OpenVPN allows webConfigurator
Hi. New to this; I wanted to solve another topic before going further into the depths of rule mastering.
I like that I can enter the webConfigurator from home using OpenVPN. The strange thing is
I have added a LAN rule to
IPv4 TCP ManagementAccess * This Firewall ManagementPorts * none
And then went to System->Advanced and checked "Disable webConfigurator anti-lockout rule"
ManagementAccess only allows two IPs from the LAN to enter the webConfigurator, but I'm connected from home using OpenVPN (all default) and I can access and login to the webConfigurator.
Is that right?
Extending the question: when I create a VPN of any type, shouldn't it add a new interface with its own rules? Or does everything that happens on openvs1 act as a local firewall address (like the firewall IP)?
Thanks in advance.
OpenVPN firewall rules go to OpenVPN tab, not LAN.
Yes… they are there... I hadn't seen them before. How could I... they magically appeared after I read your message...
Typically you just add a rule under OpenVPN that allows all OpenVPN traffic and you're done.
After that you can just open the WebGUI across the tunnel by its IP address, just as if you were physically connected to its LAN network.
No extra rules needed.
This is strange, in fact I can enter the webConfigurator from ANY host in the LAN…
I assume the first rule below which appeared by default is the one that allows that.
The rule above it is the one that I added when I removed the anti-lockout rule.
I need to understand how this works... and I'll be abusing the forum for a while... in the good way.
That rule is completely pointless because you have a rule below it that allows any any, which includes the stuff you have in your rule. There is nothing blocking traffic for stuff that is not your management access.
If you want it to be of any good you need a rule below it that says: hey, if you're going to the firewall management ports, block. So if you're in the management access alias, your rule would allow. But if you're not in that alias, then the next block rule would trigger if you're going to pfSense management ports. If you were going anywhere else, then the allow any any rule would allow you.
Or you could do it with one rule by using ! management access, block.
This is taking me to a much earlier stage of firewall configuration.
Supposedly the first rule to rule them all is "Everything is blocked" (which is implicit and not shown), but then the firewall creates this rule allowing everything for each new interface.
Should I consider removing it?
Supposedly the first rule to rule them all is "Everything is blocked" (which is implicit and not shown)
No, that's the LAST one. Please, read some docs on the wiki.
Yes sorry… the one on the "bottom" would be the right term maybe. I was saying it as "the first rule that exists"
Only the first LAN interface creates an any any rule by default. When you add more interfaces (OPT1, 2, 3, etc.) there are no rules other than the default deny rule.
Rules are evaluated top down on traffic into that interface; first rule wins.
So while yes, your rule would allow the traffic you want, the rule below it also allows it since it's an any any. So your top rule is meaningless.
So while your rule would not trigger if I were not in your management access alias going to the pfSense management port, the next one would fire and let me in.
So it would never get to the default deny.
So you need to put in a block below that rule for anyone going to your management ports, which would trigger before the any any. Or you need to rewrite your rule to block people that are not in your management alias. Again, first rule wins; rules below that are not looked at once a rule matches the criteria and either allows or blocks.
That's OK. Really clear, and most of it I knew from other firewalls.
Now that I'm trying to make things tighter, should I kill the any any default rule?
Not talking about the web config anymore.
But as rule management. I should start a new thread, I guess, in the right subforum.
Generally, on interface rules that are evaluated top down (first match wins), if you want to limit what the users can do you go from most specific to least specific:
Pass what your users need to access - DNS to DNS servers, pings to gateway for troubleshooting/comfort, etc.
Block what you do not want your users to access - DMZ to LAN or other local networks, webConfig (don't forget WAN address or This firewall (self)), etc.
Pass everything else - (the internet)
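To make the top-down, first-match-wins behaviour concrete across the three LAN-tab layouts discussed in this thread (the original specific allow sitting above the any any, the block rule inserted between them, and the single inverted-match block rule), and the specific-to-general ordering listed just above, here is a small Python simulation. It is an added example, not code from the thread or from pfSense; the alias members, addresses and ports are constructed placeholders, and it matches only on source, destination and destination port, ignoring protocol and state.

```python
"""Simulate pfSense-style top-down, first-match-wins rule evaluation.

Added example: not pfSense code. Alias members, addresses and ports
below are constructed placeholders; protocol and state are ignored.
"""

# Constructed aliases (hypothetical values).
ALIASES = {
    "ManagementAccess": {"192.168.1.10", "192.168.1.11"},  # hosts allowed to manage
    "ManagementPorts": {443, 22},                          # WebGUI and SSH
    "This Firewall": {"192.168.1.1", "10.8.0.1"},          # LAN and OpenVPN addresses
}


def rule(action, name, src="*", dst="*", dport="*", src_negate=False):
    """One rule; '*' means any, src_negate models the source 'invert match' (!)."""
    return {"action": action, "name": name, "src": src, "dst": dst,
            "dport": dport, "src_negate": src_negate}


def _matches(spec, value):
    """'*' matches anything; otherwise the value must be a member of the named alias."""
    return spec == "*" or value in ALIASES[spec]


def evaluate(rules, src, dst, dport):
    """Walk the rules top down and return (action, rule name) of the first match.

    pfSense generates every rule with pf's 'quick' keyword, so evaluation stops
    at the first hit.  If nothing matches, the implicit default deny applies.
    """
    for r in rules:
        src_hit = _matches(r["src"], src) != r["src_negate"]
        if src_hit and _matches(r["dst"], dst) and _matches(r["dport"], dport):
            return r["action"], r["name"]
    return "block", "default deny"


MGMT_ALLOW = rule("pass", "Allow ManagementAccess to ManagementPorts",
                  src="ManagementAccess", dst="This Firewall", dport="ManagementPorts")
ANY_ANY = rule("pass", "Default allow LAN to any")

# Layout 1: the thread's original LAN tab, a specific allow above the any any.
ORIGINAL = [MGMT_ALLOW, ANY_ANY]

# Layout 2: a block for the management ports inserted between the two.
WITH_BLOCK = [
    MGMT_ALLOW,
    rule("block", "Block everyone else to ManagementPorts",
         dst="This Firewall", dport="ManagementPorts"),
    ANY_ANY,
]

# Layout 3: one block rule with an inverted source (!ManagementAccess), then any any.
SINGLE_NEGATED = [
    rule("block", "Block !ManagementAccess to ManagementPorts",
         src="ManagementAccess", src_negate=True,
         dst="This Firewall", dport="ManagementPorts"),
    ANY_ANY,
]

# Constructed test traffic: (source, destination, destination port).
CASES = {
    "mgmt host -> WebGUI":    ("192.168.1.10", "192.168.1.1", 443),
    "other host -> WebGUI":   ("192.168.1.50", "192.168.1.1", 443),
    "other host -> internet": ("192.168.1.50", "203.0.113.5", 443),
}


def verdicts(rules):
    """Map each traffic case to the action the rule set yields."""
    return {label: evaluate(rules, *flow)[0] for label, flow in CASES.items()}


if __name__ == "__main__":
    for title, rules in (("original", ORIGINAL), ("with block", WITH_BLOCK),
                         ("single negated", SINGLE_NEGATED)):
        print(f"== {title} ==")
        for label, flow in CASES.items():
            action, hit = evaluate(rules, *flow)
            print(f"  {label:24s} {action:5s} by '{hit}'")
```

Running it shows why the original layout is pointless: the non-management host reaching the WebGUI is passed by "Default allow LAN to any", because the management rule never matched and nothing between it and the any any blocks. In the other two layouts the same host is blocked while its internet traffic still falls through to the any any, and in the single-rule layout a management host skips the inverted block and is passed by the any any as well.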