Is it safe to keep pfsense Web Interface open to the whole world?



  • Hi Guys,

    Is it safe to keep the HTTPs pfsense UI open to the whole world with a 20 character long password (pretty safe password)?

    I have SSH key generated and port is changed to non-default so that is pretty safe.

    Should I get to the web UI through an SSH tunnel rather than keeping it open to the whole world?

    What is the standard here?

    I am logging in from dynamic IPs sometimes, so static IP is out of the question.

    Thanks



  • The standard is to allow direct access to the webgui only from trusted addresses. For accessing the webgui from untrusted IPs setup a VPN (OpenVPN for example) or use ssh.



  • I would only do that via SSH port forwarding, or VPN. SSH + key only authentication is far better than password-only authentication of the web interface. Though with a 20 character password you're probably very safe, I would never recommend opening the web administration interface of any device to the entire Internet.



  • I haven't go the OpenVPN work it - Thanks to it's very complex setup process. Don't have the luxury of upgrading to 2.0 because it's beta version and that this router is in production, so have to hover around until I get OpenVPN working.

    In the meanwhile, if I use SSH tunneling to webGUI what if the SSH service of the router goes down? That would be still crazy as I will again lock myself out. Wouldn't I?

    Thanks



  • There is very straightforward documentation on setting up OpenVPN and the book has an excellent section on the subject.  I would encourage you to invest some time in learning to set up OpenVPN because its exceptionally useful for a variety of tasks, this one included.



  • @torontob:

    In the meanwhile, if I use SSH tunneling to webGUI what if the SSH service of the router goes down? That would be still crazy as I will again lock myself out. Wouldn't I?

    Yes but I've seen about every problem there is to see, and never seen that happen. There's a much higher probability that the web interface will become inaccessible or unresponsive (though virtually always only if you're messing with non-stable packages).


Log in to reply