How do I restrict Darkstat Access to only 1 LAN IP?

  • This seems very straight forward, but I'm at a total loss to determine why this does not work. If I add a block rule on my LAN interface that blocks all connections from any LAN IP address to port 666 on pfSense's LAN IP address it does not work. I've verified my rule order is correct. In addition I'm using other block rules on the LAN side of the firewall (to block access to certain internet sites and services) which all work fine. Does the LAN side of the firewall only apply to routed traffic and not inbound traffic to the firewall itself? This is bizarre and doesn't make sense to me… There also seems to be zero options for securing Darkstat in the Darkstat diagnostics configuration page. I can't run this service with full access to anybody on my LAN. Anybody else running Darkstat? If so, how do you lock it down? Thanks in advance.

  • My guess is that you are falling victim to the 'anti-lockout' rule. Create rules to allow traffic to the web interface and ssh, then disable the lockout rule from the Advanced menu. I run Darkstat, but don't worry about locking it down- even if the users found it, I doubt they'd care or understand much.
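  The rule-ordering problem described above, as an added illustration that is not part of the original thread or of pfSense itself: pfSense evaluates LAN rules first-match, and the automatic anti-lockout rule sits above every user rule. The simulator below models the anti-lockout rule as "pass from LAN subnet to the firewall's LAN address, any port" (an assumption matching the behaviour the poster observed), shows that a user block rule for port 666 is shadowed while it is in place, and then shows the replacement rule set from the answer: explicit passes for the admin PC to the web GUI (443), SSH (22) and Darkstat (666), explicit blocks for everyone else, and the default LAN-to-any rule last. All addresses, the admin PC and the port numbers other than 666 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing; nothing here comes from the original thread.
FW_LAN_IP = "192.168.1.1"       # pfSense LAN address (hypothetical)
LAN_NET = "192.168.1.0/24"      # LAN subnet (hypothetical)
ADMIN_PC = "192.168.1.10"       # the one LAN host allowed to reach Darkstat (hypothetical)
DARKSTAT_PORT = 666             # port named in the thread
MGMT_PORTS = (443, 22)          # assumed web GUI (HTTPS) and SSH ports


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: str             # CIDR, single IP, or "any"
    dst: str             # CIDR, single IP, or "any"
    dport: Optional[int] # None means any destination port
    label: str


def _matches(spec: str, ip: str) -> bool:
    """True when ip falls inside spec ("any" matches everything)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins (pfSense interface rules are 'quick'); default deny."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip) and r.dport in (None, dport):
            return r.action, r.label
    return "block", "implicit default deny"


# Automatic rule, evaluated before anything the admin writes (modelled as any-port).
ANTI_LOCKOUT = Rule("pass", LAN_NET, FW_LAN_IP, None, "anti-lockout (automatic, always first)")

# What the poster tried: block everyone but the admin PC from reaching Darkstat.
darkstat_rules = [
    Rule("pass", ADMIN_PC, FW_LAN_IP, DARKSTAT_PORT, "allow admin PC to Darkstat"),
    Rule("block", "any", FW_LAN_IP, DARKSTAT_PORT, "block everyone else to Darkstat"),
]
default_lan = [Rule("pass", LAN_NET, "any", None, "default allow LAN to any")]

# Replacement for the anti-lockout rule: explicit management access for the admin PC only.
mgmt_rules = (
    [Rule("pass", ADMIN_PC, FW_LAN_IP, p, f"allow admin PC to firewall tcp/{p}") for p in MGMT_PORTS]
    + [Rule("block", "any", FW_LAN_IP, p, f"block others to firewall tcp/{p}") for p in MGMT_PORTS]
)


def with_anti_lockout() -> List[Rule]:
    """Rule set as the poster had it: anti-lockout enabled, block rule below it."""
    return [ANTI_LOCKOUT] + darkstat_rules + default_lan


def without_anti_lockout() -> List[Rule]:
    """Rule set from the answer: anti-lockout disabled, explicit management rules instead."""
    return mgmt_rules + darkstat_rules + default_lan


def darkstat_reachable(rules: List[Rule], src_ip: str) -> bool:
    """Whether src_ip can reach the Darkstat listener on the firewall's LAN address."""
    return evaluate(rules, src_ip, FW_LAN_IP, DARKSTAT_PORT)[0] == "pass"


def main() -> None:
    other_host = "192.168.1.50"  # an ordinary LAN host (constructed)
    for name, rules in (("anti-lockout ON", with_anti_lockout()),
                        ("anti-lockout OFF", without_anti_lockout())):
        for src in (ADMIN_PC, other_host):
            action, label = evaluate(rules, src, FW_LAN_IP, DARKSTAT_PORT)
            print(f"{name:17} {src:14} -> {FW_LAN_IP}:{DARKSTAT_PORT}  {action:5}  ({label})")


if __name__ == "__main__":
    main()
```

  Run it and the first pair of lines shows the shadowing: with the anti-lockout rule on top, the ordinary host's connection to port 666 is passed by "anti-lockout" and the block rule is never reached. With the explicit management rules in its place, the admin PC still reaches the GUI, SSH and Darkstat, and everyone else hits the block rules before the default LAN-to-any rule. Before disabling the real anti-lockout rule, make sure the equivalent of the pass rules for the management ports is already in place and working from the admin host, since those are the rules that keep you from locking yourself out.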

  • Bingo!! Thanks so much for the help. I would have never figured that one out. Hmm… It's my feeling that WebGUI Anti-Lockout should never automatically pass traffic on ports other than 80 and 443 (unless the firewall admin changes the listening port for the WebGUI service, in which case WebGUI Anti-Lockout should update itself to allow traffic into the new port). The naming of this option to me is kind of deceptive.

