Anti-Lockout Rule for WAN



  • Is there a way to create a non-deletable anti-lockout rule for the WAN interface?
    With an off-site installation, WAN access to the admin interface is more critical than the LAN side where only non-technical users might be located.



  • How about a VPN-account and then accessing the box from inside?

    btw. who of those non-technical users deletes your firewall-rules? :o



  • @chemlud:

    How about a VPN-account and then accessing the box from inside?

    btw. who of those non-technical users deletes your firewall-rules? :o

    The problem with the VPN account is that it's just as possible to kill/disable that as the firewall rules.
    The whole point of the anti-lockout rule is that it's quite difficult to delete.

    As for the non-technical users: e.g. types setting up POS systems or security cameras….
    ...they think they know what they are doing, and next thing you know...

    More pressing for me, however, is that I'm soon going live with a pfSense box that only has a WAN interface, and it sits halfway across the country from here in some colocation space. So if I make one stupid move, I'm going to be off-line and can get ready to buy myself a plane ticket, book hotel rooms and a rental car to go fix it...
    ...so since I must have access to the configuration interface over the WAN in any case, I'd rather have that access undeletable.



  • @rcfa:

    More pressing for me, however, is that I'm soon going live with a pfSense box that only has a WAN interface, and it sits halfway across the country from here in some colocation space. So if I make one stupid move, I'm going to be off-line and can get ready to buy myself a plane ticket, book hotel rooms and a rental car to go fix it…
    ...so since I must have access to the configuration interface over the WAN in any case, I'd rather have that access undeletable.

    I agree completely about trying to preserve your connection to a colocated box.

    One really nice thing about this forum is it's an excellent source for some top-notch talent. If you find yourself trying to fix the box in "Plan B" mode (i.e. road trip), it might be worth finding someone on the forum that's already in the same town as your colo space. The Bounty page could be cheaper/faster than going yourself.

    Just a thought, might give you a "Plan C"….



  • Get a box with IPMI?



  • @razzfazz:

    Get a box with IPMI?

    Not an option for price/power reasons. I just have a simple Intel Atom based system that doesn't support that. The typical server setup with IPMI would be total overkill here; would be nice though…



  • I'm just thinking loud.

    You can use a script that checks if the anti-lockout rule exists or not, adds it manually if not, and run this script every hour or day using the cron package.
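The check-and-restore script suggested above, as an added example that is not from the thread or from pfSense itself: it parses config.xml instead of grepping it, so a rule that exists but is disabled, or that is not a pass rule to the firewall itself on the GUI port, still counts as missing and gets re-added at the top of the WAN rules. Assumptions: the element layout mirrors pfSense's `<filter><rule>` config.xml format, the webGUI listens on 443, and the sample config and descriptor text are constructed.

```python
import xml.etree.ElementTree as ET
RULE_DESCR = "WAN anti-lockout (restored by cron)"  # constructed marker text
WEBGUI_PORT = "443"  # assumption: webGUI served on HTTPS/443
# Constructed sample: the only WAN admin rule is disabled, so a plain grep would be fooled.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><network>(self)</network><port>443</port></destination><descr>old</descr><disabled/></rule>
<rule><type>block</type><interface>wan</interface><source><any/></source><destination><any/></destination></rule>
</filter></pfsense>"""

def find_wan_admin_rule(root):
    """First enabled pass rule on wan that reaches the firewall itself on the GUI port, else None."""
    for rule in root.findall("./filter/rule"):
        if rule.find("disabled") is not None:  # present but disabled does not count
            continue
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        if rule.findtext("protocol") not in (None, "tcp", "tcp/udp"):  # None = any protocol
            continue
        dst = rule.find("destination")
        if dst is None:
            continue
        to_self = dst.find("any") is not None or dst.findtext("network") == "(self)"
        if to_self and dst.findtext("port") in (None, WEBGUI_PORT):  # None = any port
            return rule
    return None

def has_wan_admin_rule(xml_text):
    return find_wan_admin_rule(ET.fromstring(xml_text)) is not None

def build_wan_admin_rule():
    """Rule element in pfSense config.xml layout: pass tcp from any to (self) port 443 on wan."""
    rule = ET.Element("rule")
    for tag, text in (("type", "pass"), ("interface", "wan"), ("ipprotocol", "inet"),
                      ("protocol", "tcp"), ("descr", RULE_DESCR)):
        ET.SubElement(rule, tag).text = text
    ET.SubElement(ET.SubElement(rule, "source"), "any")
    dst = ET.SubElement(rule, "destination")
    ET.SubElement(dst, "network").text = "(self)"
    ET.SubElement(dst, "port").text = WEBGUI_PORT
    return rule

def ensure_wan_admin_rule(xml_text):
    """Return (changed, xml). The rule goes first because pfSense interface rules are first match."""
    root = ET.fromstring(xml_text)
    if find_wan_admin_rule(root) is not None:
        return False, xml_text
    root.find("filter").insert(0, build_wan_admin_rule())
    return True, ET.tostring(root, encoding="unicode")
```

Reading and writing the live /cf/conf/config.xml, clearing the cached parsed config under /tmp and reloading the filter are the cron job's responsibility and are deliberately left out of the block.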

