Netgate Discussion Forum
    Question: When accidents happen - getting locked out…

    4 Posts 2 Posters 2.1k Views
    • seanlee

      I have pfsense running on a 1u server in a production environment. I was curious as to how one would get into the firewall to undo a bad configuration value or rule. For example, on a Cisco router, you need to copy the "current config" to the live state in order for it to be activated on boot-up. So, if you apply a firewall rule that blocks you out, all you really need to do is reboot the router and it will automatically come back up in the "last good known" state (with all the rules but the ones you just added).

      The question is how would one achieve this kind of safe buffer with pfsense? How would you configure the firewall to allow you to always have some type of access to the admin interface if you apply stupid rules to the LAN/WAN? Even if you have a 3rd interface for admin access, you could potentially apply a stupid rule that would block you out of your entire subnet.

      Comments/Suggestions?

      Thanks,

      -Sean

      • GruensFroeschli

        There is an invisible anti-lockout rule.
        (You can disable it under Advanced.)

        Worst case scenario:
        you disable the anti-lockout rule and then create a rule that locks you out.
        You then need to connect to the pfSense locally, either through VGA/keyboard or via serial cable.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • seanlee

          @GruensFroeschli:

          > There is an invisible anti-lockout rule.
          > (You can disable it under Advanced.)
          >
          > Worst case scenario:
          > you disable the anti-lockout rule and then create a rule that locks you out.
          > You then need to connect to the pfSense locally, either through VGA/keyboard or via serial cable.

          Ahhh! Is this documented anywhere? Is it just a rule that allows * to WAN:80 or something?

          Thanks!

          -Sean

          • GruensFroeschli

            Well, it is documented in the GUI:

            Disable webGUI anti-lockout rule
            By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!).
            Hint: the "set LAN IP address" option in the console menu resets this setting as well.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
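The GUI text above asks for an explicit "filter rule in place that allows you in" before the anti-lockout rule is disabled. The following is an added example, not from this thread and not pfSense's own generated ruleset, written in pf syntax (pfSense's packet filter is pf); the interface name, management subnet and webGUI ports are assumed values, and on pfSense you would create the equivalent rule at the top of the LAN tab rather than editing pf.conf by hand:

```pf
# Added example (not pfSense's generated rules): an explicit webGUI/SSH
# allow rule that must exist on LAN before the anti-lockout rule is disabled.
lan_if       = "em1"              # assumption: LAN interface name
mgmt_net     = "192.168.1.0/24"   # constructed: management subnet
webgui_ports = "{ 443, 80 }"      # assumption: ports the webGUI listens on

# "quick" makes the match final: no rule placed after it can override it,
# which is exactly the property the built-in anti-lockout rule provides.
pass in quick on $lan_if proto tcp from $mgmt_net to ($lan_if) port $webgui_ports keep state
pass in quick on $lan_if proto tcp from $mgmt_net to ($lan_if) port 22 keep state

# A later mistake no longer locks the admin out. Without "quick" on the
# rules above, pf's last-match-wins evaluation would let this rule win
# and block the webGUI along with everything else.
block in on $lan_if all
```

Parse-check a hand-written file with `pfctl -nf <file>` before loading it; the `-n` flag only validates the syntax and loads nothing.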

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.