Netgate Discussion Forum

    How to disable webGUI from console (SOLVED)

    General pfSense Questions
    • enoch

      Hello,

      I'm using webGUI to do initial configuration and after that I don't really need it. Box just sits on the network busy doing its job*. It is only when it comes to doing a firmware update that I need to log in via web GUI.

      My reasoning is, and please correct me if my thinking is flawed, that by disabling the web server I could protect my box from somebody exploiting future vulnerabilities in the web server. Plus maybe free up some extra resources.

      So is it possible to disable and enable the web server from the console? Or is it too tightly integrated with the whole thing? I'm using pfSense as a perimeter firewall, it is doing NAT and acting as a DHCP server for my LAN.

      * thanks pfSense team for such a stable product!
      • jimp Rebel Alliance Developer Netgate

        Unless you opened up the GUI port on the firewall for people to access, then it isn't a threat. It's meant to be running all the time.

        You could kill the lighttpd processes and then restart it with /etc/rc.restart_webgui, but that isn't recommended.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • enoch

          Let me clarify that I'm talking about blocking web GUI access from LAN too. Probably I'm a bit paranoid, but there is really no need for anybody to be able to poke around a web server installed on my firewall box.

          A firewall rule would be a good solution for me, I guess. If I disable the anti lock-out rule and then I put something like this at the very beginning of my rule set:

          block in quick on $lan_if inet proto tcp from any to ($lan_if) port {http, https}
          

          But is it possible to enable/disable this rule via console when needed?

          • jimp Rebel Alliance Developer Netgate

            No, the rules and everything are meant to be managed from the GUI. It isn't geared toward managing those things from the shell.

            That said, you could do that rule, and then rely on ssh forwarding to get you into the GUI. (Just make sure your ssh forwarding works before activating that rule.)

            • enoch

              I will look into that solution. Thank you very much for your help.

              • enoch

                Just want to confirm that it works. Some extra block rules are required so that the traffic doesn't slip in with the default "pass any to any" rule.
                I find this solution really neat and simple, a lot better than what I was originally asking for.

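One plausible reason extra block rules are needed, shown as an added illustration that is not from the thread or from pfSense itself: the web GUI also answers on the firewall's other addresses, so a block aimed only at the LAN address leaves those to the default pass rule. The addresses and the simplified first-match rule model below are assumptions.

```python
"""First-match evaluation of LAN-interface rules (added illustration).

All addresses are constructed; the rule model is a simplification of
pf "quick" rules, not pfSense's generated ruleset.
"""
from ipaddress import ip_address, ip_network

# Assumed addresses: firewall LAN 192.168.1.1, firewall WAN 203.0.113.10.
LAN_ADDR = ip_network("192.168.1.1/32")
SELF = [LAN_ADDR, ip_network("203.0.113.10/32"), ip_network("127.0.0.1/32")]
ANY = [ip_network("0.0.0.0/0")]
GUI_PORTS = {80, 443}


def evaluate(rules, dst, port):
    """Return the action of the first rule matching (dst, port); default deny."""
    addr = ip_address(dst)
    for action, nets, ports in rules:
        if any(addr in n for n in nets) and (ports is None or port in ports):
            return action
    return "block"


# Rule from the thread: block GUI ports to the LAN address only, then default pass.
lan_only = [("block", [LAN_ADDR], GUI_PORTS), ("pass", ANY, None)]
# Variant with wider coverage: block GUI ports to every firewall address.
all_self = [("block", SELF, GUI_PORTS), ("pass", ANY, None)]


def report(rules):
    """Evaluate the connections a LAN client could attempt (constructed probes)."""
    probes = {
        "gui_on_lan_addr": ("192.168.1.1", 443),
        "gui_on_wan_addr": ("203.0.113.10", 443),
        "ssh_to_firewall": ("192.168.1.1", 22),
        "web_to_internet": ("198.51.100.7", 443),
    }
    return {name: evaluate(rules, *probe) for name, probe in probes.items()}


if __name__ == "__main__":
    for label, rules in (("LAN address only", lan_only),
                         ("all firewall addresses", all_self)):
        print(label, report(rules))
```

In both rule sets SSH to the firewall still passes, which is what the ssh forwarding approach relies on.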
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.