    PFsense web admin interface reachable from www, HELP!

      Mithrondil last edited by

      I just realized that my pfsense admin interface can be accessed from www by any would-be intruder that knows my WAN IP.

      I need to fix this ASAP, can anyone help me?

        Derelict LAYER 8 Netgate last edited by

        Delete the firewall rule on your WAN interface that allows the traffic.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Mithrondil last edited by

          Does this look ok?

          ![admin interface from WAN.jpg](/public/imported_attachments/1/admin interface from WAN.jpg)

            Mithrondil last edited by

            I just checked, the admin interface is still accessible from WAN with the above WAN rules :(

              Derelict LAYER 8 Netgate last edited by

              Shouldn't be.  Are you sure you're seeing what you think you're seeing?  PM me your outside address.

                Mithrondil last edited by

                PM sent.

                  cmb last edited by

                  It's not reachable by WAN with that config unless you have floating rules allowing it. Guessing you're probably trying from inside your network to your WAN IP, which isn't a valid test since that hits your LAN rules, not WAN.

                    Derelict LAYER 8 Netgate last edited by

                    Yeah.  It's not accessible from the outside.

                      Mithrondil last edited by

                      Step 1:
                      I disconnected from my home Wi-Fi network with my mobile phone and started using the public mobile network.

                      Step 2:
                      I typed in my WAN address in the mobile phone web browser window and I got the pfsense login window.

                      ![admin interface from WAN2.1.jpg](/public/imported_attachments/1/admin interface from WAN2.1.jpg)

                        cmb last edited by

                        Assuming your WAN IP is probably the IP you're posting here from, no, it's not open, as Derelict confirmed. Guessing you weren't disconnected from wireless, or have a VPN into your network. Or your browser cached the login page and doesn't care whether it can still reach it.

                          Derelict LAYER 8 Netgate last edited by

                          Or the mobile phone provider cached it…

                          $ openssl s_client -connect 85.X.X.X:443
                          connect: Operation timed out
                          connect:errno=60
                          $ openssl s_client -connect 85.X.X.Y:443
                          connect: Operation timed out
                          connect:errno=60

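Added example, not part of any post in this thread: a small checker for your own WAN address that separates the three outcomes the replies turn on (handshake completes, connection refused, silent timeout as in the `openssl s_client` output above). The script name, function names and the choice of ports 443 and 80 are assumptions made for this example, and it only gives a valid answer when run from a host that is really outside the network, since a test from the LAN hits the LAN rules.

```python
import socket
import sys

# Assumed webGUI ports: 443 is the port probed in the thread; 80 is added
# here as an assumption because the GUI can also be served over plain HTTP.
ADMIN_PORTS = (443, 80)


def probe(host, port, timeout=5.0):
    """Classify a single TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something answers
    except ConnectionRefusedError:
        return "closed"            # RST came back: reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"          # silently dropped, like the timeouts above
    except OSError:
        return "unreachable"       # no route, name resolution failure, etc.


def check_admin_ports(host, ports=ADMIN_PORTS, timeout=5.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """True if any probed port completed a TCP handshake."""
    return any(state == "open" for state in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_check.py <WAN address>  (run from an outside host)")
    results = check_admin_ports(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{sys.argv[1]}:{port} -> {state}")
    # Non-zero exit status when a port answered, so the check can be scripted.
    sys.exit(1 if exposed(results) else 0)
```

A "filtered" result on every port matches the timeouts shown above; an "open" result from a genuinely external host means a WAN or floating rule is passing the traffic.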