WebConfigurator



  • Is it possible to disable the webConfigurator on the WAN interface? If so, what steps are needed to complete this? I do wish to keep it open on the LAN interface.



  • For the LAN side you don't have to do anything; there is a default anti-lockout rule on the LAN rules list, right on top.

    For the WAN side add a rule to block or drop any connections to port 80 (and port 22 if you also need to drop SSH connections)…

    Put the rule right on top of your WAN rules list.



  • And by default all incoming connection attempts on WAN are blocked anyway. If your Firewall Rules WAN tab is empty, then there is no webConfigurator access from WAN side.


  •

    Phil, enter into your browser

    https://YOUR.pfsense.WAN.IP

    from the LAN or OPT1 or whatever… ;-)



  • That is accessing the WAN IP from the LAN network. That works because the firewall rule/s on LAN allow everything. Ordinary rules in pfSense are processed on the interface on which the initiating traffic arrives. The LAN rule lets LAN users go to anywhere, e.g. HTTPS port on any public IP, and if that public IP is yours or someone else's it makes no difference to pfSense.

    But you cannot access anything by starting a connection from the WAN side (out on the big bad internet).

    If you want to stop the LAN side clients from accessing the webGUI then you have to put some appropriate blocking rules in place on LAN - remembering to block access to destination webGUI on all interfaces.


  •

    To me this "feature" is absolutely counter-intuitive. If you want to block access to the pfsense from a local net, e.g. OPT1 or LAN, completely, I guess lots of people miss this point. It should be locked from the very beginning (GUI not listening on the WAN IP until further notice).



  • @2chemlud:

    To me this "feature" is absolutely counter-intuitive. If you want to block access to the pfsense from a local net, e.g. OPT1 or LAN, completely, I guess lots of people miss this point. It should be locked from the very beginning (GUI not listening on the WAN IP until further notice).

    Yeah, there has been discussion about this before.
    People might try:

    1. Add a separate management OPT1 interface with pass all.
    2. On the workplace LAN delete the anti-lockout rule, put a block rule at the top that blocks anything to destination LAN IP (thus blocking webGUI, SSH…)
    3. Have effectively pass all on LAN after that

    They think they have blocked webGUI access from LAN, but actually LAN users can get to webGUI on WAN IP or OPT1 IP.

    In pfSense 2.2 there is "This Firewall (self)" that can be used in rules (e.g. as destination for a block). Using that will block out all webGUI access on all interfaces.
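    The following is an added example, not code from the thread or from pfSense itself. It is a small Python model of the rule-evaluation behaviour described in the replies above: rules are evaluated first-match on the interface where the initiating traffic arrives, an empty WAN rule set falls through to the default deny, and a LAN block rule whose destination is only "LAN address" still lets LAN clients reach the webGUI on the WAN or OPT1 address, whereas a destination of "This Firewall (self)" covers every interface address. The interface addresses, rule names and port list are constructed for the demonstration; the "LAN address" and "This Firewall (self)" destination names are the ones the thread refers to, but the matching logic here is an approximation of pfSense, not its implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed interface addresses (documentation ranges; not real addresses)
IFACE_ADDR = {"WAN": "203.0.113.10", "LAN": "192.168.1.1", "OPT1": "10.10.0.1"}

# Constructed management ports: webConfigurator HTTP/HTTPS and SSH
MGMT_PORTS = (80, 443, 22)


@dataclass
class Rule:
    iface: str              # interface on which the initiating packet arrives
    action: str             # "pass" or "block"
    dst: str                # "any", "<IFACE> address", "This Firewall (self)" or an IP
    dport: Optional[int] = None  # None matches any destination port
    name: str = ""


def dst_matches(rule_dst: str, dst_ip: str) -> bool:
    """Approximate pfSense destination aliases for a single-IP destination."""
    if rule_dst == "any":
        return True
    if rule_dst == "This Firewall (self)":
        # the firewall's own address on every interface
        return dst_ip in IFACE_ADDR.values()
    if rule_dst.endswith(" address"):
        # "LAN address", "WAN address", ... -> only that one interface's IP
        return dst_ip == IFACE_ADDR[rule_dst.split()[0]]
    return rule_dst == dst_ip


def evaluate(rules: List[Rule], in_iface: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation on the inbound interface; unmatched traffic is denied."""
    for r in rules:
        if r.iface != in_iface:
            continue
        if not dst_matches(r.dst, dst_ip):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.name
    return "block", "default deny"


# Scenario from the thread: anti-lockout removed, block to "LAN address", then pass all.
NAIVE_LAN_RULES = [
    Rule("LAN", "block", "LAN address", None, "block webGUI on LAN IP"),
    Rule("LAN", "pass", "any", None, "pass all"),
]

# Same idea using the "This Firewall (self)" destination instead.
SELF_BLOCK_LAN_RULES = [
    Rule("LAN", "block", "This Firewall (self)", None, "block webGUI on every firewall IP"),
    Rule("LAN", "pass", "any", None, "pass all"),
]

# An empty WAN tab, as the reply about default-deny describes.
WAN_RULES: List[Rule] = []


def reachable_gui_targets(rules: List[Rule], in_iface: str) -> List[str]:
    """Interfaces whose webGUI/SSH ports a client on in_iface can still reach."""
    return sorted(
        name for name, ip in IFACE_ADDR.items()
        if any(evaluate(rules, in_iface, ip, p)[0] == "pass" for p in MGMT_PORTS)
    )


if __name__ == "__main__":
    print("naive LAN ruleset still reaches:", reachable_gui_targets(NAIVE_LAN_RULES, "LAN"))
    print("self-block LAN ruleset reaches:", reachable_gui_targets(SELF_BLOCK_LAN_RULES, "LAN"))
    print("empty WAN ruleset, HTTPS to WAN IP:", evaluate(WAN_RULES, "WAN", IFACE_ADDR["WAN"], 443))
```

Running it shows the gap the replies describe: the naive ruleset blocks only the LAN address, so the WAN and OPT1 addresses remain reachable from LAN, while the "This Firewall (self)" destination blocks all three and the empty WAN tab denies an inbound HTTPS attempt to the WAN address by default.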

