Can someone check my firewall rule?



  • Hi all,

    I'm a beginner with pfSense and I'm trying to harden the admin access to the firewall by setting it to use HTTPS and by changing the TCP port to something other than 443.

    I've done these two things, but I also wanted to restrict access to the device to only one management computer. Since I'm using DHCP on pfSense, I went ahead and created a static mapping for my management computer first and then created an IP alias and Port alias under Firewall. I created one rule, which is currently below the anti-locked rule. I haven't disabled anti-locked yet until I have someone check my rule to make sure I won't lock myself out!

    Any help would be greatly appreciated. I have attached screenshots.

    Thanks in advance,

    AK
    ![ip alias.jpg](/public/imported_attachments/1/ip alias.jpg)
    ![port alias.jpg](/public/imported_attachments/1/port alias.jpg)
    ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)


  • Netgate

    Are you really concerned about those inside your network accessing the web gui? If so, I would put those people on a separate internal interface and block access to the webgui for them entirely.

    Connections from the outside - the internet - are blocked unless you specifically enable them.



  • At some point, I would like to use VLANs or use a separate interface, but that will take more time and I'm learning slowly. Unfortunately, I do have a couple of tech-savvy internal users that I have to worry about. I wanted to start off with some basic stuff before getting into more secure solutions. Thanks!


  • Netgate

    Use a good password and be sure to be using SSL every time. Trust the certificate so they can't MITM you. That's about all you can do if you don't trust the people inside and can't isolate management to a management VLAN.



  • What do you mean by trust the certificate? I normally get a certificate error when connecting to the device over HTTPS. I'm guessing you mean that, but should I use a different certificate? Create my own?

    Also, for my own knowledge, can you tell me whether that firewall rule will work? I'd like to know just to know.

    Thanks


  • Netgate

    Turn off the Anti-Lockout rule in System > Advanced. That rule allows access from all LAN hosts and is first so it will match allowing all access.



  • Right, I will turn off the anti-lockout rule, but I wanted to make sure the current firewall rule I have is correct so that I don't block myself. So I'm guessing the firewall I added is OK?


  • Netgate

    Looks fine.



  • Thanks. I disabled anti-lockout, but I'm still able to access the web config from any computer on the network! The rules are the only ones that I have in the attached screenshots minus the anti-lockout rule. Do I have to restart the device or something?


  • Netgate

    Sorry. Not looking at it closely enough. After that pass rule you need to reject from source LAN net to "this firewall" on admin ports.
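    A constructed first-match simulation of the three LAN rule orderings discussed in this thread, added here as an example (it is not pfSense code and not from any poster), showing why the single pass rule was not enough once Anti-Lockout was off: the stock "LAN to any" rule still matched every other host. Addresses, the admin port alias and the rule names are assumed lab values.

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed lab addressing; the poster's real values appear only in screenshots.
    LAN_NET = ip_network("192.168.1.0/24")
    MGMT_HOST = ip_network("192.168.1.10/32")   # static DHCP mapping -> IP alias
    THIS_FW = ip_network("192.168.1.1/32")      # "This Firewall" (its LAN address)
    ANY = ip_network("0.0.0.0/0")
    ADMIN_PORTS = frozenset({8443, 22})         # custom webGUI port + SSH (port alias)
    ANY_PORT = None


    def rule(action, src, dst, ports):
        """One LAN-tab rule: action is 'pass' or 'reject'; ports=None means any port."""
        return {"action": action, "src": src, "dst": dst, "ports": ports}


    def evaluate(rules, src_ip, dst_ip, dport):
        """pfSense interface rules are first-match, top to bottom: the first rule
        whose source, destination and port all match decides the packet."""
        for r in rules:
            if (ip_address(src_ip) in r["src"] and ip_address(dst_ip) in r["dst"]
                    and (r["ports"] is None or dport in r["ports"])):
                return r["action"]
        return "reject"  # implicit default deny when no rule matches


    ANTI_LOCKOUT = rule("pass", LAN_NET, THIS_FW, ADMIN_PORTS)   # auto rule, always first
    ALLOW_MGMT = rule("pass", MGMT_HOST, THIS_FW, ADMIN_PORTS)   # the poster's rule
    DEFAULT_LAN = rule("pass", LAN_NET, ANY, ANY_PORT)           # stock "LAN to any" rule
    BLOCK_ADMIN = rule("reject", LAN_NET, THIS_FW, ADMIN_PORTS)  # the reject Netgate asked for

    # The three rule sets from the thread, in the order pfSense would evaluate them.
    ORIGINAL = [ANTI_LOCKOUT, ALLOW_MGMT, DEFAULT_LAN]   # anti-lockout matches everyone
    LOCKOUT_OFF = [ALLOW_MGMT, DEFAULT_LAN]              # "still able to access from any computer"
    FIXED = [ALLOW_MGMT, BLOCK_ADMIN, DEFAULT_LAN]       # pass mgmt host, reject the rest of LAN


    def webgui_access(rules, src_ip):
        """Outcome for a LAN host connecting to the firewall's custom webGUI port."""
        return evaluate(rules, src_ip, "192.168.1.1", 8443)


    if __name__ == "__main__":
        for name, rules in (("original", ORIGINAL), ("lockout off", LOCKOUT_OFF), ("fixed", FIXED)):
            print(f"{name:12s} mgmt={webgui_access(rules, '192.168.1.10'):6s} "
                  f"other={webgui_access(rules, '192.168.1.50')}")
    ```

    The reject must sit above the "LAN to any" rule and below the management pass rule; in the fixed set, other LAN hosts still reach the internet and non-admin firewall services such as DNS, because the reject only names the admin ports.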



  • Thanks a lot! I got that to work finally. Is there a way to set it up so that only I can access the web GUI if I have a custom certificate installed on my system?


  • Netgate

    No.