put in dest port your running http/https on. If you want to just use dest any with this firewall. Make sure you allow what you want before the block. Ie dns prob needed ;)
So for example. In my dmz rules - I allow ping to pfsense IP on dmz address for ipv4 and ipv6. I then allow DNS to the dmz address. But then I block all other access to any other pfsense IP address on anything. I then have allow rules that allow traffic as long as your NOT (!) going to any of my other networks. Listed in the aliases.
-
I have on the VLAN 30 that blocks incoming into the VLAN address. That should block any source for going there. IF I am on VLAN 20, with the present rules I can access the 192.168.30.1 address. This is what I do not understand.
-
Your reject rule on VLAN30 block only the access to the VLAN30 interface address, not the access to other interface addresses.
But your goal is to block any access to the firewall, right? So an advice: pfSense has a nice alias for that. In the block rule select at destination "This Firewall (self)", so you get what you want.
-
"I have on the VLAN 30 that blocks incoming into the VLAN address. "
That only blocks it if your coming into the vlan 30 interface.. Not when your coming from another interface like vlan 20.
Rules are evaluated on the interface that pfsense FIRST sees the traffic.. Rules on vlan30 block traffic coming into pfsense from vlan30.. Has zero to do with traffic that would enter pfsense from say lan or vlan20 or vlanXYZ..
Think of it this way. Your interfaces are doors into a building (pfsense).. These doors have doorman on them.. They look at a list, your either allowed or your not on the list and denied by the default deny rule. Or there might be a special item on the list that says hey billy is banned from entering the building. Or you might have a rule that says hey billy can come in as long as he is only using the bathroom..
So you need to make sure the doorman at all these doors have a list that has the rules you want them to follow. If billy comes in door A, because doorman A says sure billy can come in. There is nothing stopping him from leaving the building out door B.. Or going over to door B and hitting the doorman on the head ;)
You can get really fancy with floating rules and actually put rules on exit of door. But really those are only for special cases. Just think of your interfaces as doors and write your rules that allow or block what you want as someone enters there door.
-
"I have on the VLAN 30 that blocks incoming into the VLAN address. "
That only blocks it if your coming into the vlan 30 interface.. Not when your coming from another interface like vlan 20.
Rules are evaluated on the interface that pfsense FIRST sees the traffic.. Rules on vlan30 block traffic coming into pfsense from vlan30.. Has zero to do with traffic that would enter pfsense from say lan or vlan20 or vlanXYZ..
Think of it this way. Your interfaces are doors into a building (pfsense).. These doors have doorman on them.. They look at a list, your either allowed or your not on the list and denied by the default deny rule. Or there might be a special item on the list that says hey billy is banned from entering the building. Or you might have a rule that says hey billy can come in as long as he is only using the bathroom..
So you need to make sure the doorman at all these doors have a list that has the rules you want them to follow. If billy comes in door A, because doorman A says sure billy can come in. There is nothing stopping him from leaving the building out door B.. Or going over to door B and hitting the doorman on the head ;)
You can get really fancy with floating rules and actually put rules on exit of door. But really those are only for special cases. Just think of your interfaces as doors and write your rules that allow or block what you want as someone enters there door.
That is what I understand how firewall works. But in this instance, the doorman is only screening people/traffic going out of the door (VLAN30) and don't care about people coming in. For instance, I disable all rules on interface VLAN30, so by definition it should disallow any traffic from going into VLAN30. But in this case traffic from VLAN20 can still access VLAN30 interface, eg I can ping VLAN30 address 192.168.30.1 as well as access the pfsense Web UI. What is your take on this?
-
"I disable all rules on interface VLAN30, so by definition it should disallow any traffic from going into VLAN30. But in this case traffic from VLAN20 can still access VLAN30 interface,"
Dude your not getting it!!! Traffic is INBOUND into an interface.. If vlan 20 is allowed to talk to the IP, then doesn't matter what rules if any you have on vlan30.. If the traffic enters pfsense via vlan20 interface.
Your not "going into the interface" when you came from vlan20..
-
"I disable all rules on interface VLAN30, so by definition it should disallow any traffic from going into VLAN30. But in this case traffic from VLAN20 can still access VLAN30 interface,"
Dude your not getting it!!! Traffic is INBOUND into an interface.. If vlan 20 is allowed to talk to the IP, then doesn't matter what rules if any you have on vlan30.. If the traffic enters pfsense via vlan20 interface.
Your not "going into the interface" when you came from vlan20..
Well, the rule in VLAN20 says that it is allow to talk to the world that does not mean that all the world interface must allow it access…
-
Yeah it does..
If you don't want traffic from vlan 20 talking to vlan 30, then you need a rule that stops it on vlan 20.. That is HOW it works… Pretty much that is how every single firewall on the planet works ;)
Pfense is your house with doors on it.. Front door, back door, side doors, etc.. Where does it make sense to stop traffic before you enter the door. Or after your inside the house.. Your not even leaving the side door, your just touching the inside of the side door.. What rules is suppose to stop you from doing that?? The rule the door man has standing outside the door waiting for people to enter that door??
Here you have can have any rule you want on vlan 30 INBOUND to that doorman.. If you have a rule on another vlan that allows the TRAFFIC - yeah I can go hit the doorman on the head (access portal) Does not matter what the vlan 30 doormans inbound list says.
Even if you put in a rule for outbound traffic in floating for going out the vlan 30 door. Still does not stop you from hitting the doorman on the head because your coming from behind him. Your already inside the house!!!
https://youtu.be/rkcGm-pWwsQ