Netgate Discussion Forum
    Can someone check my firewall rule?

    General pfSense Questions
    12 Posts 2 Posters 1.4k Views

    akishore

      Hi all,

      I'm a beginner with pfSense and I'm trying to harden the admin access to the firewall by setting it to use HTTPS and by changing the TCP port to something other than 443.

      I've done these two things, but I also wanted to restrict access to the device to only one management computer. Since I'm using DHCP on pfSense, I went ahead and created a static mapping for my management computer first and then created an IP alias and Port alias under Firewall. I created one rule, which is currently below the anti-lockout rule. I haven't disabled anti-lockout yet until I have someone check my rule to make sure I won't lock myself out!

      Any help would be greatly appreciated. I have attached screenshots.

      Thanks in advance,

      AK
      ![ip alias.jpg](/public/imported_attachments/1/ip alias.jpg)
      ![port alias.jpg](/public/imported_attachments/1/port alias.jpg)
      ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)

      Derelict (Netgate)

        Are you really concerned about those inside your network accessing the web gui? If so, I would put those people on a separate internal interface and block access to the webgui for them entirely.

        Connections from the outside - the internet - are blocked unless you specifically enable them.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        akishore

          At some point, I would like to use VLANs or use a separate interface, but that will take more time and I'm learning slowly. Unfortunately, I do have a couple of tech-savvy internal users that I have to worry about. I wanted to start off with some basic stuff before getting into more secure solutions. Thanks!

          Derelict (Netgate)

            Use a good password and be sure to be using SSL every time. Trust the certificate so they can't MITM you. That's about all you can do if you don't trust the people inside and can't isolate management to a management VLAN.

            akishore

              What do you mean by trust the certificate? I normally get a certificate error when connecting to the device over HTTPS. I'm guessing you mean that, but should I use a different certificate? Create my own?

              Also, for my own knowledge, can you tell me whether that firewall rule will work? I'd like to know just to know.

              Thanks

              Derelict (Netgate)

                Turn off the Anti-Lockout rule in System > Advanced. That rule allows access from all LAN hosts and is first so it will match allowing all access.

                akishore

                  Right, I will turn off the anti-lockout rule, but I wanted to make sure the current firewall rule I have is correct so that I don't block myself. So I'm guessing the firewall rule I added is OK?

                  Derelict (Netgate)

                    Looks fine.

                    akishore

                      Thanks. I disabled anti-lockout, but I'm still able to access the web config from any computer on the network! The rules are the only ones that I have in the attached screenshots minus the anti-lockout rule. Do I have to restart the device or something?

                      Derelict (Netgate)

                        Sorry, not looking at it closely enough. After that pass rule you need to reject from source LAN net to "this firewall" on admin ports.


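                        The following is an added example, not code from the thread or from pfSense itself. It simulates first-match evaluation of the LAN rule sets discussed above (pfSense evaluates interface rules top to bottom and stops at the first match, with an implicit block if nothing matches) to show why the lone pass rule did not restrict GUI access, why the reject rule must sit after the management-host pass rule, and why putting the reject first locks the management host out. The LAN network 192.168.1.0/24, the firewall LAN address 192.168.1.1, the management host 192.168.1.10, the second LAN host 192.168.1.50 and the admin ports {8443, 22} are all assumed values, not taken from the poster's screenshots.

```python
"""Added example (not from the thread): first-match simulation of pfSense LAN rules.

Assumed values, not from the original post: LAN 192.168.1.0/24, firewall LAN
address 192.168.1.1 ("This Firewall"), management host alias 192.168.1.10,
admin port alias {8443, 22}. Rules are evaluated top to bottom, first match wins,
and anything no rule passes is blocked by the implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")            # "LAN net" in the rule editor
THIS_FIREWALL = {ip_address("192.168.1.1")}       # "This Firewall" destination
MGMT_HOST = {ip_address("192.168.1.10")}          # the IP alias for the mgmt PC
ADMIN_PORTS = {8443, 22}                          # the port alias (GUI + SSH)
ANY = None                                        # wildcard for src/dst/port


@dataclass
class Rule:
    name: str
    action: str      # "pass" or "reject"
    src: object      # set of addresses, ip_network, or ANY
    dst: object
    dports: object   # set of TCP ports or ANY


def _match_addr(spec, addr):
    """True if addr is covered by spec (a set, an ip_network, or ANY)."""
    return spec is ANY or addr in spec


def evaluate(rules, src, dst, dport):
    """Return (action, rule name) of the first rule matching the packet."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (_match_addr(r.src, s) and _match_addr(r.dst, d)
                and (r.dports is ANY or dport in r.dports)):
            return r.action, r.name
    return "block", "default deny"


# The rules as pfSense would order them on the LAN tab.
ANTI_LOCKOUT = Rule("anti-lockout", "pass", ANY, THIS_FIREWALL, ADMIN_PORTS)
MGMT_PASS = Rule("pass mgmt host to admin ports", "pass", MGMT_HOST, THIS_FIREWALL, ADMIN_PORTS)
REJECT_ADMIN = Rule("reject LAN net to This Firewall admin ports", "reject",
                    LAN_NET, THIS_FIREWALL, ADMIN_PORTS)
DEFAULT_LAN = Rule("default allow LAN to any", "pass", LAN_NET, ANY, ANY)

# Rule sets at each stage of the thread.
ORIGINAL = [ANTI_LOCKOUT, MGMT_PASS, DEFAULT_LAN]   # anti-lockout still on
ANTI_LOCKOUT_OFF = [MGMT_PASS, DEFAULT_LAN]         # what the poster tried next
FIXED = [MGMT_PASS, REJECT_ADMIN, DEFAULT_LAN]      # Derelict's suggestion
WRONG_ORDER = [REJECT_ADMIN, MGMT_PASS, DEFAULT_LAN]  # reject above the pass: lockout


def who_can_reach_gui(rules, hosts=("192.168.1.10", "192.168.1.50"),
                      fw="192.168.1.1", port=8443):
    """Map each LAN host to the action applied to its connection to the GUI port."""
    return {h: evaluate(rules, h, fw, port)[0] for h in hosts}


def safe_to_disable_anti_lockout(rules, mgmt="192.168.1.10", fw="192.168.1.1", port=8443):
    """Sanity check before turning off anti-lockout: the mgmt host must still pass."""
    return evaluate([r for r in rules if r is not ANTI_LOCKOUT], mgmt, fw, port)[0] == "pass"


if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL), ("anti-lockout off", ANTI_LOCKOUT_OFF),
                      ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{label:17s} {who_can_reach_gui(rs)}  safe={safe_to_disable_anti_lockout(rs)}")
    # The reject is narrow: other LAN hosts still reach the internet and the firewall's DNS.
    print(evaluate(FIXED, "192.168.1.50", "203.0.113.5", 443))
    print(evaluate(FIXED, "192.168.1.50", "192.168.1.1", 53))
```

                        The simulation reproduces the thread: with anti-lockout on, every LAN host matches it first; with it off but only a pass rule present, every host falls through to the default allow-LAN-to-any rule; only the pass-then-reject ordering leaves the management host in and the rest out, and flipping that order rejects the management host too. Run `safe_to_disable_anti_lockout` against the intended rule set before unticking the option in System > Advanced.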
                          akishore

                          Thanks a lot! I got that to work finally. Is there a way to set it up so that only I can access the web GUI if I have a custom certificate installed on my system?

                            Derelict (Netgate)

                            No.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.