Can't lock down Firewall Management?



  • Hi,

    I saw this guide as part of the "how to" series and thought it was a good idea to implement:
    https://doc.pfsense.org/index.php/Restrict_access_to_management_interface

    I've set up an alias of "ManagementHosts" which is specified as the IP range 192.168.0.1 - 192.168.0.20
    I've then set up an alias of "ManagementPorts" which is just port 443.

    Copied the Firewall rules from the guide, but I still seem to be able to access the management GUI from a host outside that IP range, namely when I VPN in.

    Any ideas what I've missed?


  • Banned

    There's been a request to be able to limit the lighttpd bindings. Got nowhere for years. Sigh.



  • Has nothing to do with bindings, if your firewall rules are right, it's restricted to the authorized source IPs. You implemented rules for LAN only if you strictly followed that guide, need to not permit, or block, on the VPN interface too.
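
    The per-interface point above is easy to miss, so here is an added example (my own model, not pfSense code) of how pfSense evaluates interface rules: a packet is matched only against the rule list of the interface it arrives on, top to bottom, first match wins, and anything unmatched hits the default deny. The aliases are the ones from the opening post; the VPN client address 10.8.0.5, the interface name "openvpn" and the "pass everything" rule on the OpenVPN tab (the one the OpenVPN wizard offers to add) are assumptions about the poster's setup.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of pfSense interface-rule evaluation (added example, not
# pfSense code). A packet is checked against the rules of the interface it
# arrives on, first match wins, and a packet matching nothing is dropped by the
# implicit default deny. Rules on LAN never see a connection that enters via
# the OpenVPN interface, which is exactly the symptom in the opening post.

# Aliases as described in the opening post.
ALIASES = {
    "ManagementHosts": ("range", "192.168.0.1", "192.168.0.20"),
    "ManagementPorts": ("ports", {443}),
}


@dataclass
class Rule:
    action: str         # "pass" or "block"
    src: str            # alias name or "any"
    dst: str            # "self" (This Firewall) or "any"
    dport: str          # alias name or "any"
    proto: str = "tcp"  # "any" matches every protocol


def src_matches(src, ip):
    """Source alias check: 'any', or an address inside the range alias."""
    if src == "any":
        return True
    _kind, lo, hi = ALIASES[src]
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)


def port_matches(dport, port):
    return dport == "any" or port in ALIASES[dport][1]


def evaluate(rulesets, iface, src_ip, dst_is_self, dport, proto="tcp"):
    """Return 'pass' or 'block' for a packet arriving on `iface`."""
    for r in rulesets.get(iface, []):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst == "self" and not dst_is_self:
            continue
        if not src_matches(r.src, src_ip) or not port_matches(r.dport, dport):
            continue
        return r.action          # first match wins (GUI rules are "quick")
    return "block"               # default deny: no rule matched


def management_reachable(rulesets, iface, src_ip, port=443):
    """True if `src_ip` entering on `iface` can reach the webConfigurator."""
    return evaluate(rulesets, iface, src_ip, True, port) == "pass"


# The two rules from the "Restrict access to management interface" guide.
MGMT_RULES = [
    Rule("pass", "ManagementHosts", "self", "ManagementPorts"),
    Rule("block", "any", "self", "ManagementPorts"),
]
# Assumed: the usual pass-everything rule on LAN and on the OpenVPN tab.
ALLOW_ALL = Rule("pass", "any", "any", "any", proto="any")

# What the opening post describes: the guide's rules on LAN only.
LAN_ONLY = {
    "lan": MGMT_RULES + [ALLOW_ALL],
    "openvpn": [ALLOW_ALL],
}

# The fix suggested above: the same two rules ahead of the pass-all rule on
# the VPN interface as well.
ALL_IFACES = {
    "lan": MGMT_RULES + [ALLOW_ALL],
    "openvpn": MGMT_RULES + [ALLOW_ALL],
}

if __name__ == "__main__":
    # 10.8.0.5 is a constructed VPN client address.
    for name, rs in (("LAN only", LAN_ONLY), ("LAN + OpenVPN", ALL_IFACES)):
        for iface, ip in (("lan", "192.168.0.10"), ("lan", "192.168.0.50"), ("openvpn", "10.8.0.5")):
            verdict = "pass" if management_reachable(rs, iface, ip) else "block"
            print(f"{name:14} {iface:8} {ip:14} -> {verdict}")
```

    With the LAN-only ruleset the VPN client reaches port 443 through the OpenVPN tab's pass-all rule; once the two guide rules sit above it on that tab as well, the same client is blocked while 192.168.0.10 on LAN still gets in. Repeating the pair on every interface that carries potential admin traffic is the per-interface way; a floating rule with "quick" set and all relevant interfaces selected is the other, and either way the block rule must come before any pass-all rule.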



  • @cmb:

    Has nothing to do with bindings, if your firewall rules are right, it's restricted to the authorized source IPs. You implemented rules for LAN only if you strictly followed that guide, need to not permit, or block, on the VPN interface too.

    Thank you, I'll give it a whirl (maybe when I'm home and not going over the VPN  :P).


  • Banned

    @cmb:

    Has nothing to do with bindings, if your firewall rules are right, it's restricted to the authorized source IPs.

    Yes. And I'm still completely unable to restrict the access when I disable packet filtering. It's possible with pretty much every damn thing out there, just NOT the web server for some absolutely mysterious reason. I can choose interfaces for DHCP, DNS, NTP, god knows what. But the webserver still will listen everywhere no matter what. Absurd.



  • @doktornotor:

    Yes. And I'm still completely unable to restrict the access when I disable packet filtering. It's possible with pretty much every damn thing out there, just NOT the web server for some absolutely mysterious reason. I can choose interfaces for DHCP, DNS, NTP, god knows what. But the webserver still will listen everywhere no matter what. Absurd.

    I'm not saying it's an unnecessary feature, in fact it'd be a great one to have, just that it's always possible to accomplish (with the exception of disabling packet filtering) as is.

    Pull requests welcome.


  • Moderator

    To accomplish that couldn't you change these variables?

    /var/etc/lighty-webConfigurator.conf

    server.bind  = "0.0.0.0"
    server.port  = 443
    $SERVER["socket"]  == "0.0.0.0:443" { }
    $SERVER["socket"]  == "[::]:443" {

    /etc/inc/system.inc (lines 1257-1260)

    $lighty_config .= "server.bind  = \"0.0.0.0\"\n";
    $lighty_config .= "server.port  = {$lighty_port}\n";
    $lighty_config .= "\$SERVER[\"socket\"]  == \"0.0.0.0:{$lighty_port}\" { }\n";
    $lighty_config .= "\$SERVER[\"socket\"]  == \"[::]:{$lighty_port}\" { \n";
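
    As an added example (not pfSense code) of what that edit amounts to, the script below rewrites the wildcard binds in a constructed stand-in for the generated lighty-webConfigurator.conf and lists the sockets the result names. Assumptions: the file is reduced to the four lines quoted above plus one directive inside the IPv6 block; 192.168.0.1 and fd00::1 are made-up LAN addresses; and when no IPv6 address is given the "[::]" socket is pointed at ::1 rather than deleted, so whatever directives live inside that conditional survive. Because pfSense regenerates this file, the change only sticks if it is made in system.inc, which is the upgrade pain mentioned in the next reply.

```python
import re

# Constructed stand-in for the bind/socket lines pfSense's system.inc emits into
# /var/etc/lighty-webConfigurator.conf (added example, not pfSense code; the
# real file has many more directives, which restrict_bind() leaves untouched).
SAMPLE_CONF = '''server.document-root = "/usr/local/www/"
server.bind  = "0.0.0.0"
server.port  = 443
$SERVER["socket"]  == "0.0.0.0:443" { }
$SERVER["socket"]  == "[::]:443" {
\tssl.engine = "enable"
}
'''


def restrict_bind(conf, ipv4, ipv6="::1"):
    """Rewrite the wildcard listeners so lighttpd binds only to the given
    addresses and return the new config text.

    server.bind "0.0.0.0"           -> ipv4
    $SERVER["socket"] "0.0.0.0:P"   -> "ipv4:P"
    $SERVER["socket"] "[::]:P"      -> "[ipv6]:P"  (::1 by default, so the
                                       block's directives stay in effect
                                       without opening a wildcard v6 socket)
    """
    out = []
    for line in conf.splitlines():
        if line.startswith("server.bind"):
            line = f'server.bind  = "{ipv4}"'
        elif line.startswith('$SERVER["socket"]'):
            line = line.replace('"0.0.0.0:', f'"{ipv4}:')
            line = line.replace('"[::]:', f'"[{ipv6}]:')
        out.append(line)
    return "\n".join(out) + "\n"


def listen_sockets(conf, default_port=443):
    """Addresses the config asks lighttpd to listen on: server.bind/server.port
    plus every $SERVER["socket"] conditional, deduplicated and sorted."""
    bind = re.search(r'^server\.bind\s*=\s*"([^"]*)"', conf, re.M)
    port = re.search(r'^server\.port\s*=\s*(\d+)', conf, re.M)
    socks = set()
    if bind:
        socks.add(f"{bind.group(1)}:{port.group(1) if port else default_port}")
    socks.update(re.findall(r'^\$SERVER\["socket"\]\s*==\s*"([^"]+)"', conf, re.M))
    return sorted(socks)


if __name__ == "__main__":
    print("before:", listen_sockets(SAMPLE_CONF))
    hardened = restrict_bind(SAMPLE_CONF, "192.168.0.1", "fd00::1")
    print("after: ", listen_sockets(hardened))
    print(hardened)
```

    Note the IPv6 half: changing only server.bind and the 0.0.0.0 socket still leaves "[::]:443" open on every interface, so a VPN client with an IPv6 route to the firewall would keep reaching the GUI. The rewrite has to cover both families, and the firewall rules from the guide remain the supported control regardless.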



  • Yes, but it needs a GUI control, and to apply equally to SSH. It is easy enough to hack the source if you want, just might be painful on upgrade.

