Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Add a header to webConfigurator server

    Scheduled Pinned Locked Moved webGUI
    19 Posts 4 Posters 3.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rock99x
      last edited by

      I'm getting failures from Qualys security scans of my pfSense boxes for missing this header in the connection to the webConfigurator

      HTTP Security Header Not Detected

      X-XSS-Protection HTTP Header missing on port 443.

      They want this in the output of the server connection.

      X-XSS-Protection "1; mode=block"

      I made the change to the /etc/inc/system.inc file so it was included.

      Is there a way to make this change permanent or will that be something pfSense will have to include in their updates?

      Thanks,
      Chuck

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        Hi,

        You got it backwards.
        The GUI should be visible from LAN only - as it has been setup when you installed. Not from WAN. The GUI should never never be exposed on WAN, it isn't build for that.
        If you need to access the GUI from the WAN side, use the VPN facilities build into pfSense.

        https://www.ssllabs.com/ssltest/ is a tool to test public web sites. The GUI is everything but a public web site.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          While I agree completely the web gui should not be exposed to the public, and really should be limited to admin access from a secure network anyway.

          Why would you not follow current practice for specific headers.

          There are many headers that are recommend to be set.. Along with the X-XSS-Protection I don't see either

          Content-Security-Policy
          Referrer-Policy

          set as well.

          I am not too worried about it since you can only access my gui from my secure network anyway.. From my trusted machine - but again why not set recommended security headers?

          You can view the headers easy with simple curl to your pfsense gui from your secure lan side - no reason to expose it to the public for some test site to hit.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            @johnpoz:

            Content-Security-Policy

            There's a ticket open for this one: https://redmine.pfsense.org/issues/6647

            Not sure about the others. Probably due for a review in general, when that ticket gets addressed. Might drop a comment on there with the others.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              Thanks Jimp Will take a look and add comment as appropriate

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • R
                rock99x
                last edited by

                In a perfect circumstance, we would limit the admin panel to only known addresses.

                This may still be an option, but either way, we are being required by one of our customers to scan our firewall IP externally through Qualys with a PCI compliance scan.

                We're failing the Qualys PCI scan and this problem is one on my to-do list to figure out.

                Blocking the IP of the firewall from these scans is not an option to keep the customer.

                I just need to address this failure with a response and try to come up with a fix that will satisfy Qualys and the customer. We're working on it is fine for now. I will probably come up with some kind of cron job or file change detection to edit the system.inc file when it changes to keep the scan compliant.

                This will still leave a window of opportunity for the scan to find the problem.

                On another note… just my opinion, it's a firewall. If it isn't designed to be directly connected to the Internet, then it probably shouldn't be called a firewall.

                Thanks,
                Chuck

                1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan
                  last edited by

                  @rock99x:

                  ….
                  But, ok, I'm curious now. I'll open up tomorrow my WAN on port 443 for GUI access, and test the access with ssllabs.com.
                  I'm not an nginx expert, but I guess I can come up with a small edit that will make the GUI comply.

                  Done.

                  It took me some time to setup my DNS, so pfsense.brit-hotel-fml.n*t point to my WAN IP.
                  Opened WAN GUI access and launched the test : (see image).

                  My conclusion : The nginx web server used by pfSense is ok - nothing to add or remove.
                  An A+ out of the box.

                  PS : I'll throw in a CAA record for even more green ;)

                  pfsense-1.PNG
                  pfsense-1.PNG_thumb
                  pfsense-2.PNG
                  pfsense-2.PNG_thumb

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    "Blocking the IP of the firewall from these scans is not an option to keep the customer."

                    Huh??  Your customer seems like they don't understand what is going on here.  While I agree putting in special rule that blocked the scanning IP would be wrong and reason to fail pci compliance.  But where in the pci compliance documentation does its say that you have to OPEN up a port to the outside to scan it when that service is never meant to be open to the internet… That is just stupid...

                    That is like complaining that your pin on your door to bathroom in the building is only 4 digits when the only way to get access to the bathroom is to get into the building first where you have a key to the outside door, which you also have to have a 12 digit pin and also pass a bio security check, and get past the security ninja that guards the door. Because some doc says pins on doors have to be a min 6 digits.. Think for 2 seconds..

                    They are complaining about a header that will never ever be open to the public internet anyway..

                    Open up the ports you need to forward through pfsense and let them scan.. They should not be scanning pfsense web gui on the public interface for pci compliance..  It makes ZERO sense!!!

                    Yes you need to do a pentest against your firewalls public IP.. But specifically opening up the gui just so you can scan it is not what a pentest is at all..  Did you have the gui open to the public for some reason when they did your first scan?  If so the solution to the problem is that that port has since been closed - the web gui to the firewall is no longer available to the public internet... See here is the scan to prove it, their is no specific firewall rule blocking anyone from scanning anything..

                    While There is a redmine about what headers could be set, etc.  And I agree some should be set just out of best practices - but doing so has little to do with a pentest or pci compliance scan.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • R
                      rock99x
                      last edited by

                      I totally agree, it makes no sense to me either. If the IP is not open for traffic inbound, then it's secure right?

                      Sounds like it should pass the test to me too.

                      Unfortunately, I was told this isn't the case with the scan we are required to get.

                      I'm even having an issue with an IP that is not assigned to a firewall, but is in fact a NAT IP address on a Cisco router. There is no way to make that IP ping. That is not how NAT works on those devices. So they are requiring me to port forward to a reachable host on that IP.

                      To me that sounds like to opposite of securing the IP, doesn't it?

                      If I have to guess, it looks like it comes from the "scanning procedures" section in the PCI requirements doc.
                      https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

                      "The ASV must scan all filtering devices such as firewalls or external
                      routers (if used to filter traffic). If a firewall or router is used to establish a
                      demilitarized zone (DMZ), these devices must be scanned for
                      vulnerabilities"

                      So technically, if the IP isn't available to scan, it fails the scan… ?

                      I don't know, I'm just trying to get the PCI scan to pass for the boss.

                      Thank you for all the help guys.

                      Chuck

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Sounds like someone who doesn't know how to run a scanner. Some default to skipping an address if ping fails. OpenVAS would do that, but it's a simple flag to switch in the scan config.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          ^ Yup I bet that is the case for sure - what should never open anything special for a scan… Just because an IP doesn't answer ping, doesn't mean that 443 is not open, etc.  But yeah out of the box typical nmap scan even unless you tell it NOT too will ping first before running the rest of the scan, etc.

                          Which is funny is then prob be hit for answering ping ;)  If you open that up to allow for icmp echo.

                          Are you kicking off the scan.. Or is the customer or 3rd party running the qualys scan?

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • GertjanG
                            Gertjan
                            last edited by

                            Oops, instead of replying I edited an old message.
                            Anyway, the results are here : https://forum.pfsense.org/index.php?topic=144026.msg784950#msg784950 (surprise !!)

                            edit : I'll leave my WAN IP open for some a couple of hours. So everybody can "test".

                            Also : pretty nice result actually for a connected-device GUI. What was the question again, because now I think I didn't understood the question.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              That is great but that is not a PCI compliance scan - that is just a ssl scan..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan
                                last edited by

                                .. as I just figured out.
                                And these scans are not for free of course.

                                Any company that accepts, processes, or stores credit card information needs to comply with the requirements set by the Payment Card Industry Security Standards Council. Merchants passing a free PCI Scan will receive the official certification they need to submit to their acquiring bank.

                                What has the pfSense WEB GUI to do with money transactions ?

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  "What has the pfSense WEB GUI to do with money transactions ?"

                                  Nothing ;)  But the PCI scan looks for specific things at the target IP. Pfsense web gui would never come into play - but their might be some web server that is part of the transaction, etc.  Say something you port forwarded on pfsense to something behind it.

                                  Since the OP opened up the webgui to the scan, the it would have to meet those requirements.  Our point has been that pfsense as you correctly stated the web gui should not be under scan since it should/would never be available in path of compliance..

                                  My take away from this whole mess is there are some best practice headers that can be added, even when the web gui is never open to the internet or would need to pass a pci scan.  It is a good thing to use best practices from security standpoints for headers, etc.  I am sure they will get to it - but pretty sure there are more pressing matters to be sure since as I think we all agree the pfsense web gui should never be opened up to the public internet for any reason.  Let a lone pci.

                                  Its great to see that its getting an A+ from a ssl point of view.

                                  nice to see pfsense.org getting an A+ as well - but they should prob add the CAA entry in dns as well.  Which is currently missing ;)

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • GertjanG
                                    Gertjan
                                    last edited by

                                    And what about getting the GUI out of the way - moving it from 443 to another port xyz.
                                    This is still a GUI "all open in the wild" but PCI scans would see this port anymore.
                                    Or is PCI some sort of nmap scan ?

                                    Anyway, I still don't understand why a web interface to control a device should be visible to the Internet - and should be related to money transactions, and thus should comply with these scans. Even if I do not have any answers, I still like to understand the question.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      "I still don't understand why a web interface to control a device should be visible to the Internet"

                                      It shouldn't be… The OP for whatever reason opened up to the scan.  Now its listed on the report and he was looking to get it to pass the scan.  It should of never been in play at all..

                                      To me the correct answer to the hit on the scan would be that web gui is no longer available to the public internet, etc.  Done work on any other issues seen on the pci scan to pass.  I think where the OP might be having a problem is the customer has seen the results of these scans and wants it to pass - even though it should of never been scanned as part of the process in the first place.  So I do not see why the correct answer to the customer is see that is no longer available to the public net - so no longer a hit on the scan.

                                      Sure changing the port might pass the scan - might not, I have not had to look into the details of what is scanned in many many years.  It might hit every port.. But doesn't matter if it does or not since the web gui should not be available to the public net on any port.. And if they just changed the port but left it open then to be compliant it would have to pass the scan, etc.

                                      This is just my guess - but I am guess that they set the wan rule to any any for the scan.. Which is NOT what the point of a pci or pentest scan..  The scan should be checking for the services that are available on that IP.. The web gui should not ever be available on that IP..

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        rock99x
                                        last edited by

                                        The pfsense IP is considered in scope of the PCI scan since it is the path the transaction information takes to reach the processor.

                                        Basically the network path of the card reader to the clearing house for the transaction is all in-scope for the PCI scan.

                                        As I understand it…

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          Yes the IP is in scope - but the firewall gui which should never be available on that IP should not be… You turn on pfsense out of the box there is NOTHING open on the wan, ZERO services available - shoot it does not even answer a ping.

                                          Any traffic you allow inbound would be involved in the scan,not services that would never be available on that public IP..

                                          You creating a firewall that allows access to the gui from the wan is what would put it in scope - why would you do that... There is ZERO anything pci compliance that would suggest you would open up a devices admin gui to the public internet..

                                          A pentest against this IP would be in scope... They can pentest all day - but you opening up the web gui to the public should of never happened.  If they can access the webgui via a pentest when you have not allowed it then that would be in scope - and would be a whole shitcan of worms.. But you creating a specific firewall rule that allows access to the gui or any any to the wan IP is just not correct way to do this sort of scan or any sort of pentest or compliance test at all.

                                          Like saying hey we want to test the lock of your door.. Unlock it please - oh yeah that lock doesn't do shit, it opened right up...

                                          A pentest or compliance test is against service that would be open or finding stuff that is open and should not be.

                                          auditor: Hey you have ntp open on port 123
                                          user:  Yeah we need that
                                          auditor: Ok it must meet xyz if your going to have it open.
                                          user: Ok we will do xyz
                                          auditor:  Ok scanning, yup its version X, it doesn't allow that or this - your good
                                          user: thanks.

                                          auditor: Hey you have ntp open on port 123
                                          user: Oh shit really -  we don't need that.  Closed
                                          audiotr: Ok let me check - yup no ntp anymore your good.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.