Prevent mod_security from exposing web GUI?



  • I've got a bit of a mess here. Have been using mod_security for a while now, apparently 0.2. After the last update it would not start. Tried everything, no go. Finally, armed with a backup I just removed it and reinstalled it. Well, apparently 0.3 installed. So it's completely different and I have not gotten that to work yet, but my real problem is, the Web GUI is exposed on the WAN!

    Apparently, port 80 needs to be open on the port that mod_security will listen on, but then that exposes the Web GUI. How do I absolutely, beyond a shadow of a doubt, prevent some problem with mod_security from ever, ever, exposing the Web GUI? This is a HUGE problem!!! This needs to be intrinsically safe!



  • All right, let's put this another way: how can I prevent the Web GUI from binding to certain interfaces? Or, more semantically correct, how can I explicitly set the list of interfaces it should bind to? Of the 7 interfaces, it should only bind to the management interface.



  • So, I was able to answer my own question after rephrasing it. This article https://doc.pfsense.org/index.php/Limiting_access_to_web_interface alludes to the answer. While it specifically talks about source filtering, which is not what I want, it goes on to describe binding lighttpd to the loopback adapter and using an ssh tunnel which is way more than I want, but therein lies the answer. server.bind is used to specify the interface address to use for binding, and I was able to change 0.0.0.0 to the IP of my management interface.

    Of course this means I'll have to re-patch this after every upgrade, but at least it's intrinsically safe; errant rules and crashed modules can't expose the management interface.
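The check that goes with the fix above, as an added example that is not part of the original thread: it reads the `server.bind` value out of a lighttpd config and, separately, scans `sockstat -4l` style listener output (the FreeBSD tool pfSense uses) for any lighttpd socket on the GUI ports that is not bound solely to the management address. The management IP, the GUI ports and the sample config/sockstat text are all constructed assumptions.

```python
"""Verify the web GUI (lighttpd) is bound only to the management address."""
import re

MGMT_ADDR = "192.168.1.1"   # assumed management interface IP (constructed)
GUI_PORTS = {80, 443}       # ports the GUI is served on (assumption)

# Constructed lighttpd config fragments: the exposed default and the fix.
CONFIG_EXPOSED = 'server.port = 443\nserver.bind = "0.0.0.0"\n'
CONFIG_FIXED = 'server.port = 443\nserver.bind = "192.168.1.1"\n'

# Constructed sample in the column layout of `sockstat -4l`:
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   2345  4  tcp4   *:443                 *:*
root     lighttpd   2345  5  tcp4   0.0.0.0:80            *:*
root     sshd       1200  3  tcp4   192.168.1.1:22        *:*
root     lighttpd   2345  6  tcp4   192.168.1.1:443       *:*
"""


def server_bind_value(config_text):
    """Return the server.bind value, or None when the directive is absent
    (lighttpd then listens on every address, the same as 0.0.0.0)."""
    m = re.search(r'^\s*server\.bind\s*=\s*"([^"]*)"', config_text, re.M)
    return m.group(1) if m else None


def parse_listeners(output):
    """Return (command, local_addr, port) for each TCP listener line,
    skipping the header row."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue
        addr, _, port = fields[5].rpartition(":")
        listeners.append((fields[1], addr, int(port)))
    return listeners


def exposed_gui_listeners(output, mgmt_addr=MGMT_ADDR, ports=GUI_PORTS):
    """lighttpd listeners on GUI ports not bound solely to mgmt_addr.
    '*' and '0.0.0.0' mean every interface, WAN included, so they are flagged."""
    return [(addr, port) for cmd, addr, port in parse_listeners(output)
            if cmd == "lighttpd" and port in ports and addr != mgmt_addr]
```

On a live box, feed `exposed_gui_listeners` the real output of `sockstat -4l`; an empty list is the state the last post describes, and any entry means the GUI is reachable on something other than the management interface.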