Netgate Discussion Forum

    WEB GUI always accessible from WAN when in transparent mode

    7 Posts 4 Posters 5.7k Views
drizzle

Hi,

I was under the impression that if access is not enabled then you cannot access it…
I've configured pfSense (1.2.2) to be a transparent firewall using the good advice in http://pfsense.trendchiller.com/transparent_firewall.pdf
Everything is working fine apart from the fact that the web GUI can be accessed from anywhere. I've also tried all kinds of rules to prohibit it, but no luck.

I've also tried to switch the UI to HTTPS mode with a self-signed certificate, but that just rendered the UI totally inaccessible.

Any idea, or some additional information I could provide you guys to sort this out?

GruensFroeschli

You need to disable the anti-lockout rule under "Advanced".

        But if you configure the pfSense as transparent firewall, then it shouldn't even have an accessible IP.
        You should have a separate management interface with a private IP and access nowhere except the pfSense webGui.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

drizzle

Yes, that is disabled, but what you're saying is that I need to change the web UI to a private IP…
Is there no way of denying access to the UI if it is on a public IP?

Velociraptor

Just add a rule to the firewall so that it drops everything coming from anywhere to the webGUI port?

    action drop
    interface wan
    destination wan address
    destination port 80 or whatever

Should work?

drizzle

@Velociraptor:

    Just add a rule to the firewall so that it drops everything coming from anywhere to the webGUI port?

        action drop
        interface wan
        destination wan address
        destination port 80 or whatever

    Should work?

That was the very first thing I tried, but it does not help; even if you add the rule, anyone can still access the web UI.
It seems that when in transparent mode the UI is not "behind" the firewall? Don't know…
What I've done now is just a plain "kill -9 lighttpd", and when I need it I enable it through SSH. Not very elegant, but at least it cannot be accessed.

cmb

                As long as you disable the anti-lockout rule, only your user-defined rules will allow access. If you still have access, one of your rules is overly permissive. If you add a block rule it has to come before any pass rules that would match.

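The two points made above (Velociraptor's "block traffic to the webGUI port on WAN" rule and cmb's note that a block rule only works if it sits ahead of any pass rule that would match) come down to first-match rule evaluation. The following Python model is an added illustration, not pfSense code and not part of this thread: it evaluates a small ruleset top-down, the way pf with `quick` rules does, and shows how an overly permissive pass rule placed before the block makes the block dead, how a management-network pass placed before the block still lets an administrator in, and how the anti-lockout rule (modelled here as an implicit LAN-side pass to ports 80/443 ahead of every user rule) overrides whatever the user rules say. The addresses, interface names and rule labels are constructed for the example.

```python
# Added illustration (not pfSense code): a first-match firewall rule evaluator
# showing why the order of block and pass rules decides whether the webGUI on
# the firewall's own address is reachable. All names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholder for the firewall's own (public) address.
SELF_ADDR = "203.0.113.10"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    interface: str         # interface the packet arrives on, or "any"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, "any", or "self" (the firewall's own address)
    dport: Optional[int]   # TCP destination port, or None for any port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    interface: str
    src: str
    dst: str
    dport: int


def _match_addr(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "self":
        return addr == SELF_ADDR
    return ip_address(addr) in ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface in ("any", pkt.interface)
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


# Modelled after the anti-lockout rule: an implicit pass to the firewall's own
# webGUI ports on the LAN interface, evaluated ahead of every user-defined rule.
ANTI_LOCKOUT = [
    Rule("pass", "lan", "any", "self", 80, "anti-lockout"),
    Rule("pass", "lan", "any", "self", 443, "anti-lockout"),
]


def evaluate(rules: List[Rule], pkt: Packet, anti_lockout: bool = False) -> Tuple[str, str]:
    """First matching rule wins (pf 'quick' semantics); no match means block."""
    ruleset = (ANTI_LOCKOUT if anti_lockout else []) + list(rules)
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


# Ruleset 1: the block rule sits after a permissive pass, so it never fires.
WRONG_ORDER = [
    Rule("pass", "wan", "any", "any", None, "allow everything in"),
    Rule("block", "wan", "any", "self", 80, "block webGUI on WAN"),
]

# Ruleset 2: management network first, then the block, then the general pass.
RIGHT_ORDER = [
    Rule("pass", "wan", "192.0.2.0/24", "self", 443, "mgmt net to webGUI"),
    Rule("block", "wan", "any", "self", 80, "block webGUI on WAN"),
    Rule("block", "wan", "any", "self", 443, "block webGUI on WAN"),
    Rule("pass", "wan", "any", "any", None, "allow everything in"),
]


def demo() -> dict:
    """Evaluate a few constructed packets against both rulesets."""
    outsider_http = Packet("wan", "198.51.100.5", SELF_ADDR, 80)
    outsider_https = Packet("wan", "198.51.100.5", SELF_ADDR, 443)
    admin_https = Packet("wan", "192.0.2.7", SELF_ADDR, 443)
    lan_http = Packet("lan", "10.0.0.2", SELF_ADDR, 80)
    return {
        "wrong_order_outsider": evaluate(WRONG_ORDER, outsider_http),
        "right_order_outsider": evaluate(RIGHT_ORDER, outsider_https),
        "right_order_admin": evaluate(RIGHT_ORDER, admin_https),
        "lan_with_anti_lockout": evaluate(RIGHT_ORDER, lan_http, anti_lockout=True),
        "lan_without_anti_lockout": evaluate(RIGHT_ORDER, lan_http),
    }


if __name__ == "__main__":
    for name, (action, label) in demo().items():
        print(f"{name:26} -> {action:5} ({label})")
```

Run it and the "wrong order" packet is passed by the permissive rule before the block is ever consulted, which is the situation cmb describes; with the block moved ahead of the general pass, outsiders are dropped while the management network still reaches the webGUI. The last two entries show why the anti-lockout rule has to be disabled first: with it in place, the LAN-side packet is passed regardless of the user rules.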
drizzle

This is what my rules look like.
The first rule is blocking all access to the firewall IP, but I can still access it from IPs that are not on the allowed list.

[image: fw_rules.png]

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.