Block and allow port 443?
-
I am trying to allow only one host 192.168.0.3 to access the LAN interface 192.168.0.1 port 443 of the pfSense box for administration. At the same time I would also like to allow port 443 out for web browsing.
How can I both block and allow port 443? The following configuration allows all hosts on LAN net to connect to 192.68.0.1:443 for administration.
ManagementHosts=192.168.0.3
ManagementPorts=443
-
Above the third rule (the first one for 443), add one that blocks access to the interface IP on port 443 for any host that is not in the ManagementHosts alias. You can then remove your current last 2 rules.
-
Thanks CH. Works perfectly. Here are the rules I implemented in case someone else has the same question:
Question: Why doesn't rule #3 block all access to port 443? If I have a host not in "ManagementHosts" accessing a web site over HTTPS, isn't the destination initially 192.168.0.1 because that is the interface it has to go through to be routed to the outside internet?
-
No, the destination is initially 443 on the original web host address. The router does the translation along the way when routing the packet for you. Hence, the firewall rules will check the initial source/destination before deciding whether to route (pass) or drop the request.
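The rule ordering discussed in the thread, modelled as an added example (not from the original post or from pfSense itself): a first-match evaluator run over a constructed LAN ruleset using the page's aliases, showing that an outbound HTTPS packet carries the real web host as its destination and so never hits the block rule, and that putting the block rule below the general 443 pass rule would let any LAN host reach the admin page. The LAN subnet 192.168.0.0/24 and the test addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Set

# Aliases as given on the page; the LAN subnet is assumed.
MANAGEMENT_HOSTS = {ipaddress.ip_address("192.168.0.3")}
MANAGEMENT_PORTS = {443}
LAN_ADDRESS = ipaddress.ip_address("192.168.0.1")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src_ok: Callable[[object], bool]  # predicate on source address
    dst_ok: Callable[[object], bool]  # predicate on destination address
    ports: Set[int]                   # destination ports the rule matches


def evaluate(rules, src, dst, dport):
    """First matching rule wins (pfSense semantics); no match means default deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src_ok(src) and rule.dst_ok(dst) and dport in rule.ports:
            return rule.action
    return "block"


# Ruleset in the order CH recommends: block non-management hosts from the
# interface IP on 443, pass management hosts to it, then pass 443 out for browsing.
LAN_RULES = [
    Rule("block", lambda s: s not in MANAGEMENT_HOSTS,
         lambda d: d == LAN_ADDRESS, MANAGEMENT_PORTS),
    Rule("pass", lambda s: s in MANAGEMENT_HOSTS,
         lambda d: d == LAN_ADDRESS, MANAGEMENT_PORTS),
    Rule("pass", lambda s: s in LAN_NET, lambda d: True, {443}),
]

# Same rules with the block rule placed after the general 443 pass rule:
# the pass rule matches first, so the block never takes effect.
WRONG_ORDER = [LAN_RULES[2], LAN_RULES[0], LAN_RULES[1]]


if __name__ == "__main__":
    for src, dst in [("192.168.0.3", "192.168.0.1"),
                     ("192.168.0.7", "192.168.0.1"),
                     ("192.168.0.7", "203.0.113.10")]:  # constructed web host
        print(src, "->", dst, ":443", evaluate(LAN_RULES, src, dst, 443),
              "/ wrong order:", evaluate(WRONG_ORDER, src, dst, 443))
```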