Netgate Discussion Forum
    Design Flaw: Web GUI listens on WAN with no disable

    muvaminon

      Design Flaw:
      The Web GUI also listens on WAN. Not including a settings option to disable this is a design flaw. If a firewall rule, such as a temporary whitelist, inadvertently allows access to the router then the Web GUI becomes accessible. When I discovered this, there was much swearing. But, OPNsense has the same flaw so I’m still here.
      The commonly advised countermeasure is to change the port from 80 or 443, but that naively assumes that attackers won’t be scanning and analyzing all ports. I’ve had about 1.8 million attacks over the last 3 weeks. Attackers have probed almost every port.

    JKnott @muvaminon

        @muvaminon

        Don't firewall rules work?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

    Gertjan @muvaminon

          @muvaminon said in Design Flaw: Web GUI listens on WAN with no disable:

          The Web GUI also listens on WAN.

          And not only nginx, the GUI web server. If you run it, SSH also listens on 'all interfaces'. Unbound, the resolver, same situation.
          And things get worse: I'm not sure how many copies of pfSense are being used out there, but it must be a 6 if not 7 digit number: they all have this issue.

          @muvaminon said in Design Flaw: Web GUI listens on WAN with no disable:

          The commonly advised countermeasure is to change the port from 80 or 443, but that naively assumes that attackers won’t be scanning and analyzing all ports

          So don't ^^ Security by obscurity doesn't stand long... in 30 seconds using a GUI, and nmap will be way faster:

          [image]

          No ports open! (this is the default Netgate pfSense behavior).
          So no risk whatsoever. Case closed.

          @muvaminon said in Design Flaw: Web GUI listens on WAN with no disable:

          But, OPNsense has the same flaw so I’m still here

          Yep, we start to see the trend also 😊

          The real issue is actually: the human part behind pfSense, also called the 'admin'.

          Same as this:

          [image]

          The car has a steering wheel... and you can turn it to the right. You've learned not to do so.
          Should the wheel be removed?


          Ok, sorry, I'll be a bit more serious: I get it, why not double the security by not having the web server listening on the WAN NIC?
          It's easy to set up a web server (nginx) config file so it listens on one (pre-selected, normally LAN) interface.
          This is still possible, if you really want to do that.

          Edit: @JKnott said it all using way fewer words.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

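Gertjan's point that nginx, sshd and unbound bind to all interfaces can be confirmed on the box itself rather than argued about. The helper below is an added example, not code from the thread or from pfSense: it reads `sockstat -l` style output on stdin (the embedded listing is a constructed sample that assumes FreeBSD's column layout; 203.0.113.5 is a made-up WAN address) and prints every listener that a stray WAN rule would expose. The default WAN ruleset still blocks all of it, as Gertjan's scan shows; the listing tells you what is behind that ruleset.

```shell
# Constructed sample in the layout FreeBSD's `sockstat -4 -l` uses on pfSense.
# Not captured from a real firewall; PIDs and column widths are approximate.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      11234 6  tcp4   *:443                 *:*
root     sshd       9876  4  tcp4   *:22                  *:*
unbound  unbound    4321  3  udp4   *:53                  *:*
root     ntpd       2222  20 udp4   192.168.1.1:123       *:*
dhcpd    dhcpd      3333  5  udp4   *:67                  *:*
root     syslogd    1111  4  udp4   203.0.113.5:514       *:*'

# Print "COMMAND PROTO PORT" for every socket a WAN rule could let traffic reach:
# anything bound to the wildcard address (*), plus anything bound explicitly to
# the WAN address passed as $1 (optional). Reads sockstat-style text on stdin.
# On pfSense:  sockstat -4 -l | wan_reachable_listeners <wan-ip>
wan_reachable_listeners() {
  awk -v wan="$1" 'NR > 1 {
    n = split($6, a, ":")          # LOCAL ADDRESS column is addr:port
    if (n < 2) next                # skip anything that is not addr:port
    if (a[1] == "*" || (wan != "" && a[1] == wan)) print $2, $5, a[n]
  }'
}

# Wrappers over the constructed sample so the check can be exercised offline.
sample_wildcard_listeners() {
  printf '%s\n' "$SAMPLE_SOCKSTAT" | wan_reachable_listeners
}

sample_wan_listeners() {
  printf '%s\n' "$SAMPLE_SOCKSTAT" | wan_reachable_listeners 203.0.113.5
}
```

Services bound only to the LAN address (ntpd in the sample) never appear, which is the state Gertjan describes for an nginx config pinned to one interface.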
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.