Block web gui on some interfaces

setecastronomy · Jul 11, 2017, 11:15 AM

Sorry to post a new question which seems very similar to others, but my setup is quite different and I would like to understand things correctly because I have just figured out my ideas were wrong.
My pfsense has 3 wan intefaces, a lan and 2 dmz.

In the lan firewall rules there is the anti-lockout rule, automatically added there by pfSense itself.

As stated here https://forum.pfsense.org/index.php?topic=109963.0 out of the box the web gui is not available via the wan. My tests confirm this behavior. Otherwise I was very surprised I can access the web gui from my dmz networks using the ip of the corresponding interface. I can easily add firewall rules to block but I thought it was not necessary. As far as I knew the management interface was accessible only from LAN, and I thought LAN was the only interface with that name. I suspect that for pfSense any interface which is not WAN is a LAN, so DMZ_ 1 and DMZ_2 don't block implicitly unsolicited traffic. Can you confirm on this point ?
Checking the interface configuration I cannot see any flag to specify if it is internal or external, so it is unclear to me how pfSense treats it as a WAN or LAN. Which configuration fields tell pfSense to treat that interface as a WAN, blocking all unsolicited traffic ?

I attached the configuration page of one of my dmz interface for clarity.

Thanks
Filippo

jimp · Jul 11, 2017, 1:05 PM

The way rules work in pfSense, every interface has an implicit deny at the bottom.

If you add a rule to an interface to pass to a destination of 'any', that also includes the firewall itself, unless you have rules above that to block.

So what you probably want on your DMZ is something like this:

pass TCP/UDP from DMZ Net to "This Firewall (self)" port 53 – Allow DMZ Hosts to contact the firewall for DNS
pass ICMP echo req DMZ Net to "This Firewall (self)" -- Allow DMZ Hosts to ping the firewall
reject any from DMZ Net to "This Firewall (self)" -- Do not let the DMZ Hosts reach anything else on this firewall
reject any from DMZ Net to RFC1918 (an alias containing 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8) -- Prevent DMZ from contacting other private networks
pass any from DMZ Net to any -- Allow DMZ Hosts to reach the Internet

Of course your exact needs may vary there, but you have to specifically tell it what you do and do not want it to do.

johnpoz · Jul 11, 2017, 1:06 PM

What is blocked on a lan side interfaces would be determined by what rules you put on that interface. Out of the box "lan" would be any any and normally also have an antilockout rule that allows access to the web gui and ssh (if enabled). Other interfaces you bring up OPTX (dmz, etc.) would have zero rules and all traffic would be denied like wan out of the box. If you create a rule that allows access to your web gui, then it would be allowed. Yes the webgui listens on all IPs out of the box, even wan - its just blocked out of the box on the wan from the wan side because there are no rules on wan and all unsolicited is blocked by default deny rule.

You need to create rules on your interfaces to allow/block the traffic you want to allow/block. Keep in mind that if you setup your rules to block access to just the dmz IP web gui port, that depending on your other rules it could be possible for the dmz clients to access the lan IP or even the wan IP web gui port from the dmz.

jimp · Jul 11, 2017, 1:08 PM

@setecastronomy:

In the lan firewall rules there is the anti-lockout rule, automatically added there by pfSense itself.

One more note: The anti-lockout rule makes sure you CANNOT block access to the GUI on LAN if you accidentally make the LAN rules too strict. It doesn't grant any other special privileges or act on any other interface.

setecastronomy · Jul 12, 2017, 8:52 AM

Things were a bit more complicated. In reality in DMZ_1 no rule gives access to DMZ_1 interface, so I was very confused.
Then I realized that the web browser of the workstation in DMZ_1 has a proxy which resides in DMZ_2.
Due to a misconfiguration the proxy in DMZ_2 can access all DMZ_1, including DMZ_1 interface.
So the unwanted traffic was DMZ_1 (web browser)-> DMZ_2 (Proxy) -> DMZ_1 interface (PfSense)

@johnpoz:

Yes the webgui listens on all IPs out of the box, even wan

I was completely unaware of this fact. I thought the webgui listens only on lan interface.

@johnpoz:

it could be possible for the dmz clients to access the lan IP or even the wan IP web gui port from the dmz.

I have to rework my configuration to avoid this danger.