Need some quick shell ipfw help



  • Hi all,

    I just migrated my entire SO-HO setup from ipcop over to pfsense, it's fabulous – the team have made a magnificent piece of software.

    Alas, the engineer who set it up is not so magnificent. Me. I totally forgot to allow inbound HTTP access to the web GUI! Idiot. I do have ssh access to the box, and can thus presumably add the appropriate rule via ipfw, which would then allow my inbound HTTP access. This is what I figured. I'm a UNIX guy, I can figure this out. This is what I came up with, given that the WAN interface is fxp0, and its IP address is N.N.N.N. The IP I'm connecting from is X.X.X.X:

    ipfw add 01205 allow tcp from X.X.X.X to N.N.N.N dst-port 80 in recv fxp0

    This, of course, does not work. Still no HTTP access.

    Ideas? Help? Being a Linux guy is no excuse I know..........

    Thanks so much!!!

    -Rick.



  • Where are you located?

    • on the outside WAN world of your pfSense
    • on the inside LAN world of this box

    Since you can SSH to it, the box is alive.
    There is a default 'anti lockout rule' to the GUI from LAN. Unless you disabled it, you should have http access to your pfSense from there.
    No need to set up a rule yourself, someone else did that already…  ;-)



  • It's pf, not ipfw. You have to make your rule changes via the webGUI, otherwise they'll be overwritten. If your existing ruleset does not allow you into the webGUI, you can make temporary rule changes at the command line. Your running ruleset is /tmp/rules.debug. Info on changing it can be found here:
    http://www.openbsd.org/faq/pf/

    Don't do anything other than add a rule to permit access to the webGUI, then go into the webGUI and set up the same rule there, as well as whatever else you want. Editing the ruleset manually is unsupported and may cause problems; I strongly suggest having someone on the LAN side let you into the webGUI rather than doing this.

    You could use tunneling with SSH to get into the webGUI, that's probably a better and easier solution.
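The two recovery paths described in this answer, as an added example that is not part of the thread or of pfSense itself: a helper that builds the temporary pf `pass` rule restricted to the single admin host, and one that builds the SSH local port forward through which the webGUI can be reached without touching the ruleset at all. The interface name and the addresses are placeholders in the thread, so the demo below uses constructed documentation-range addresses; the rule syntax is plain pf, and the assumption is that the webGUI listens on the port given (80 in the original post).

```sh
#!/bin/sh
# Added example (not from the forum thread or pfSense): compose, and sanity-check,
# the two recovery commands discussed above. Assumptions: pfSense uses pf, its
# running ruleset is /tmp/rules.debug, and ssh to the box works as root.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
# Prevents a typo such as the thread's literal N.N.N.N from ending up in a rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the temporary pf rule that lets exactly one admin host reach the webGUI.
# Args: wan_if admin_ip wan_ip gui_port
# The rule is "pass in quick" so an earlier last-match default deny cannot undo it;
# it still has to be placed before any "quick" block rule that would match first.
pf_gui_rule() {
    is_ipv4 "$2" && is_ipv4 "$3" || return 1
    printf 'pass in quick on %s proto tcp from %s to %s port %s keep state\n' \
        "$1" "$2" "$3" "$4"
}

# Print the ssh command that forwards a local port to the webGUI on the firewall.
# Args: wan_ip gui_port local_port
# After running it, the GUI is at http://127.0.0.1:<local_port>/ on the workstation,
# and no firewall rule has to change at all (the answer's preferred route).
ssh_tunnel_cmd() {
    is_ipv4 "$1" || return 1
    printf 'ssh -N -L %s:127.0.0.1:%s root@%s\n' "$3" "$2" "$1"
}

# Demo with constructed addresses (RFC 5737 documentation ranges), standing in
# for the thread's X.X.X.X (admin host) and N.N.N.N (WAN address of fxp0).
ADMIN_IP=203.0.113.10
WAN_IP=198.51.100.1

echo "# temporary rule: append to /tmp/rules.debug, then: pfctl -f /tmp/rules.debug"
pf_gui_rule fxp0 "$ADMIN_IP" "$WAN_IP" 80
echo "# or, without editing any rules, tunnel from the workstation:"
ssh_tunnel_cmd "$WAN_IP" 80 8080
```

Once the GUI is reachable by either route, the permanent rule belongs in the webGUI, as the answer says; anything added by hand to /tmp/rules.debug disappears the next time pfSense regenerates the ruleset.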

