Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    WebConfigurator and SSH Listen IP:port

    Scheduled Pinned Locked Moved General pfSense Questions
    3 Posts 2 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      I would like to tell the web configurator and sshd to only bind to a specific interface.  I am setting up like this:

      2.0.3
      WAN = WAN
      LAN = Management
      OPT1 = GUEST1
      OPT2 = GUEST2

      Web configurator on port 8443, sshd on port 22.

      When I open a shell, and look at the listening ports, I see *:80 *:8443 and *:22

      I'd love to see management_ip:80, management_ip:8443, management_ip:22 instead like we can do with SNMP.

      I don't see any way to do this in the GUI. (2.1?)

      I edited /etc/sshd (adding ListenAddress) and /etc/inc/system.inc (Adding server.bind and the port 80 redirect to management_ip:80)

      This isn't working for me.  sshd isn't starting on boot even though the console message says it's starting..done.  I tried updating the pfSense_md5.txt with the right hash for /etc/sshd but no dice.  Running /etc/sshd manually starts the daemon.

      Is there something more elegant?  It would seem silly to have to have a block rule for every interface address on 22/80/8443 to achieve the same thing.  If I can adjust the listen address I can have one floating rule for all OPT/GUEST interfaces blocking traffic to the management subnet.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • S
        sgtr
        last edited by

        Hi,

        Firstly you should add managing ports and ip range to firewall which interface that want to permit to manage and then System > Advanced > Anti-Lockout must be checked.

        SGTR

        Bir umut olmasa bile Asla Pes Etme.

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          Yeah.  I use the initial LAN port as my management interface so the anti-lockout functions make sense.

          I've been looking at this more since posting and have decided it is better to simply create a port alias with 80, 8443, and 22 and enter a reject rule that prevents each subnet from accessing those ports on their own interface.  I already have to have rules that reject traffic, for example, from OPT1 to Management and OPT2 anyway.

          Way better than modifying 2.0.3, though the ability to bind admin services (webConfig/ssh) to a specific interface would be a welcome enhancement.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.