Can I make VLAN interfaces not to listen to SSH and HTTPS
-
Hi all, maybe my question is stupid, but I'll make it because I feel stuck. I have a pfsense with several internal VLANs. Each of these VLANs has of course a VLAN interface. One of these VLANs is the IT VLAN, which has access to everywhere (in the fw rules I have an allow IT VLAN to any for this VLAN).
From my computer which belongs to IT VLAN, if I try to access the IP address of all of the VLAN interfaces, I see that I can access all of them. But I only want to be able to access my fw from a specific VLAN interface (VLAN 100 - with IP address 10.55.100.1). Do I do this by setting deny rules for these VLAN interfaces, or is there any option to make VLAN interfaces stop listening to HTTPS and SSH?
Thanks in advance!
-
Disable the webConfigurator anti-lockout rule.
Set deny rules on the VLAN interfaces to the firewall IP with destination port HTTPS / SSH.
Be careful not to shut yourself out completely.
-
While you can't yet change which interfaces the GUI and SSH listen on, you could set up some floating rules to make this easier, something like:
- Pass quick TCP from <your management subnets> to This firewall (self) ports <alias with 443, 22, etc>
- Reject quick TCP from any to This firewall (self) ports <alias with 443, 22, etc>
The "This firewall (self)" target expands internally in pf to any address on the firewall.
- Pass quick TCP from
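To make the floating-rule approach from the reply above concrete, here is an added example (not code from the thread or from pfSense) that models pf's in-order, first-match-on-quick evaluation for the two rules, with "This firewall (self)" expanded to every interface address. 10.55.100.1 comes from the question; the other interface addresses, the /24 management subnet and the host addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "This firewall (self)" expands to every address the firewall holds, not just
# the address of the interface a packet arrived on. 10.55.100.1 is from the
# question; the other two are constructed sample VLAN interface addresses.
SELF_ADDRS = {"10.55.100.1", "10.55.10.1", "10.55.20.1"}
MGMT_SUBNETS = [ipaddress.ip_network("10.55.100.0/24")]  # assumed management subnet (VLAN 100)
MGMT_PORTS = {22, 443}                                    # the <alias with 443, 22, etc>


@dataclass
class Rule:
    action: str                 # "pass" or "reject"
    src: Optional[list]         # list of ip_network, None means "any"
    quick: bool = True


def rule_matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    """Both rules target TCP to 'self' on the alias ports; only the source differs."""
    if dst not in SELF_ADDRS or dport not in MGMT_PORTS:
        return False
    return rule.src is None or any(ipaddress.ip_address(src) in n for n in rule.src)


FLOATING = [
    Rule("pass", MGMT_SUBNETS),  # Pass quick TCP from <mgmt subnets> to This firewall (self) ports <alias>
    Rule("reject", None),        # Reject quick TCP from any to This firewall (self) ports <alias>
]


def evaluate(src: str, dst: str, dport: int, rules=FLOATING) -> str:
    """pf walks rules in order; the last match wins unless a matching rule is
    'quick', which ends evaluation immediately. Returns 'pass', 'reject', or
    'unmatched' (the packet falls through to the per-interface rules)."""
    verdict = "unmatched"
    for r in rules:
        if rule_matches(r, src, dst, dport):
            verdict = r.action
            if r.quick:
                break
    return verdict


def lockout_check(admin_host: str, mgmt_addr: str = "10.55.100.1", rules=FLOATING) -> bool:
    """Before saving the rules (and disabling anti-lockout), confirm the admin's
    own host can still reach the GUI and SSH on the management address."""
    return all(evaluate(admin_host, mgmt_addr, p, rules) == "pass" for p in MGMT_PORTS)
```

Swapping the two rules puts the reject first, so the pass rule is never reached; `lockout_check` against the reordered list returns False, which is exactly the situation the earlier reply warns about.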