How to disable webgui … if possible



  • Hi to all,

    Is it possible to disable the webgui and access pfsense only with SSH???

    Thanks a lot
    LiquiD



  • System > Advanced > Disable webGUI anti-lockout rule

    Then add a block rule on the LAN interface for traffic destined for port 80 (443 if using HTTPS) on the interface address.



  • Thank you so much … now is it possible to re-enable webgui via SSH without choosing "set lan ip"??? :D:D:D
    Thanks!



  • Um… no.
    Didn't you make sure that there is still a way to access the WebGUI?

    By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!).
    Hint: the "set LAN IP address" option in the console menu resets this setting as well.



  • Uhmmm … NO :D:D:D I'll reset lan interface thanks :D



  • I've enabled the "disable webgui anti-lockout rule" and created the following rule in the attachment … but all computers in the LAN can access the pfsense's webgui ... is it the LAN -> rule that makes it possible for the whole LAN, or should the webgui be disabled anyway?

    thanks LQD




  • What's your problem with LAN users being shown the login window? They still need user/password to access it.
    But you could create an 'allow' rule for the IP of your admin PC, followed by a modified 'deny' rule in which you set as destination "all BUT gateway-ip". Order of rules is important!



  • I don't want users trying for hours and hours to guess user/pass. I want my pfsense to not listen at all to other IPs!
    Why doesn't my "disable webgui" work now? For 1-2 days I think it was working fine!!!



  • @LiquiD_85:

    Why doesn't my "disable webgui" work now? For 1-2 days I think it was working fine!!!

    Sorry, my magic crystal ball is broken.
    Honestly, what kind of help can you expect from "it's broken" without giving any information?

    @jahonix:

    But you could create an 'allow' rule for the IP of your admin PC, followed by a modified 'deny' rule in which you set as destination "all BUT gateway-ip". Order of rules is important!



  • @jahonix:

    Sorry, my magic crystal ball is broken.
    Honestly, what kind of help can you expect from "it's broken" without giving any information?

    Hehehe … very witty :D

    My LAN rule-set is in the attachment some posts above ... when I enable "disable webgui anti-lockout rule" in the advanced menu, nothing changes; anyone can access the webgui!!!
    If you need other information ask me!
    If possible I want to use this option and not create other rules!!!

    Thanks
    LQD!



  • Umm… Jahonix already posted the solution to why your users still can access the pfSense twice.

    But you could create an 'allow' rule for the IP of your admin PC, followed by a modified 'deny' rule in which you set as destination "all BUT gateway-ip". Order of rules is important!

    Let me rephrase that:
    3 rules:
    allow - source: your_admin_PC, destination: pfSense_LAN_interface
    deny - source: any , destination: pfSense_LAN_interface
    allow - source: any , destination: any

    or easier with only 2 rules:
    allow - source: your_admin_PC, destination: pfSense_LAN_interface
    allow - source: any , destination: **!**pfSense_LAN_interface           (NOT the pfSense_LAN_interface)

    as written: The order of your rules is important !
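
Added example, not part of the thread: a small Python model of the two rule sets from the post above, assuming rules are evaluated top to bottom with the first match winning and an implicit deny when nothing matches. All IP addresses and function names are constructed for illustration, and ports are ignored because the posted rules match on addresses only.

```python
import ipaddress

# Constructed sample addresses (assumptions, not taken from the thread).
ADMIN_PC = "192.168.1.10"
PFSENSE_LAN = "192.168.1.1"

def matches(pattern, addr):
    """pattern is 'any', a single IP, or '!IP' (anything except that IP)."""
    if pattern == "any":
        return True
    if pattern.startswith("!"):
        return ipaddress.ip_address(addr) != ipaddress.ip_address(pattern[1:])
    return ipaddress.ip_address(addr) == ipaddress.ip_address(pattern)

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to the default deny."""
    for action, rule_src, rule_dst in rules:
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action
    return "deny"

# The 3-rule variant from the post.
THREE_RULES = [
    ("allow", ADMIN_PC, PFSENSE_LAN),
    ("deny", "any", PFSENSE_LAN),
    ("allow", "any", "any"),
]
# The 2-rule variant using a negated destination.
TWO_RULES = [
    ("allow", ADMIN_PC, PFSENSE_LAN),
    ("allow", "any", "!" + PFSENSE_LAN),
]
# Same three rules with the broad allow moved to the top: the deny never fires.
WRONG_ORDER = [THREE_RULES[2], THREE_RULES[0], THREE_RULES[1]]

def access_table(rules):
    """Outcomes for admin->firewall, LAN user->firewall, LAN user->outside host."""
    user, outside = "192.168.1.50", "203.0.113.7"  # constructed addresses
    return (evaluate(rules, ADMIN_PC, PFSENSE_LAN),
            evaluate(rules, user, PFSENSE_LAN),
            evaluate(rules, user, outside))

if __name__ == "__main__":
    for name, rules in [("3 rules", THREE_RULES), ("2 rules", TWO_RULES),
                        ("wrong order", WRONG_ORDER)]:
        print(name, access_table(rules))
```

Both variants give the same result for the three flows, while the reordered set lets every LAN host reach the firewall's own address.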



  • Simply do in a shell:

    killall -9 lighttpd



  • @dramis:

    Simply do in a shell:

    killall -9 lighttpd

    Is definitely the easy way. In addition to that you could add a package called shellcmd which runs commands when the system starts. Place the killall -9 lighttpd command there and it will kill the GUI when the system starts.



  • Or add another NIC to the system and have users coming in on that interface.

