How to prevent access to management interface from WLAN and DMZ?



  • I have three subnets isolated from each other by firewall rules:

    LAN 192.168.1.1/24
    WLAN 192.168.2.1/24
    DMZ 192.168.3.1/24

I want only computers on the LAN subnet to be able to access the pfSense management interface. Now this can be reached from each subnet by https://192.168.x.1 (x = 1,2,3). Do I have to create additional block rules for WLAN and DMZ to prevent access or is there a better solution?



  • Block rule on WLAN and DMZ is probably the easiest.  Just block them talking to LAN Address.



  • @KOM:

    Block rule on WLAN and DMZ is probably the easiest.  Just block them talking to LAN Address.

    It doesn't seem to work. On the DMZ interface I created a block rule (Source DMZ, Destination LAN Address). I'm still able to ping 192.168.3.1 from DMZ.


  • LAYER 8 Netgate

    That's because you didn't block access to DMZ Address - you blocked access to LAN address

    Here's what I might do:

    LAN 192.168.1.1/24
    WLAN 192.168.2.1/24
    DMZ 192.168.3.1/24

    Create a port alias called admin_ports.  Include tcp/80, tcp/443, tcp/22, and whatever you use.
    Create a network alias containing all your interface addresses, say:

    admin_addresses
    192.168.1.1/32
    192.168.2.1/32
    192.168.3.1/32

    Interface DMZ
    block source DMZ net dest admin_addresses ports admin_ports

    Don't forget your WAN address(es)
    block source DMZ net dest WAN address ports admin_ports

    Then pass whatever traffic you want.  For a DMZ you probably also want to block traffic to LAN and WLAN so it'd look something like this:

    Interface DMZ

    block source DMZ net dest admin_addresses ports admin_ports
    block source DMZ net dest WAN address ports admin_ports
    block source DMZ net dest LAN net port any
    block source DMZ net dest WLAN net port any
    pass any any any

    Note that LAN address is included in LAN net so some of these rules are somewhat redundant.



  • @Derelict:

    That's because you didn't block access to DMZ Address - you blocked access to LAN address

    Here's what I might do:

    LAN 192.168.1.1/24
    WLAN 192.168.2.1/24
    DMZ 192.168.3.1/24

    Create a port alias called admin_ports.  Include tcp/80, tcp/443, tcp/22, and whatever you use.
    Create a network alias containing all your interface addresses, say:

    admin_addresses
    192.168.1.1/32
    192.168.2.1/32
    192.168.3.1/32

    Interface DMZ
    block source DMZ net dest admin_addresses ports admin_ports

    Don't forget your WAN address(es)
    block source DMZ net dest WAN address ports admin_ports

    Then pass whatever traffic you want.  For a DMZ you probably also want to block traffic to LAN and WLAN so it'd look something like this:

    Interface DMZ

    block source DMZ net dest admin_addresses ports admin_ports
    block source DMZ net dest WAN address ports admin_ports
    block source DMZ net dest LAN net port any
    block source DMZ net dest WLAN net port any
    pass any any any

    Note that LAN address is included in LAN net so some of these rules are somewhat redundant.

    Looks like a good solution to the problem. I have created the aliases but when I try "Interface DMZ
    block source DMZ net dest admin_addresses ports admin_ports" I find no option to specify the ports. I use "Single host or alias" but I can find no place to fill in the alias for the ports.


  • LAYER 8 Netgate

    Change the port to other and put an alias in the box.



  • @Derelict:

    Change the port to other and put an alias in the box.

    I'm sorry. I can't find that box. In the "destination" field I have;

    any
    Single host or alias
    PPTP clients
    PPPoE clients
    L2TP clients
    WAN net
    WAN address
    LAN net
    LAN address
    DMZ net
    DMZ address

    Strange….


  • LAYER 8 Netgate

    No. In the port.  Select other and you can type an alias in the box to the right.



  • @Derelict:

    No. In the port.  Select other and you can type an alias in the box to the right.

    Under the "Destination" field there is a "Log" field. I search like crazy for a "Port" field but I'm unable to find it. Something is wrong. I'm doing this on the DMZ interface. Hmm…


  • LAYER 8 Netgate

    Sorry.  You have to set the protocol to TCP.



  • @Derelict:

    No. In the port.  Select other and you can type an alias in the box to the right.

    Wait! "Destination port range" appeared when I selected TCP under Protocol. Is TCP correct?



  • @Derelict:

    Sorry.  You have to set the protocol to TCP.

    Ok, I found out by myself  :)



  • It looks like it is working. I did the same on the WLAN interface. I can ping 192.168.2.1 from WLAN but I can't access the management interface. Is this enough to prevent access? Can other ports than I specified in "admin ports" (80, 443, 22) be used to access the management interface?


  • LAYER 8 Netgate

    No.  It listens on tcp/443 unless you change it.

    It also redirects from http://:80 to https://:443 unless you disable it.

    SSH listens on 22 if you enable it and don't change the port.

    If you're concerned about more than the management interface, then forget about blocking to the admin_ports and, instead, pass what you want (like ICMP and DNS) and block everything else.

    Like:

    pass TCP/UDP source DMZ net dest admin_addresses port 53 #Allow DNS
    pass ICMP source DMZ net dest admin_addresses  # Allow pings to DMZ address
    pass ICMP source DMZ net dest WAN Address # Allow pings to WAN address
    block any source DMZ net dest admin_addresses any #Block everything else to DMZ address
    block any source DMZ net dest WAN address any # Block everything else to WAN address
    pass any any any any #Pass everything else.
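To make the first-match behaviour behind both rulesets concrete (the earlier admin_ports block list and this pass/block allow-list), here is an added Python model of how pfSense evaluates an interface's rules top-down; it is not pfSense code or anything posted in the thread. The topology is the one from the thread, the WAN address 203.0.113.2 is an assumed placeholder, and the SELF list is my own stand-in for "every firewall address" (what jimp later describes as the 2.2 "(self)" target).

```python
import ipaddress
# Constructed topology from the thread; the WAN address is an assumed placeholder.
IFACES = {"LAN": "192.168.1.1/24", "WLAN": "192.168.2.1/24",
          "DMZ": "192.168.3.1/24", "WAN": "203.0.113.2/24"}
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def net(iface):      # "<iface> net": the whole subnet behind that interface
    return ipaddress.ip_network(IFACES[iface], strict=False)

def address(iface):  # "<iface> address": the firewall's own IP on that interface
    return ipaddress.ip_network(IFACES[iface].split("/")[0])

ALIASES = {"admin_addresses": [address("LAN"), address("WLAN"), address("DMZ")],
           "admin_ports": {80, 443, 22}}

def rule(action, proto, src, dst, ports=None):
    # proto is "any" or a set of names; src/dst are lists of networks; ports None = any
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def matches(r, proto, src_ip, dst_ip, dport):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return ((r["proto"] == "any" or proto in r["proto"])
            and any(s in n for n in r["src"]) and any(d in n for n in r["dst"])
            and (r["ports"] is None or dport in r["ports"]))

def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """pfSense evaluates an interface's rules top-down and the first match wins;
    a packet matching no rule hits the implicit default deny."""
    for r in rules:
        if matches(r, proto, src_ip, dst_ip, dport):
            return r["action"]
    return "block"
# The poster's first attempt: it blocks "LAN address", so the DMZ address stays reachable.
FIRST_ATTEMPT = [rule("block", "any", [net("DMZ")], [address("LAN")]),
                 rule("pass", "any", ANY, ANY)]

# Derelict's corrected DMZ ruleset: admin ports blocked to every firewall address.
DMZ_RULES = [
    rule("block", {"tcp"}, [net("DMZ")], ALIASES["admin_addresses"], ALIASES["admin_ports"]),
    rule("block", {"tcp"}, [net("DMZ")], [address("WAN")], ALIASES["admin_ports"]),
    rule("block", "any", [net("DMZ")], [net("LAN")]),
    rule("block", "any", [net("DMZ")], [net("WLAN")]),
    rule("pass", "any", ANY, ANY)]

# The allow-list variant; SELF stands in for every firewall address (the 2.2 "(self)" macro).
SELF = ALIASES["admin_addresses"] + [address("WAN")]
ALLOWLIST_RULES = [
    rule("pass", {"tcp", "udp"}, [net("DMZ")], ALIASES["admin_addresses"], {53}),
    rule("pass", {"icmp"}, [net("DMZ")], SELF),
    rule("block", "any", [net("DMZ")], SELF),
    rule("pass", "any", ANY, ANY)]
```

Running `evaluate(FIRST_ATTEMPT, "icmp", "192.168.3.50", "192.168.3.1")` reproduces the "I can still ping 192.168.3.1" result, while the same packet against DMZ_RULES still passes but tcp/443 to any firewall address is blocked.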



  • @Derelict:

    No.  It listens on tcp/443 unless you change it.

    It also redirects from http://:80 to https://:443 unless you disable it.

    SSH listens on 22 if you enable it and don't change the port.

    If you're concerned about more than the management interface, then forget about blocking to the admin_ports and, instead, pass what you want (like ICMP and DNS) and block everything else.

    Like:

    pass TCP/UDP source DMZ net dest admin_addresses port 53 #Allow DNS
    pass ICMP source DMZ net dest admin_addresses  # Allow pings to DMZ address
    pass ICMP source DMZ net dest WAN Address # Allow pings to WAN address
    block any source DMZ net dest admin_addresses any #Block everything else to DMZ address
    block any source DMZ net dest WAN address any # Block everything else to WAN address
    pass any any any any #Pass everything else.

    Thanks for helping me! I use the block rules you mentioned before to isolate WLAN and DMZ; the only weakness I'm aware of was the exposed management interfaces. What about IPv6? Do I have to make separate block rules for that as well?


  • LAYER 8 Netgate

    Yes.  Here are the caveats for creating single rules for both IPv4+IPv6:

    You can not assign a gateway to a rule that applies to IPv4 and IPv6
    You can not assign a protocol other than ICMP, TCP, UDP or TCP/UDP to a rule that applies to IPv4 and IPv6

    That protocol caveat means no "any".

    Looks like you might be able to change some of them to cover both stacks.



  • @Derelict:

    Don't forget your WAN address(es)
    block source DMZ net dest WAN address ports admin_ports

    For some reason I did not consider access to management interface from DMZ -> WAN at all. Is that even possible?


  • LAYER 8 Netgate

    Yes.  It's easily overlooked.


  • Rebel Alliance Developer Netgate

    @Ip:

    @Derelict:

    Don't forget your WAN address(es)
    block source DMZ net dest WAN address ports admin_ports

    For some reason I did not consider access to management interface from DMZ -> WAN at all. Is that even possible?

    @Derelict:

    Yes.  It's easily overlooked.

    On 2.2 this is easier as you can have a rule that has "(self)" as a target which is an internal pf Macro that means "any IP address on the firewall"



  • @jimp:

    @Ip:

    @Derelict:

    Don't forget your WAN address(es)
    block source DMZ net dest WAN address ports admin_ports

    For some reason I did not consider access to management interface from DMZ -> WAN at all. Is that even possible?

    @Derelict:

    Yes.  It's easily overlooked.

    On 2.2 this is easier as you can have a rule that has "(self)" as a target which is an internal pf Macro that means "any IP address on the firewall"

    Good to know. I'm looking forward to 2.2 and the new book :)

