Anti-lockout rule too promiscuous?

  • I noticed that I could get into the webgui from the WLAN via the anti-lockout rule on the LAN. This is because the source in this rule is "*".

    I am aware of the standard way to restrict access to the webgui mentioned in the pfsense book. I'd rather not go to that extent; what I really want is to leave the anti-lockout rule in there but restrict the source to "LAN net" so that I can take any old computer and hook it up physically to the LAN to get the webgui. So this would be an intermediate level of security between the current default and the method in the book.

    Of course I tried to edit the anti-lockout rule directly, but that didn't work too well.  :P

    I suppose that making such a change would make it impossible to SSH in to the webgui, but my guess is that people who are going to use SSH are probably going to disable the anti-lockout rule anyway. It seems to me the people keeping this rule in the set would appreciate it being a bit tighter than it is now, or at least the ability to make it tighter by directly editing it (in my opinion the latter is the less desirable course because the default is really for newbies, eh?).

    Am I missing something here? Is there a way to tighten up this rule a bit, that I have missed? I suppose, just make a parallel rule and disable the default, but still the default seems too promiscuous.

  • Banned

    That's not the rule that is applied. You need a rule on your WLAN, not LAN.

  • LAYER 8 Global Moderator

    huh??  So is your wlan on same interface as your lan?

    There is no anti-lockout rule on your wlan interface. So if you don't want users from wlan getting to your web gui, put in a rule on that interface to not allow access.

  • I've never encountered  "too promiscuous" before…

    Back to firewalls... I agree with johnpoz and doktornotor.

  • Sorry about not providing more context. I'm not a whiz at this stuff.

    My WLAN and LAN are different interfaces.

    I did of course start out with a rule on WLAN preventing access from "WLAN net" to "WLAN address", but found I could still get into the webgui. My conjecture was that it was happening through the LAN anti-lockout rule. Perhaps I jumped to the wrong conclusion? Anyway I can get into the webgui from my WLAN, which is something I don't want.

    Oh, I recall I checked my conjecture by adding a rule on WLAN preventing access from "WLAN net" to "LAN address", which stopped the access.

  • Just in case this is not clear, I got my laptop on the WLAN, and in the browser entered not the pfsense "WLAN address" (which I had already blocked anyway), but the pfsense "LAN address". That got me into the webgui.

  • Banned

    This must be on the interface where the traffic first hits the firewall, i.e. WLAN in your case.

  • Ah, "This firewall". I was scratching my head for a minute until I found out that was a 2.2 addition - I just got on 2.2 yesterday. Anyway I tried it, and it does the trick, better than calling it out for each interface.
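The outcome of the thread, written out in pf.conf syntax as an added illustration (this is not the ruleset pfSense itself generates; the interface name, subnet and WebGUI ports below are assumptions):

```pf
# Constructed example in pf.conf syntax; em1 and 192.168.2.0/24 are assumed.
wlan_if  = "em1"
wlan_net = "192.168.2.0/24"

# The rule that did NOT stop WebGUI access. ($wlan_if) expands only to the
# firewall's own WLAN address, so a client aiming at the LAN address is not
# matched, even though its packets enter on the WLAN interface.
block return in quick on $wlan_if proto tcp from $wlan_net to ($wlan_if) port { 80 443 }

# The rule that does. It is placed on the interface the traffic first hits
# (WLAN), and 'self' is pf's equivalent of the "This firewall" alias: it
# expands to every address the firewall holds, LAN address included.
# Ports 80/443 are the assumed WebGUI ports; adjust if yours differ.
block return in quick on $wlan_if proto tcp from $wlan_net to self port { 80 443 }

# Everything else from the WLAN stays allowed. The anti-lockout rule lives on
# the LAN interface and never evaluates WLAN-originated packets, so it is not
# what let the laptop in; the WLAN interface simply had no rule denying it.
pass in quick on $wlan_if from $wlan_net to any
```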
