Netgate Discussion Forum

Allow webGUI access only from LAN interface

  • D
    dhatz
    last edited by Oct 20, 2011, 3:15 AM

    I came across this article about pfsense's CP, where the author was looking for a way to block his CP users from accessing the webGUI and near the end adds "Update 6/7/2011- This above did not work the way I needed it - By blocking 443 on the guest wireless subnet it will also block any use of HTTPS out the firewall. So I am still searching".

    Disallowing access to webGUI from certain interfaces sounds like a useful feature for e.g. public hotspots.

    How about making the IP(s) to which lighttpd binds a configurable option, by adding server.bind ="lanip" to lighty-webConfigurator.conf ?

    • P
      podilarius
      last edited by Oct 20, 2011, 11:12 AM

      The user did not specify his rule correctly or it would have. It needs to be like this.

      Block … proto: tcp ::: source: WLAN Net port: any ::: destination: WLAN Address port: 443
      Block ... proto: tcp ::: source: WLAN Net port: any ::: destination: WLAN Address port: 80

      These rules need to be above the allow all rule. You can do the same on the LAN interface, but you will need to go and check the option to disable the anti-lockout rule. Please make sure that you have a rule that will allow access to your IP address or you will not be able to manage the firewall. This allow rule will need to be above the block rules.

      • D
        dhatz
        last edited by Oct 20, 2011, 4:01 PM

        You are correct of course, that would be the best way to do it.
        (in my defense, I wrote the first post at 3:00am local time  ;D )

        1 Reply Last reply Reply Quote 0
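
The rule ordering discussed in this thread, as an added example that is not part of any post and is not pfSense code: a small top-down, first-match evaluator comparing the article's rule (port 443 blocked for the whole subnet) with the rules from the reply (destination narrowed to WLAN Address), plus the management allow rule placed above and below the blocks. The addresses, the management host and all names are constructed assumptions; the model ignores protocol and treats every rule as TCP.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not from the thread).
WLAN_NET = ip_network("192.168.50.0/24")   # "WLAN Net"
WLAN_ADDR = ip_network("192.168.50.1/32")  # "WLAN Address" (the firewall itself)
ADMIN = ip_network("192.168.50.10/32")     # hypothetical management host
ANY = ip_network("0.0.0.0/0")
EXTERNAL = "203.0.113.80"                  # documentation-range web server

def evaluate(rules, src, dst, port):
    """Top-down, first match wins; unmatched traffic is blocked."""
    for action, r_src, r_dst, r_port in rules:
        if (ip_address(src) in r_src and ip_address(dst) in r_dst
                and r_port in (None, port)):
            return action
    return "block"

ALLOW_ALL = ("pass", WLAN_NET, ANY, None)

# Rule described in the quoted article: port 443 blocked for the whole subnet.
ARTICLE_RULES = [("block", WLAN_NET, ANY, 443), ALLOW_ALL]

# Rules from the reply: destination narrowed to the firewall's own address.
REPLY_RULES = [
    ("block", WLAN_NET, WLAN_ADDR, 443),
    ("block", WLAN_NET, WLAN_ADDR, 80),
    ALLOW_ALL,
]

# Management exception placed above the blocks, as the reply requires.
WITH_ADMIN = [("pass", ADMIN, WLAN_ADDR, 443)] + REPLY_RULES
# Same exception placed below the blocks: it is never reached.
ADMIN_TOO_LOW = REPLY_RULES[:2] + [("pass", ADMIN, WLAN_ADDR, 443), ALLOW_ALL]

def report(rules):
    """Return (guest->webGUI, guest->external HTTPS, admin->webGUI) verdicts."""
    guest = "192.168.50.77"
    return (evaluate(rules, guest, "192.168.50.1", 443),
            evaluate(rules, guest, EXTERNAL, 443),
            evaluate(rules, "192.168.50.10", "192.168.50.1", 443))

if __name__ == "__main__":
    for name in ("ARTICLE_RULES", "REPLY_RULES", "WITH_ADMIN", "ADMIN_TOO_LOW"):
        print(name, report(globals()[name]))
```

Only the ruleset with the allow rule above the block rules keeps the management host's webGUI access while guests stay blocked and outbound HTTPS still passes.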