Disabling pfSense web UI on WAN (entered from LAN) and other VLANs
-
So a while back I saw a video on DNS rebinding attacks, and the guy in the video tried to boil it down to: if you can reach the web GUI from your LAN by typing in your WAN address (instead of the gateway IP), then you are vulnerable. This currently works for me (I can reach the web UI login from a desktop on the LAN using my public IP).
So my questions are:
1.) Am I truly vulnerable, and if so, how do I prevent it?
2.) How do I block access to the web UI from other VLANs? I'd like it to only be accessible from the management VLAN, and not the general LAN or my wireless VLAN. Currently I can pull up the login from all VLANs by typing each VLAN's gateway IP in.
Thanks for any help!
-
Why would you open up your WAN ports... DON'T.
Block it with destination: This Firewall.
And another suggestion is to disable the redirect and run the webGUI on a different port.
-
The only ports open on my WAN are for services I'm using (SSH/FTP/HTTP/Torrents, etc).
I'm thinking you didn't quite understand what I was trying to say.
If I browse to http://My-Public-IP from outside my home I do not get access to the pfSense web UI. It only happens when browsing to the public IP from within the LAN.
-
You could use an explicit rule allowing:
IPv4 TCP from LAN net * to LAN address ports 80, 443
-
So block those VLANs from accessing the firewall IPs on the management ports, 22, 80, 443, etc.
What do the rules look like on the VLANs you don't want to access your web GUI from?
So, for example, my guest WLAN is locked down to only be able to ping the firewall on the interface in that VLAN. And it cannot access any other VLANs either, with the allow rule that says ! (not) my other local networks in that alias.
-
As already noted above, you should block access to "This Firewall" management ports.
-
Pass traffic on This Firewall (self) that you want people to be able to access (like DNS), then reject any other traffic to This Firewall (self).
-
The only ports open on my WAN are for services I'm using (SSH/FTP/HTTP/Torrents, etc).
I'm thinking you didn't quite understand what I was trying to say.
No, I do understand... you don't understand.
-
Maybe I'm truly misunderstanding something obvious, and if so I apologize profusely. But all the methods above seem to me to address blocking access to the web UI in and of itself, which is perfect for restricting certain VLANs. But on some VLANs I ONLY want to block access to the web UI from the LAN when http://75.76.xxx.xxx is entered. If http://192.168.1.1 (or whatever internal IP) is entered I WANT to be able to access the web UI.
Here is the link to the video: https://www.youtube.com/watch?v=0duYxPIx8gU describing DNS rebinding attacks and that a router is vulnerable (at least according to the video) if the web UI can be accessed by typing the public IP into the browser from the LAN.
-
But on some VLANs I ONLY want to block access to the web UI from the LAN when http://75.76.xxx.xxx is entered. If http://192.168.1.1 (or whatever internal IP) is entered I WANT to be able to access the web UI.
So on those VLANs block just that destination instead of This firewall.
I, personally, don't see why it would matter - the webgui is the webgui - but knock yourself out.
-
You do understand that unless you have opened up the WAN rules, the webGUI is not available from the actual WAN? If you're going to allow VLAN X to access it via the VLAN X IP address of pfSense - WTF does it matter if they can also access it via the WAN IP from the LAN side??
-
Honestly, I don't know why there would be a difference either, but I'm not a security researcher presenting at Black Hat, and the claim he made was that if the WAN IP can be used to access the web UI from the LAN, then you are vulnerable to DNS rebinding attacks. I was taking him at his word. Do you think this information is wrong?
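-
The three rule patterns suggested in this thread (lock a guest VLAN down to DNS and ping against This Firewall, block a LAN from the management ports on the WAN address only, and restrict the management ports to the management VLAN), written out as a plain pf ruleset. This is an added example, not from the thread and not pfSense's generated /tmp/rules.debug; in pfSense you would build the same rules per interface in the GUI. Interface names, networks and ports are assumptions.

```pf
# Added example: hand-written pf equivalent of the GUI rules discussed above.
# Interface names, networks and ports below are assumptions for illustration.
wan_if     = "em0"        # WAN
lan_if     = "em1"        # general LAN
mgmt_if    = "em1.99"     # management VLAN
guest_if   = "em1.20"     # guest / wireless VLAN
mgmt_ports = "{ 22, 80, 443 }"   # 80 too, or the HTTP->HTTPS redirect still answers
rfc1918    = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Default deny; every rule below is "quick", so the first match wins
# and order within an interface is top to bottom.
block all

# 1) Guest VLAN: pass only what guests need from the firewall itself
#    (DNS and ping on the guest-side gateway address), then reject anything
#    else aimed at any address the firewall holds. "(self)" is what the
#    GUI calls "This Firewall".
pass in quick on $guest_if inet proto { tcp, udp } from $guest_if:network to ($guest_if) port 53
pass in quick on $guest_if inet proto icmp from $guest_if:network to ($guest_if) icmp-type echoreq
block return in quick on $guest_if inet from any to (self)
#    Keep guests off the other internal networks, then let them out.
block return in quick on $guest_if inet from any to $rfc1918
pass in quick on $guest_if inet from $guest_if:network to any

# 2) General LAN: may use the GUI on its own gateway address, but not via
#    the public address. "($wan_if)" tracks the WAN address at runtime, so
#    the rule stays correct when the WAN lease changes.
block return in quick on $lan_if inet proto tcp from any to ($wan_if) port $mgmt_ports
pass in quick on $lan_if inet proto tcp from $lan_if:network to ($lan_if) port $mgmt_ports
pass in quick on $lan_if inet from $lan_if:network to any

# 3) Management VLAN: the only network allowed to the management ports on
#    any firewall address.
pass in quick on $mgmt_if inet proto tcp from $mgmt_if:network to (self) port $mgmt_ports
pass in quick on $mgmt_if inet from $mgmt_if:network to any

# No pass rule on $wan_if: connections from the internet to the management
# ports fall through to "block all" above.
```

Check the syntax without loading it with `pfctl -nf rules.pf`, and after loading confirm from a LAN host that the WAN address no longer answers on 80/443 while the gateway address still does. Two caveats: the block in section 2 only closes the "type the public IP into the browser" path the video describes; it does nothing for WAN-side access, which is already closed by the absence of a WAN pass rule. And pfSense's webConfigurator has its own DNS rebinding check on the HTTP Host header (System > Advanced > Admin Access, the "Disable DNS Rebinding Checks" option turns it off), so a hostname-based rebind is rejected by the GUI itself regardless of these rules.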