Netgate Discussion Forum

WebConfigurator and SSH Listen IP:port

3 Posts 2 Posters 2.9k Views
    Derelict LAYER 8 Netgate
    last edited by May 21, 2013, 9:33 PM

    I would like to tell the web configurator and sshd to only bind to a specific interface.  I am setting up like this:

    2.0.3
    WAN = WAN
    LAN = Management
    OPT1 = GUEST1
    OPT2 = GUEST2

    Web configurator on port 8443, sshd on port 22.

    When I open a shell, and look at the listening ports, I see *:80 *:8443 and *:22

    I'd love to see management_ip:80, management_ip:8443, management_ip:22 instead like we can do with SNMP.

    I don't see any way to do this in the GUI. (2.1?)

    I edited /etc/sshd (adding ListenAddress) and /etc/inc/system.inc (Adding server.bind and the port 80 redirect to management_ip:80)

    This isn't working for me.  sshd isn't starting on boot even though the console message says it's starting..done.  I tried updating the pfSense_md5.txt with the right hash for /etc/sshd but no dice.  Running /etc/sshd manually starts the daemon.

    Is there something more elegant?  It would seem silly to have to have a block rule for every interface address on 22/80/8443 to achieve the same thing.  If I can adjust the listen address I can have one floating rule for all OPT/GUEST interfaces blocking traffic to the management subnet.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

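As an added example (not from the thread or from pfSense itself), a small POSIX shell check that parses output in the format of FreeBSD's `sockstat -4l` (the listing behind the `*:80 *:8443 *:22` the poster saw) and flags admin ports still bound to the wildcard address. The sample output and the management address 192.168.1.1 are constructed; on a live box you would feed it `sockstat -4l` instead.

```shell
#!/bin/sh
# Hypothetical audit helper: report whether the admin services (sshd, webConfigurator)
# listen on every address (*) or only on the management address.

ADMIN_PORTS="22 80 8443"      # ports from the thread: ssh, http redirect, https GUI
MGMT_IP="192.168.1.1"         # assumed management (LAN) address, constructed

# Constructed sample in `sockstat -4l` layout: USER COMMAND PID FD PROTO LOCAL FOREIGN
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     lighttpd   1301  4  tcp4   *:80                  *:*
root     lighttpd   1301  5  tcp4   *:8443                *:*
root     snmpd      1410  6  udp4   192.168.1.1:161       *:*'

# audit_binds LISTING
#   Prints one line per admin-port TCP listener:
#   "WILDCARD <cmd> <port>" when bound to *, "OK <cmd> <addr:port>" when bound
#   to the management address, "OTHER <cmd> <addr:port>" for anything else.
audit_binds() {
  printf '%s\n' "$1" | awk -v ports="$ADMIN_PORTS" -v mgmt="$MGMT_IP" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NR == 1 { next }                         # skip the header row
    $5 ~ /^tcp/ {
      split($6, a, ":"); addr = a[1]; port = a[2]
      if (!(port in want)) next              # not an admin port
      if (addr == "*")       print "WILDCARD", $2, port
      else if (addr == mgmt) print "OK", $2, $6
      else                   print "OTHER", $2, $6
    }'
}

# count_wildcard LISTING: number of admin ports still bound to every address
count_wildcard() {
  audit_binds "$1" | grep -c '^WILDCARD'
}

audit_binds "$SAMPLE"
```

Once sshd has a `ListenAddress` and lighttpd a `server.bind` for the management address, the same listing should show only `OK` lines and `count_wildcard` should return 0.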
      sgtr
      last edited by May 22, 2013, 9:19 AM

      Hi,

      Firstly, you should add the management ports and IP range to the firewall rules on whichever interface you want to permit management from, and then System > Advanced > Anti-Lockout must be checked.

      SGTR

      Even if there is no hope, never give up.

        Derelict LAYER 8 Netgate
        last edited by May 22, 2013, 6:43 PM May 22, 2013, 5:18 PM

        Yeah.  I use the initial LAN port as my management interface so the anti-lockout functions make sense.

        I've been looking at this more since posting and have decided it is better to simply create a port alias with 80, 8443, and 22 and enter a reject rule that prevents each subnet from accessing those ports on their own interface.  I already have to have rules that reject traffic, for example, from OPT1 to Management and OPT2 anyway.

        Way better than modifying 2.0.3, though the ability to bind admin services (webConfig/ssh) to a specific interface would be a welcome enhancement.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.