Netgate Discussion Forum

    Anti-Lockout Rule for WAN

Category: Problems Installing or Upgrading pfSense Software
7 Posts, 5 Posters, 2.4k Views
rcfa:

      Is there a way to create a non-deletable anti-lockout rule for the WAN interface?
      With an off-site installation, WAN access to the admin interface is more critical than the LAN side where only non-technical users might be located.

Guest:

        How about a VPN-account and then accessing the box from inside?

        btw. who of those non-technical users deletes your firewall-rules? :o

rcfa:

          @chemlud:

          How about a VPN-account and then accessing the box from inside?

          btw. who of those non-technical users deletes your firewall-rules? :o

The problem with the VPN account is that it's just as possible to kill/disable it as the firewall rules.
The whole point of the anti-lockout rule is that it's quite difficult to delete.

As for the non-technical users: e.g. the types setting up POS systems or security cameras...
...they think they know what they are doing, and next thing you know...

          More pressing for me, however, is that I'm soon going live with a pfSense box that only has a WAN interface, and it sits halfway across the country from here in some colocation space. So if I make one stupid move, I'm going to be off-line and can get ready to buy myself a plane ticket, book hotel rooms and a rental car to go fix it...
          ...so since I must have access to the configuration interface over the WAN in any case, I'd rather have that access undeletable.

divsys:

            @rcfa:

            More pressing for me, however, is that I'm soon going live with a pfSense box that only has a WAN interface, and it sits halfway across the country from here in some colocation space. So if I make one stupid move, I'm going to be off-line and can get ready to buy myself a plane ticket, book hotel rooms and a rental car to go fix it…
            ...so since I must have access to the configuration interface over the WAN in any case, I'd rather have that access undeletable.

            I agree completely about trying to preserve your connection to a colocated box.

One really nice thing about this forum is that it's an excellent source of some top-notch talent. If you find yourself trying to fix the box in "Plan B" mode (i.e. road trip), it might be worth finding someone on the forum who's already in the same town as your colo space. The Bounty page could be cheaper/faster than going yourself.

Just a thought; it might give you a "Plan C"...

            -jfp

razzfazz:

              Get a box with IPMI?

rcfa:

                @razzfazz:

                Get a box with IPMI?

Not an option for price/power reasons. I just have a simple Intel Atom-based system that doesn't support that. The typical server setup with IPMI would be total overkill here; it would be nice, though...

abyz:

I'm just thinking out loud.

You can use a script that checks whether the anti-lockout rule exists, adds it if not, and run this script every hour or day using the cron package.

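A cron-driven version of abyz's idea, added here as an example and not something posted in the thread: it checks pfSense's config.xml for a WAN rule by its description and re-creates the rule through pfSense's own PHP includes when it is missing. It assumes the pfSense 2.x-era PHP API (`$config`, `write_config()`, `filter_configure()`); the file paths, rule description and management source prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: cron job that checks whether a WAN admin rule
# is still in pfSense's config.xml and re-creates it when missing. Assumes the
# pfSense 2.x-era PHP API; paths, description and prefix are constructed placeholders.
CONF=/cf/conf/config.xml
DESCR="WAN admin anti-lockout (managed by cron)"
MGMT_NET="203.0.113.0/24"   # documentation prefix; use your real admin source net
WEBGUI_PORT=443

# rule_present FILE DESCR: exit 0 if a rule carrying DESCR exists, 1 otherwise.
# pfSense normally wraps descriptions in CDATA, so both spellings are tried.
rule_present() {
    grep -F -q "<descr><![CDATA[$2]]></descr>" "$1" ||
        grep -F -q "<descr>$2</descr>" "$1"
}

# add_rule: append a pass rule on WAN from MGMT_NET to the WebGUI port on the
# WAN address, via pfSense's PHP includes so config.xml stays consistent.
# Rules are first-match, so a block rule placed above this one would still win.
add_rule() {
    /usr/local/bin/php -q <<EOF
<?php
require_once("config.inc");
require_once("filter.inc");
global \$config;
\$config['filter']['rule'][] = array(
    'type'        => 'pass',
    'interface'   => 'wan',
    'ipprotocol'  => 'inet',
    'protocol'    => 'tcp',
    'source'      => array('address' => '$MGMT_NET'),
    'destination' => array('network' => 'wanip', 'port' => '$WEBGUI_PORT'),
    'descr'       => '$DESCR',
);
write_config("cron: restored WAN admin rule");
filter_configure();
EOF
}

# ensure_rule: the check-and-repair step cron runs; outcome is logged via syslog.
ensure_rule() {
    if rule_present "$CONF" "$DESCR"; then
        logger -t wan-admin-check "rule present"
    else
        logger -t wan-admin-check "rule missing, restoring"
        add_rule
    fi
}
# crontab entry (hourly): 0 * * * * /bin/sh /root/wan_admin_check.sh run
if [ "${1:-}" = "run" ]; then ensure_rule; fi
```

Restricting the source to a management prefix rather than "any" keeps the WebGUI reachable for recovery without exposing it to the whole internet.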
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.