WEB GUI always accessible from WAN when in transparent mode
-
HI,
I was under the impression that if an access is not enabled then you cannot access it…
I've configured pfSense (1.2.2) to be a transparent firewall using the good advice in http://pfsense.trendchiller.com/transparent_firewall.pdf
Everything is working fine apart from that the WEB GUI can be accessed from anywhere. I've also tried all kind of rules to prohibit it but no luck.I've also tried to switch the UI to HTTPS mode with a self signed certificate, but that just rendered the UI totally unaccessible.
Any idea or some additional information I could provide you guys to sort this out.
-
You need to disable the anti-lockout rule under "advanced"
But if you configure the pfSense as transparent firewall, then it shouldn't even have an accessible IP.
You should have a separate management interface with a private IP and access nowhere except the pfSense webGui. -
Yes that is disabled, but what you're saying is that i need to change the web UI to a private IP…
Is ther no way of denying access to the UI if it is on a public IP? -
just add a rule to the firewall that it should drop all coming from anywhere to the webgui port?
action drop
interface wan
destination wan address
destination port 80 or whatevershould work ?
-
just add a rule to the firewall that it should drop all coming from anywhere to the webgui port?
action drop
interface wan
destination wan address
destination port 80 or whatevershould work ?
That was the very first thing i tried but it does not help, even if you add the rule anyone can still access the web UI.
It seems that when in transparent mode the UI is not "behind" the firewall? Dont know…
What I've done now is just plain "kill -9 lighttpd" and when I need it enable it through SSH. Not very elegant but at least it cannot be accessed. -
As long as you disable the anti-lockout rule, only your user-defined rules will allow access. If you still have access, one of your rules is overly permissive. If you add a block rule it has to come before any pass rules that would match.
-
This is how my rules look like.
The first rule is blocking all access to the firewall IP, but I can still access it from IP's that are not on the allowed list
