Netgate Discussion Forum

Block web gui on some interfaces

Category: Firewalling
5 Posts, 3 Posters, 7.6k Views
  • setecastronomy
    last edited by Jul 11, 2017, 11:15 AM

    Sorry to post a new question which seems very similar to others, but my setup is quite different and I would like to understand things correctly because I have just figured out my ideas were wrong.
    My pfSense has 3 WAN interfaces, a LAN and 2 DMZs.

    In the LAN firewall rules there is the anti-lockout rule, automatically added there by pfSense itself.

    As stated here https://forum.pfsense.org/index.php?topic=109963.0 out of the box the web GUI is not available via the WAN. My tests confirm this behavior. However, I was very surprised I can access the web GUI from my DMZ networks using the IP of the corresponding interface. I can easily add firewall rules to block it, but I thought it was not necessary. As far as I knew the management interface was accessible only from LAN, and I thought LAN was the only interface with that name. I suspect that for pfSense any interface which is not WAN is a LAN, so DMZ_1 and DMZ_2 don't implicitly block unsolicited traffic. Can you confirm this point?
    Checking the interface configuration I cannot see any flag to specify if it is internal or external, so it is unclear to me how pfSense treats it as a WAN or LAN. Which configuration fields tell pfSense to treat that interface as a WAN, blocking all unsolicited traffic?

    I attached the configuration page of one of my DMZ interfaces for clarity.

    Thanks
    Filippo

    [attachment: InterfaceConfig.jpg]

    • jimp (Rebel Alliance Developer, Netgate)
      last edited by Jul 11, 2017, 1:05 PM

      The way rules work in pfSense, every interface has an implicit deny at the bottom.

      If you add a rule to an interface to pass to a destination of 'any', that also includes the firewall itself, unless you have rules above that to block.

      So what you probably want on your DMZ is something like this:

      • pass TCP/UDP from DMZ Net to "This Firewall (self)" port 53 -- Allow DMZ Hosts to contact the firewall for DNS
      • pass ICMP echo req from DMZ Net to "This Firewall (self)" -- Allow DMZ Hosts to ping the firewall
      • reject any from DMZ Net to "This Firewall (self)" -- Do not let the DMZ Hosts reach anything else on this firewall
      • reject any from DMZ Net to RFC1918 (an alias containing 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8) -- Prevent DMZ from contacting other private networks
      • pass any from DMZ Net to any -- Allow DMZ Hosts to reach the Internet

      Of course your exact needs may vary there, but you have to specifically tell it what you do and do not want it to do.

      • johnpoz (LAYER 8 Global Moderator)
        last edited by Jul 11, 2017, 1:06 PM

        What is blocked on a LAN-side interface would be determined by what rules you put on that interface. Out of the box "LAN" would be any/any and normally also have an anti-lockout rule that allows access to the web GUI and SSH (if enabled). Other interfaces you bring up (OPTX: DMZ, etc.) would have zero rules and all traffic would be denied, like WAN out of the box. If you create a rule that allows access to your web GUI, then it would be allowed. Yes, the webGUI listens on all IPs out of the box, even WAN; it's just blocked out of the box on the WAN from the WAN side because there are no rules on WAN and all unsolicited traffic is blocked by the default deny rule.

        You need to create rules on your interfaces to allow/block the traffic you want to allow/block. Keep in mind that if you set up your rules to block access to just the DMZ IP web GUI port, then depending on your other rules it could be possible for the DMZ clients to access the LAN IP or even the WAN IP web GUI port from the DMZ.

        • jimp (Rebel Alliance Developer, Netgate)
          last edited by Jul 11, 2017, 1:08 PM

          @setecastronomy:
          > In the LAN firewall rules there is the anti-lockout rule, automatically added there by pfSense itself.

          One more note: The anti-lockout rule makes sure you CANNOT block access to the GUI on LAN if you accidentally make the LAN rules too strict. It doesn't grant any other special privileges or act on any other interface.

          • setecastronomy
            last edited by Jul 12, 2017, 8:52 AM

            Things were a bit more complicated. In reality, in DMZ_1 no rule gives access to the DMZ_1 interface, so I was very confused.
            Then I realized that the web browser of the workstation in DMZ_1 has a proxy which resides in DMZ_2.
            Due to a misconfiguration the proxy in DMZ_2 can access all of DMZ_1, including the DMZ_1 interface.
            So the unwanted traffic was DMZ_1 (web browser) -> DMZ_2 (proxy) -> DMZ_1 interface (pfSense).

            @johnpoz:
            > Yes, the webGUI listens on all IPs out of the box, even WAN

            I was completely unaware of this fact. I thought the webGUI listened only on the LAN interface.

            @johnpoz:
            > it could be possible for the DMZ clients to access the LAN IP or even the WAN IP web GUI port from the DMZ.

            I have to rework my configuration to avoid this danger.

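The three points made in this thread (jimp's per-interface ruleset with its implicit deny, johnpoz's warning that blocking only the DMZ interface IP still leaves the LAN and WAN GUI addresses reachable, and the OP's DMZ_1 -> DMZ_2 proxy -> DMZ_1 interface path) can all be checked with a toy first-match rule evaluator. This is an added example, not pfSense code; the subnets, firewall addresses, host IPs, GUI port (443) and the `NAIVE`, `HARDENED` and `PROXY_LEAK` rulesets are constructed for the demo. Only the matching model (rules evaluated on the ingress interface, first match wins, default deny at the bottom, "self" expanding to every interface address) follows what the posts describe.

```python
"""Toy model of pfSense-style per-interface, first-match rule evaluation.

Added example, not pfSense code. Topology constructed for the demo:
    WAN   203.0.113.1/24     LAN   192.168.1.1/24
    DMZ_1 10.10.1.1/24       DMZ_2 10.10.2.1/24
"""
from ipaddress import ip_address, ip_network

# Each interface's subnet, and the firewall's own address on each interface.
IFACES = {
    "WAN":   ip_network("203.0.113.0/24"),
    "LAN":   ip_network("192.168.1.0/24"),
    "DMZ_1": ip_network("10.10.1.0/24"),
    "DMZ_2": ip_network("10.10.2.0/24"),
}
SELF = {ip_address(a) for a in ("203.0.113.1", "192.168.1.1", "10.10.1.1", "10.10.2.1")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUI_PORT = 443  # assumed HTTPS webGUI port


def ingress_iface(src):
    """Rules are applied on the interface a packet arrives on."""
    for name, net in IFACES.items():
        if src in net:
            return name
    return "WAN"  # anything outside the local subnets arrives via WAN


def in_spec(ip, spec):
    """Expand a rule's source/destination alias, as pfSense aliases would."""
    if spec == "any":
        return True
    if spec == "self":          # "This Firewall (self)": every interface address
        return ip in SELF
    if spec == "RFC1918":
        return any(ip in n for n in RFC1918)
    if spec.endswith(" net"):   # "<IFACE> net": that interface's subnet
        return ip in IFACES[spec[:-4]]
    return ip in ip_network(spec)  # literal address or CIDR


def matches(rule, pkt):
    _action, proto, src, dst, port = rule
    if proto != "any" and pkt["proto"] not in proto.split("/"):
        return False
    if port is not None and pkt.get("port") != port:
        return False
    return in_spec(pkt["src"], src) and in_spec(pkt["dst"], dst)


def evaluate(rulesets, pkt):
    """First matching rule wins; every interface ends in an implicit deny."""
    for rule in rulesets.get(ingress_iface(pkt["src"]), []):
        if matches(rule, pkt):
            return rule[0]
    return "block"


def probe(rulesets, proto, src, dst, port=None):
    """Convenience wrapper: returns the action taken for one packet."""
    pkt = {"proto": proto, "src": ip_address(src), "dst": ip_address(dst), "port": port}
    return evaluate(rulesets, pkt)


def gui_reachable(rulesets, src, dst):
    return probe(rulesets, "tcp", src, dst, GUI_PORT) == "pass"


# Rule tuples: (action, proto, source alias, destination alias, dst port or None).
# What the thread warns against: blocking only the DMZ_1 interface address.
NAIVE = {
    "DMZ_1": [
        ("block", "tcp", "DMZ_1 net", "10.10.1.1/32", GUI_PORT),
        ("pass",  "any", "DMZ_1 net", "any", None),
    ],
}


def hardened_rules(iface):
    """jimp's ruleset from the thread, parameterised by interface."""
    net = f"{iface} net"
    return [
        ("pass",   "tcp/udp", net, "self",    53),    # DNS to the firewall
        ("pass",   "icmp",    net, "self",    None),  # ping the firewall
        ("reject", "any",     net, "self",    None),  # nothing else on the firewall
        ("reject", "any",     net, "RFC1918", None),  # no other private networks
        ("pass",   "any",     net, "any",     None),  # Internet
    ]


HARDENED = {"DMZ_1": hardened_rules("DMZ_1"), "DMZ_2": hardened_rules("DMZ_2")}

# The OP's actual situation: DMZ_1 has no rules at all, but the DMZ_2 interface
# (where the proxy lives) is wide open, so the proxy can reach the DMZ_1 address.
PROXY_LEAK = {"DMZ_1": [], "DMZ_2": [("pass", "any", "DMZ_2 net", "any", None)]}

if __name__ == "__main__":
    print("naive, DMZ_1 host -> LAN GUI  :", gui_reachable(NAIVE, "10.10.1.50", "192.168.1.1"))
    print("hardened, DMZ_1 host -> LAN GUI:", gui_reachable(HARDENED, "10.10.1.50", "192.168.1.1"))
    print("leak, DMZ_2 proxy -> DMZ_1 GUI :", gui_reachable(PROXY_LEAK, "10.10.2.10", "10.10.1.1"))
```

Note the order in `hardened_rules`: the `reject ... self` line must sit above the RFC1918 reject and the final `pass any`, because the first match wins and `pass any` would otherwise include the firewall's own addresses on every interface, exactly the case jimp describes.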
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.