Netgate Discussion Forum

    pfsense http/https management interface

    General pfSense Questions
      Ofloo

      Is there a way to make it bind to a single interface rather than bind to all? To be honest, security-wise this is not a good way to do things. From a security perspective it would be a lot better to isolate the management interface to a single management network.

      Not sure if this is at all possible, in pfsense.

      6 firewalls connected through ipsec, .. pfsense, each has about 12 interfaces. Just on a single interface this would require 12 rules just to filter the management interface, for something which can just as easily be done by binding to a single interface.

        stephenw10 Netgate Administrator

        No, it always listens on all available interfaces. Of course the code is there so you can do what you want. 😉

        You can use an interface group or a floating rule to apply a single rule to multiple interfaces.

        And all traffic is blocked by default so simply not allowing it would also block access.

        Steve

          Gertjan @Ofloo

          @ofloo

          Read http://nginx.org/en/docs/http/configuring_https_servers.html

          Go here :

          https://github.com/pfsense/pfsense/blob/de9ba32bd3531ccf74e143391deaacb77e085097/src/etc/inc/system.inc#L1364

          and

          https://github.com/pfsense/pfsense/blob/de9ba32bd3531ccf74e143391deaacb77e085097/src/etc/inc/system.inc#L1396

          and make the listen (and IPv6 listen) more restrictive.

          Be careful : there is no such thing as a default LAN interface.
          You could hard code the IP of the interface to listen to.
          Or extract it from

          $g['interfaces']['lan']['ipaddr']
          

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

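An added example, not part of the thread or of the pfSense code base: a small Python check that reads an nginx configuration and reports whether each `listen` directive binds all interfaces or a single address, which is the distinction the suggestion to make the listen lines more restrictive turns on. The sample configuration, its addresses (192.0.2.1, 2001:db8::1) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, not pfSense's generated config: two wildcard listeners
# and the same pair restricted to a management address.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen [::]:443 ssl;
}
server {
    listen 192.0.2.1:443 ssl;      # constructed management IPv4
    listen [2001:db8::1]:443 ssl;  # constructed management IPv6
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)[^;]*;", re.MULTILINE)


def classify_listen(target):
    """Return (scope, host) for the first argument of an nginx listen directive."""
    if target.startswith("unix:"):
        return ("unix-socket", target[5:])
    if target.isdigit():                      # "listen 443" -> port only
        return ("all-interfaces", "*")
    if target.startswith("["):                # "[addr]:port" or "[addr]"
        host = target[1:target.index("]")]
    else:
        host = target.rsplit(":", 1)[0]       # "addr:port" or bare "addr"
    if host == "*":
        return ("all-interfaces", host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return ("hostname", host)             # resolved by nginx at startup
    if ip.is_unspecified:                     # 0.0.0.0 or ::
        return ("all-interfaces", host)
    return ("loopback" if ip.is_loopback else "single-address", host)


def audit(conf_text):
    """List every listen directive in conf_text with its binding scope."""
    return [(m.group(1),) + classify_listen(m.group(1))
            for m in LISTEN_RE.finditer(conf_text)]


if __name__ == "__main__":
    for target, scope, host in audit(SAMPLE_CONF):
        print(f"{target:24} {scope:16} {host}")
```

Any directive reported as `all-interfaces` is reachable on every address the box holds, so access to it depends entirely on the firewall rules.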
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.