How to disable webGUI from console (SOLVED)
-
Hello,
I'm using webGUI to do initial configuration and after that I don't really need it. Box just sits on the network busy doing its job*. It is only when it comes to do a firmware update that I need to log in via web GUI.
My reasoning is, and please correct me if my thinking is flawed, that by disabling web server I could protect my box from somebody exploiting future vulnerabilities in the web server. Plus maybe free up some extra resources.
So is it possible to disable and enable web server from the console? Or is it too tightly integrated with the whole thing? I'm using pfSense as a perimeter firewall, it is doing NAT and acting as a DHCP server for my LAN.
- thanks pfSense team for such a stable product!
-
Unless you opened up the GUI port on the firewall for people to access, then it isn't a threat. It's meant to be running all the time.
You could kill the lighttpd processes and then restart it with /etc/rc.restart_webgui, but that isn't recommended.
-
Let me clarify that I'm talking about blocking web GUI access from LAN too. Probably I'm a bit paranoid but there is really no need for anybody to be able to poke around a web server installed on my firewall box.
A firewall rule would be a good solution for me I guess. If I disable the anti lock-out rule and then I put something like this at the very beginning of my rule set:
block in quick on $lan_if inet proto tcp from any to ($lan_if) port {http, https}
But is it possible to enable/disable this rule via console when needed?
-
No, the rules and everything are meant to be managed from the GUI. It isn't geared toward managing those things from the shell.
That said, you could do that rule, and then rely on ssh forwarding to get you into the GUI. (Just make sure your ssh forwarding works before activating that rule)
-
I will look into that solution. Thank you very much for your help.
-
Just want to confirm that it works. Some extra block rules are required so that the traffic doesn't slip in with the default "pass any to any" rule.
I find this solution really neat and simple, a lot better than what I was originally asking for.
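A way to verify the rule ordering the thread ends up relying on, added here as an example and not part of any post in the thread: a POSIX shell function that reads a ruleset dump in the shape of `pfctl -sr` output and confirms that, on the LAN interface, both GUI ports are covered by `block ... quick` rules that come before the first `pass` rule, which is what fails when the anti lock-out rule is still present or the block sits after the default pass-any rule. The interface name `em1` and the sample rule lines are constructed assumptions, not output from a real box.

```shell
#!/bin/sh
# gui_blocked_before_pass RULESET LAN_IF
# Returns 0 when both GUI ports (80/http and 443/https) are hit by an inbound
# "block ... quick" rule on LAN_IF that precedes the first inbound "pass" rule
# on that interface; returns 1 otherwise (a block placed after a pass, or a
# block without "quick", would be overridden by the later/last matching pass).
gui_blocked_before_pass() {
    printf '%s\n' "$1" | awk -v lanif="$2" '
        # only inbound rules on the LAN interface are relevant
        $0 ~ (" in (quick )?on " lanif " ") {
            line = $0 " "                       # trailing space simplifies port match
            if ($1 == "pass") seen_pass = 1
            if ($1 == "block" && /quick/ && /proto tcp/ && !seen_pass) {
                if (line ~ /port = (80|http) /)   http_ok = 1
                if (line ~ /port = (443|https) /) https_ok = 1
            }
        }
        END { if (http_ok && https_ok) exit 0; exit 1 }'
}

# Constructed sample rulesets written in the shape of `pfctl -sr` output.
# Good: both block-quick rules precede the LAN pass-any rule, anti lock-out rule removed.
RULES_GOOD='block drop in quick on em1 inet proto tcp from any to (em1) port = http
block drop in quick on em1 inet proto tcp from any to (em1) port = https
pass in quick on em1 inet all flags S/SA keep state'

# Bad: an anti lock-out style pass rule still comes first, so the blocks never fire.
RULES_BAD='pass in quick on em1 inet proto tcp from any to (em1) port = http
pass in quick on em1 inet proto tcp from any to (em1) port = https
block drop in quick on em1 inet proto tcp from any to (em1) port = http
block drop in quick on em1 inet proto tcp from any to (em1) port = https
pass in quick on em1 inet all flags S/SA keep state'

if gui_blocked_before_pass "$RULES_GOOD" em1; then
    echo "sample ruleset: GUI ports blocked before any LAN pass rule"
fi
if ! gui_blocked_before_pass "$RULES_BAD" em1; then
    echo "sample ruleset with pass first: GUI traffic would slip through"
fi

# On a live box: gui_blocked_before_pass "$(pfctl -sr)" em1
# Reaching the GUI afterwards, as the reply above suggests, goes over ssh
# (placeholder host): ssh -L 8443:127.0.0.1:443 admin@firewall.example
# and then https://localhost:8443/ in a browser; loopback traffic is not
# subject to the LAN interface block rule.
```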