Limiting web access to SSH port forwarding stopped working in 2.2.2



  • Until pfsense 2.2.1 I was able to restrict webgui access to ssh only via port forwarding by following the guide available here:

    https://doc.pfsense.org/index.php/Limiting_access_to_web_interface

    Unfortunately, after upgrading to pfsense 2.2.2 and changing "server.bind" to "127.0.0.1" in "/etc/inc/system.inc" I lost access to the webgui.
    Interestingly, if I log in to pfSense via ssh and change "server.bind" back to "0.0.0.0" (save and restart), then the port forward starts to work again, but obviously the webgui is then accessible worldwide (I'm deploying pfSense solely as a router; firewall and NAT are disabled). Any help is welcome.



  • If you disable the firewall, your port forwards won't do anything. That's always been the case. Disabling the filter disables all NATing ability which includes port forwards.



  • Sorry for the misunderstanding… I meant an ssh local port forward (or ssh tunnel), not a pfSense port forward. The procedure is exactly the same as detailed in the mentioned pfSense docs link. At first it appeared to me that v2.2.2 had some regression and that the referenced procedure (i.e. binding the webgui to localhost only) didn't work anymore, but that's not the case. I figured out that this time there was another thing I had to change in order to bind webgui access to 127.0.0.1, and that was to explicitly set the port in "/etc/inc/system.inc"; after that, webgui access through the ssh tunnel in v2.2.2 worked like a charm. Sorry for the inconvenience and thanks for this wonderful software!



  • The process is similar, though not quite exactly the same, in 2.2.x's services.inc. There are two lines to change there for IPv4:

    $lighty_config .= "server.bind  = \"0.0.0.0\"\n";
    $lighty_config .= "\$SERVER[\"socket\"]  == \"0.0.0.0:{$lighty_port}\" { }\n";
    

    Change 0.0.0.0 to 127.0.0.1 in both. Then, after making those changes in services.inc, run /etc/rc.restart_webgui to reload. Check the output of "sockstat -4" and "sockstat -6" to verify its IPv4 and IPv6 bindings afterwards.
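The procedure in the reply above, scripted as an added example (this is not code from the forum post or from pfSense itself): one function rewrites the two IPv4 bind lines in a copy of services.inc, and a second one reads "sockstat -4" / "sockstat -6" output and only succeeds when every lighttpd TCP listener is on 127.0.0.1 or ::1. The file path, the webGUI port, the sockstat column layout and the sample lines used for the demo are assumptions; the IPv6 bind lines are left alone, as in the post.

```shell
#!/bin/sh
# Added example, not code from the forum post or from pfSense itself.
# It scripts the procedure from the reply above: flip the two IPv4
# lighttpd bind lines in services.inc from 0.0.0.0 to 127.0.0.1, then
# confirm from sockstat output that lighttpd listens on loopback only.
# The file path, the webGUI port and the sockstat samples are assumptions.

# Rewrite only the two lines that carry the IPv4 bind address
# (the "server.bind" line and the $SERVER["socket"] line).
# Goes through a temp file so it works with both BSD and GNU sed.
bind_webgui_to_loopback() {
    f="$1"
    sed -e '/server\.bind/s/0\.0\.0\.0/127.0.0.1/' \
        -e '/SERVER\[/s/0\.0\.0\.0/127.0.0.1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Read "sockstat -4" or "sockstat -6" output on stdin. Exit 0 only if at
# least one lighttpd TCP listener exists and every one of them is bound
# to 127.0.0.1 or ::1; anything on *:port or an interface address fails.
# Assumed column layout: USER COMMAND PID FD PROTO LOCAL FOREIGN.
lighttpd_listens_only_on_loopback() {
    awk '$2 == "lighttpd" && $5 ~ /^tcp/ {
             n++
             if ($6 !~ /^(127\.0\.0\.1|::1):/) bad++
         }
         END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Demo against a constructed copy of the two lines from the post, so
# nothing live is touched when this file is run as-is.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        '$lighty_config .= "server.bind  = \"0.0.0.0\"\n";' \
        '$lighty_config .= "\$SERVER[\"socket\"]  == \"0.0.0.0:{$lighty_port}\" { }\n";' > "$tmp"
    bind_webgui_to_loopback "$tmp"
    cat "$tmp"          # both lines now read 127.0.0.1
    rm -f "$tmp"
}
demo

# On the firewall itself (assumed paths, as in the post):
#   cp /etc/inc/services.inc /root/services.inc.bak
#   bind_webgui_to_loopback /etc/inc/services.inc
#   /etc/rc.restart_webgui
#   sockstat -4 | lighttpd_listens_only_on_loopback && echo "IPv4: loopback only"
#   sockstat -6 | lighttpd_listens_only_on_loopback && echo "IPv6: loopback only"
# Then from the admin workstation (443 assumed as the webGUI port):
#   ssh -L 8443:127.0.0.1:443 admin@<firewall>   and browse https://127.0.0.1:8443/
```

Run the sockstat check for both address families after the restart: the post only changes the IPv4 lines, so "sockstat -6" is where a listener that is still wide open would show up.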

