Question: When accidents happen - getting locked out…



  • I have pfSense running on a 1U server in a production environment. I was curious as to how one would get into the firewall to undo a bad configuration value or rule. For example, on a Cisco router, you need to copy the "current config" to the live state in order for it to be activated on boot-up. So, if you apply a firewall rule that blocks you out, all you really need to do is reboot the router and it will automatically come back up in the "last known good" state (with all the rules but the ones you just added).

    The question is how would one achieve this kind of safe buffer with pfSense? How would you configure the firewall to allow you to always have some type of access to the admin interface if you apply stupid rules to the LAN/WAN? Even if you have a 3rd interface for admin access, you could potentially apply a stupid rule that would block you out of your entire subnet.

    Comments/Suggestions?

    Thanks,

    -Sean



  • There is an invisible anti-lockout rule.
    (You can disable it under Advanced.)

    Worst case scenario:
    You disable the anti-lockout rule and then create a rule that locks you out.
    You then need to connect to the pfSense box locally, either through VGA/keyboard or via serial cable.



  • @GruensFroeschli:

    There is an invisible anti-lockout rule.
    (You can disable it under Advanced.)

    Worst case scenario:
    You disable the anti-lockout rule and then create a rule that locks you out.
    You then need to connect to the pfSense box locally, either through VGA/keyboard or via serial cable.

    Ahhh! Is this documented anywhere? Is it just a rule that allows * to WAN:80 or something?

    Thanks!

    -Sean



  • Well, it is documented in the GUI:

    Disable webGUI anti-lockout rule
    By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!).
    Hint: the "set LAN IP address" option in the console menu resets this setting as well.
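The GUI text above is the whole safety net: once the anti-lockout rule is disabled, only the user-defined LAN rules stand between you and a console visit. The script below is an added example, not code from this thread or from the pfSense project. It reads a pfSense-style config.xml and reports whether webGUI access from the LAN would still be permitted, using a simplified first-match evaluation of the LAN rules (the config.xml element names `system/webgui/noantilockout`, `system/webgui/port`, `filter/rule`, `lan`, `lanip` are assumed to match pfSense's layout; the two XML documents are constructed for illustration).

```python
"""Check a pfSense-style config.xml for webGUI lockout risk on the LAN.

Added example, not from the forum thread or the pfSense project. It assumes the
config.xml layout used by pfSense (system/webgui/noantilockout, system/webgui/port,
filter/rule with interface/source/destination children); the XML below is constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed: anti-lockout disabled, only a DNS pass rule on LAN -> webGUI unreachable.
RISKY_CONFIG = """<pfsense>
  <system>
    <webgui><protocol>https</protocol><noantilockout/></webgui>
  </system>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol><source><any/></source>
      <destination><network>lanip</network><port>53</port></destination></rule>
  </filter>
</pfsense>"""

# Constructed: anti-lockout disabled, but an explicit pass rule to the webGUI port comes first.
SAFE_CONFIG = """<pfsense>
  <system>
    <webgui><protocol>https</protocol><port>8443</port><noantilockout/></webgui>
  </system>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol><source><network>lan</network></source>
      <destination><network>lanip</network><port>8443</port></destination></rule>
    <rule><type>block</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""


def webgui_port(root):
    """Return the configured webGUI port, falling back to the protocol default."""
    gui = root.find("system/webgui")
    proto = (gui.findtext("protocol") if gui is not None else None) or "https"
    port = gui.findtext("port") if gui is not None else None
    return int(port) if port else DEFAULT_PORTS[proto]


def antilockout_disabled(root):
    """True when the 'Disable webGUI anti-lockout rule' checkbox is set."""
    return root.find("system/webgui/noantilockout") is not None


def _port_matches(port_text, port):
    # Empty port means "any"; pfSense stores ranges as "lo-hi".
    if not port_text:
        return True
    lo, _, hi = port_text.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _rule_matches_gui_access(rule, port):
    """Simplified match for TCP from a LAN host to the LAN address on the GUI port."""
    if rule.findtext("interface") != "lan" or rule.find("disabled") is not None:
        return False
    if rule.findtext("protocol") not in (None, "tcp", "tcp/udp"):
        return False
    src, dst = rule.find("source"), rule.find("destination")
    if src is None or dst is None:
        return False
    if src.find("any") is None and src.findtext("network") != "lan":
        return False
    if dst.find("any") is None and dst.findtext("network") != "lanip":
        return False
    return _port_matches(dst.findtext("port"), port)


def check_lockout_risk(xml_text):
    """Report whether LAN webGUI access survives; rules are first-match, default deny."""
    root = ET.fromstring(xml_text)
    port = webgui_port(root)
    if not antilockout_disabled(root):
        return {"port": port, "locked_out": False, "reason": "anti-lockout rule active"}
    for rule in root.findall("filter/rule"):
        if _rule_matches_gui_access(rule, port):
            kind = rule.findtext("type")
            return {"port": port, "locked_out": kind != "pass",
                    "reason": f"first matching LAN rule is '{kind}'"}
    return {"port": port, "locked_out": True,
            "reason": "no LAN rule matches webGUI traffic; default deny applies"}


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, check_lockout_risk(cfg))
```

Run it against a backup of config.xml before applying a rule change; a `locked_out: True` result means the next filter reload leaves only the console (VGA/keyboard or serial) as a way back in. The evaluation deliberately ignores floating rules, aliases, schedules and other interfaces, so treat a "safe" verdict as a sanity check rather than a full ruleset simulation.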

