WebConfigurator and SSH Listen IP:port


  • Netgate

    I would like to tell the web configurator and sshd to only bind to a specific interface.  I am setting up like this:

    2.0.3
    WAN = WAN
    LAN = Management
    OPT1 = GUEST1
    OPT2 = GUEST2

    Web configurator on port 8443, sshd on port 22.

    When I open a shell and look at the listening ports, I see *:80, *:8443 and *:22.

    I'd love to see management_ip:80, management_ip:8443, management_ip:22 instead like we can do with SNMP.

    I don't see any way to do this in the GUI. (2.1?)

    I edited /etc/sshd (adding ListenAddress) and /etc/inc/system.inc (Adding server.bind and the port 80 redirect to management_ip:80)

    This isn't working for me.  sshd isn't starting on boot even though the console message says it's starting..done.  I tried updating the pfSense_md5.txt with the right hash for /etc/sshd but no dice.  Running /etc/sshd manually starts the daemon.

    Is there something more elegant?  It would seem silly to have to have a block rule for every interface address on 22/80/8443 to achieve the same thing.  If I can adjust the listen address I can have one floating rule for all OPT/GUEST interfaces blocking traffic to the management subnet.



  • Hi,

    Firstly, you should add the management ports and IP range to the firewall rules of whichever interface you want to permit management from, and then System > Advanced > Anti-Lockout must be checked.

    SGTR


  • Netgate

    Yeah.  I use the initial LAN port as my management interface so the anti-lockout functions make sense.

    I've been looking at this more since posting and have decided it is better to simply create a port alias with 80, 8443, and 22 and enter a reject rule that prevents each subnet from accessing those ports on their own interface.  I already have to have rules that reject traffic, for example, from OPT1 to Management and OPT2 anyway.

    Way better than modifying 2.0.3, though the ability to bind admin services (webConfig/ssh) to a specific interface would be a welcome enhancement.
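    The port alias and per-interface reject rules described above, written out as a pf.conf fragment. This is an added example, not code from the thread or from pfSense; the interface device names (em1/em2/em3) and the management subnet are assumed values, and on a real pfSense box the rules are entered in the GUI rather than in pf.conf.

    ```pf
    # Interface mapping from the original post; device names are assumed.
    mgmt_if   = "em1"   # LAN  = Management
    guest1_if = "em2"   # OPT1 = GUEST1
    guest2_if = "em3"   # OPT2 = GUEST2
    mgmt_net  = "192.168.1.0/24"   # constructed management subnet

    # Port alias for the admin services: sshd, the webConfigurator on 8443,
    # and the port-80 redirect the webConfigurator keeps listening on.
    admin_ports = "{ 22, 80, 8443 }"

    # Each guest subnet is rejected ("block return" sends a TCP RST, which is
    # what the pfSense "reject" action does) when it targets the admin ports on
    # its own interface address. Quick: no later rule can re-allow it.
    block return in quick on $guest1_if proto tcp \
        from ($guest1_if:network) to ($guest1_if) port $admin_ports
    block return in quick on $guest2_if proto tcp \
        from ($guest2_if:network) to ($guest2_if) port $admin_ports

    # The one floating rule the post mentions: every guest interface is blocked
    # from reaching the management subnet at all, regardless of port.
    block return in quick on { $guest1_if $guest2_if } from any to $mgmt_net

    # Management stays able to reach the admin services on its own interface
    # (this is also what the anti-lockout rule protects).
    pass in quick on $mgmt_if proto tcp \
        from ($mgmt_if:network) to ($mgmt_if) port $admin_ports
    ```

    After loading, `pfctl -sr` lists the expanded rules and `sockstat -4 -l` still shows the daemons bound to `*`, so the reject rules, not the bind address, are what keep guests out.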

