Netgate Discussion Forum
    Can someone check my firewall rule?

    General pfSense Questions
    12 Posts 2 Posters 1.4k Views
    • Derelict (LAYER 8, Netgate)

      Are you really concerned about those inside your network accessing the web gui? If so, I would put those people on a separate internal interface and block access to the webgui for them entirely.

      Connections from the outside - the internet - are blocked unless you specifically enable them.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • akishore

        At some point, I would like to use VLANs or use a separate interface, but that will take more time and I'm learning slowly. Unfortunately, I do have a couple of tech-savvy internal users that I have to worry about. I wanted to start off with some basic stuff before getting into more secure solutions. Thanks!

        • Derelict (LAYER 8, Netgate)

          Use a good password and be sure to be using SSL every time. Trust the certificate so they can't MITM you. That's about all you can do if you don't trust the people inside and can't isolate management to a management VLAN.

          • akishore

            What do you mean by trust the certificate? I normally get a certificate error when connecting to the device over HTTPS. I'm guessing you mean that, but should I use a different certificate? Create my own?

            Also, for my own knowledge, can you tell me whether that firewall rule will work? I'd like to know just to know.

            Thanks

            • Derelict (LAYER 8, Netgate)

              Turn off the Anti-Lockout rule in System > Advanced. That rule allows access from all LAN hosts and is first so it will match allowing all access.

              • akishore

                Right, I will turn off the anti-lockout rule, but I wanted to make sure the current firewall rule I have is correct so that I don't block myself. So I'm guessing the firewall I added is OK?

                • Derelict (LAYER 8, Netgate)

                  Looks fine.

                  • akishore

                    Thanks. I disabled anti-lockout, but I'm still able to access the web config from any computer on the network! The rules are the only ones that I have in the attached screenshots minus the anti-lockout rule. Do I have to restart the device or something?

                    • Derelict (LAYER 8, Netgate)

                      Sorry, not looking at it closely enough. After that pass rule you need to reject from source LAN net to "this firewall" on admin ports.

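The ordering problem in this thread, worked through as an added example (not code from the forum or from pfSense). It models pfSense's first-match evaluation of LAN interface rules and runs the three rulesets the thread passes through: anti-lockout still enabled, the admin-host pass rule alone above the default "allow LAN to any" rule, and the pass rule followed by a reject from LAN net to the firewall's admin ports. It also shows what happens if the reject is placed above the pass rule (the admin host locks itself out). The addresses, the admin port list, and the simplification of "This Firewall" to the single LAN address are assumptions for the example.

```python
"""First-match evaluation of pfSense-style LAN rules, added to show why the
anti-lockout rule and rule order decide who reaches the web GUI.
Not pfSense code; the topology, ports and rule model are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed topology: LAN 192.168.1.0/24, firewall LAN address 192.168.1.1,
# admin workstation 192.168.1.10, another ("tech-savvy") LAN user 192.168.1.50.
LAN_NET = "192.168.1.0/24"
THIS_FIREWALL = "192.168.1.1"      # real pfSense "This Firewall (self)" covers all its addresses
ADMIN_HOST = "192.168.1.10"
OTHER_HOST = "192.168.1.50"
ADMIN_PORTS = {22, 80, 443}        # SSH, HTTP redirect, HTTPS web GUI (assumed)


@dataclass
class Rule:
    action: str            # "pass" or "reject"
    src: str               # source CIDR
    dst: str               # destination CIDR or "any"
    ports: Optional[set]   # None means any destination port
    label: str

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.ports is None or dport in self.ports


def evaluate(rules, src_ip: str, dst_ip: str, dport: int):
    """pfSense interface rules are first-match: the first matching rule wins.
    If nothing matches, the implicit default deny applies."""
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action, r.label
    return "block", "default deny"


ANTI_LOCKOUT = Rule("pass", LAN_NET, THIS_FIREWALL + "/32", ADMIN_PORTS, "anti-lockout")
ADMIN_PASS = Rule("pass", ADMIN_HOST + "/32", THIS_FIREWALL + "/32", ADMIN_PORTS, "admin host to GUI")
LAN_REJECT_GUI = Rule("reject", LAN_NET, THIS_FIREWALL + "/32", ADMIN_PORTS, "LAN net to This Firewall admin ports")
DEFAULT_LAN = Rule("pass", LAN_NET, "any", None, "Default allow LAN to any")


def ruleset_with_anti_lockout():
    # Anti-lockout sits above user rules, so every LAN host matches it first.
    return [ANTI_LOCKOUT, ADMIN_PASS, DEFAULT_LAN]


def ruleset_pass_only():
    # Anti-lockout disabled, but the default allow still lets other hosts in.
    return [ADMIN_PASS, DEFAULT_LAN]


def ruleset_pass_then_reject():
    # The fix from the thread: pass the admin host, then reject LAN net to the firewall.
    return [ADMIN_PASS, LAN_REJECT_GUI, DEFAULT_LAN]


def ruleset_reject_before_pass():
    # The lockout mistake: the reject matches the admin host before its pass rule.
    return [LAN_REJECT_GUI, ADMIN_PASS, DEFAULT_LAN]


def who_reaches_gui(rules):
    """Action taken for the admin host and another LAN host connecting to the GUI on 443."""
    return {h: evaluate(rules, h, THIS_FIREWALL, 443)[0] for h in (ADMIN_HOST, OTHER_HOST)}


if __name__ == "__main__":
    for name, rs in (("anti-lockout on", ruleset_with_anti_lockout()),
                     ("pass only", ruleset_pass_only()),
                     ("pass then reject", ruleset_pass_then_reject()),
                     ("reject before pass", ruleset_reject_before_pass())):
        print(f"{name:20s} {who_reaches_gui(rs)}")
    # The reject is scoped to the firewall itself, so ordinary traffic still passes.
    print(evaluate(ruleset_pass_then_reject(), OTHER_HOST, "203.0.113.5", 443))
```

The "pass only" ruleset reproduces the symptom reported in the thread: with anti-lockout disabled, the other host simply falls through to the default "allow LAN to any" rule and still reaches the GUI, which is why the reject has to sit between the admin pass rule and the default allow. On the firewall itself, `pfctl -sr` from the shell lists the ruleset pf actually loaded, which is the quickest way to confirm the anti-lockout rule is gone and the reject sits where you expect.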
                      • akishore

                        Thanks a lot! I got that to work finally. Is there a way to set it up so that only I can access the web GUI if I have a custom certificate installed on my system?

                        • Derelict (LAYER 8, Netgate)

                          No.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.