Netgate Discussion Forum
    Limiting web access to SSH port forwarding stopped working in 2.2.2

    General pfSense Questions
    bgeneto

      Until pfSense 2.2.1 I was able to restrict webGUI access to ssh only via port forwarding by following the guide available here:

      https://doc.pfsense.org/index.php/Limiting_access_to_web_interface

      Unfortunately, after upgrading to pfSense 2.2.2 and changing "server.bind" to "127.0.0.1" in "/etc/inc/system.inc" I lost access to the webGUI.
      Interestingly, if I log in to pfSense via ssh and change "server.bind" back to "0.0.0.0" (save and restart), then the port forward starts to work again, but obviously the webGUI is then accessible worldwide (I'm deploying pfSense solely as a router; firewall and NAT are disabled). Any help is welcome.

      cmb

        If you disable the firewall, your port forwards won't do anything. That's always been the case. Disabling the filter disables all NATing ability which includes port forwards.

        bgeneto

          Sorry for the misunderstanding… I meant an ssh local port forward (or ssh tunnel), not a pfSense port forward. The procedure is exactly the same as detailed in the pfSense docs link above. At first it appeared to me that v2.2.2 had some regression and that the referenced procedure (i.e. binding the webGUI to localhost only) didn't work anymore. But that's not the case. I figured out that this time there was another thing I had to change in order to bind webGUI access to 127.0.0.1, and that was to explicitly set the port in "/etc/inc/system.inc"; after that, webGUI access through the ssh tunnel in v2.2.2 worked like a charm. Sorry for the inconvenience and thanks for this wonderful software!

          cmb

            The process is similar, though not quite exactly the same, in 2.2.x's services.inc. Two lines to change there for IPv4:

            $lighty_config .= "server.bind  = \"0.0.0.0\"\n";
            $lighty_config .= "\$SERVER[\"socket\"]  == \"0.0.0.0:{$lighty_port}\" { }\n";
            

            Change 0.0.0.0 to 127.0.0.1 in both. Then, after making those changes in services.inc, run /etc/rc.restart_webgui to reload. Check the output of "sockstat -4" and "sockstat -6" afterwards to confirm its IPv4 and IPv6 bindings.

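The two-step procedure in cmb's reply (rewrite the two bind lines, then verify with sockstat) is the kind of thing worth scripting so the check is repeatable after every upgrade. The script below is an added example written for this thread; it is not pfSense project code and not anything cmb or bgeneto posted. It assumes a FreeBSD-style sockstat column layout (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) and that the web server process is named lighttpd, as in the thread. The services.inc lines and the sockstat output embedded in it are constructed samples, not captured from a real box. `rewrite_webgui_bind` prints a rewritten copy of a services.inc-style file to stdout rather than editing in place, so you can diff it against the original before copying it over; `webgui_exposed` reports any lighttpd listener on the given port that is bound to something other than a loopback address.

```shell
#!/bin/sh
# Added example for the pfSense "bind webGUI to localhost" procedure.
# Not pfSense project code; sample data below is constructed.

# rewrite_webgui_bind <file>
# Prints <file> with 0.0.0.0 replaced by 127.0.0.1 on the two lighttpd
# lines cmb names: the server.bind line and the $SERVER["socket"] line.
# Other lines that happen to contain 0.0.0.0 are left alone.
rewrite_webgui_bind() {
    sed -e '/server\.bind/s/0\.0\.0\.0/127.0.0.1/' \
        -e '/SERVER\[/s/0\.0\.0\.0/127.0.0.1/' "$1"
}

# webgui_exposed <sockstat-output> <port>
# Prints every lighttpd LOCAL ADDRESS on <port> that is not loopback-bound
# and returns 1 if any was found; returns 0 when only 127.0.0.1/::1 listen.
# Feed it the real "sockstat -4" / "sockstat -6" output on a pfSense box.
webgui_exposed() {
    out=$1
    port=$2
    rc=0
    # Skip the header row, keep lighttpd rows, take the local address
    # column, and compare the part after the last ':' with the port.
    for addr in $(printf '%s\n' "$out" | awk -v p="$port" '
        NR > 1 && $2 == "lighttpd" {
            n = split($6, parts, ":")
            if (parts[n] == p) print $6
        }'); do
        case "$addr" in
            127.0.0.1:*|::1:*) ;;   # loopback only: reachable via ssh tunnel
            *) printf 'exposed listener: %s\n' "$addr"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sockstat sample: HTTPS is loopback-only on v4 and v6, but an
# HTTP listener is still wildcard-bound (the "before" state cmb describes).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   4242  4  tcp4   127.0.0.1:443         *:*
root     lighttpd   4242  5  tcp6   ::1:443               *:*
root     sshd       1234  3  tcp4   *:22                  *:*
root     lighttpd   4242  6  tcp4   *:80                  *:*'

# Stand-alone demo against the constructed sample.
for p in 443 80; do
    if webgui_exposed "$SAMPLE_SOCKSTAT" "$p"; then
        echo "port $p: loopback only"
    else
        echo "port $p: still reachable from the network; fix services.inc and rerun /etc/rc.restart_webgui"
    fi
done
```

On the box itself, the intended flow is `rewrite_webgui_bind /etc/inc/services.inc > /tmp/services.inc.new`, review the diff, copy it into place, run `/etc/rc.restart_webgui`, then pass `"$(sockstat -4; sockstat -6)"` to `webgui_exposed` for each port the GUI uses. Note that `sed -i` is deliberately avoided because its syntax differs between BSD and GNU sed.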
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.