• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Block Access To Admin Gui Question.

Scheduled Pinned Locked Moved Firewalling
6 Posts 2 Posters 995 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    tr997
    last edited by tr997 Feb 22, 2021, 4:58 PM Feb 22, 2021, 4:52 PM

    Hi,

    I want to restrict access to the Admin GUI from the UNTRUSTED network. The way I have it per below seems to be working fine but then I saw the PFSense docuemnt link below and not sure if I should change it to that way. Basically my way just drops all traffic from UNTRUSTED net to the Firewall.

    Is the way I have it robust and OK from a security perspective of should I go with the methods outlined in the document below? Thank you!

    My setup has WAN, LAN and UNTRUSTED networks:
    LAN = 192.168.29.1
    UNTRUSTED = 192.168.30.1

    Current Setup:
    I setup a BLOCK rule on the UNTRUSTED network:
    Action = Block
    Interface = UNTRUSTED
    Addres Family = IPV4
    Protocol = Any
    Source = UNTRUSTED net
    Destination = This firewall (self)

    PFSense Document:
    https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html
    https://pfsense-docs.readthedocs.io/en/latest/firewall/restrict-access-to-management-interface.html

    H 1 Reply Last reply Feb 22, 2021, 5:00 PM Reply Quote 0
    • H
      hieroglyph
      last edited by hieroglyph Feb 22, 2021, 4:57 PM Feb 22, 2021, 4:55 PM

      @tr997 said in Block Access To Admin Gui Question.:

      https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

      Depends on what you are trying to do. The way you have it will block any device on the UNTRUSTED network from accessing anything on the firewall. That means if the pfsense is telling devices on the UNTRUSTED network it is their DNS server they will not be able to resolve IPs, or ping pfsense for debugging, or send any other traffic directly to pfsense.

      T 1 Reply Last reply Feb 22, 2021, 5:00 PM Reply Quote 0
      • T
        tr997 @hieroglyph
        last edited by Feb 22, 2021, 5:00 PM

        @hieroglyph said in Block Access To Admin Gui Question.:

        That means if the pfsense is telling devices on the UNTRUSTED network it is their DNS server they will not be able to resolve IPs, or ping pfsense for debugging, or send any other traffic directly to pfsense.

        Thanks. I thought about that just after I hit the post button! Would it be OK to add rule above this rule to allow the DNS to pass through?

        H 1 Reply Last reply Feb 22, 2021, 5:01 PM Reply Quote 0
        • H
          hieroglyph @tr997
          last edited by Feb 22, 2021, 5:00 PM

          @tr997 If your goal is to only block devices on the UNTRUSTED network from accessing the administrative features of pfsesse. They it may be better to specify a protocol of TCP and destination ports (usually ports 80 and/or 443 for the webpage and port 22 for ssh).

          1 Reply Last reply Reply Quote 1
          • H
            hieroglyph @tr997
            last edited by Feb 22, 2021, 5:01 PM

            @tr997 Yes, adding a rule above to allow DNS and whatever other services you want to allow the UNTRUSTED network to access will also work.

            T 1 Reply Last reply Feb 22, 2021, 5:07 PM Reply Quote 1
            • T
              tr997 @hieroglyph
              last edited by Feb 22, 2021, 5:07 PM

              @hieroglyph Thanks. You've answered my questions and I see what you mean about blocking the TCP admin ports.

              1 Reply Last reply Reply Quote 0
              6 out of 6
              • First post
                6/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received