    I have two firewalls with around 50 VLAN interfaces, all with separate shared virtual IPs (CARP). All IPs are routed public IPs, no NAT.

    Is there an easy way to restrict management access to all the virtual IPs without creating one large alias with all IPs added manually?

    Right now all new virtual IPs can be used for management access from WAN (or LAN) as long as I allow web access to the subnets that are bound to the virtual IPs.

    Something like the alias in pf called "me", so I could just deny management access to "me" for all unprivileged sources.

  • The "self" option in rules is for that purpose.

  • If I am not doing something wrong, it does not include virtual IPs (CARP) in the self option...

    So it works for the IPs directly assigned on interfaces but not on the virtual IPs.

    Seems to block CARP VIPs here. What exactly are you seeing that makes you think otherwise?

  • Yeah, it includes the VIPs as well.

  • Got it working now; I had forgotten to explicitly block it instead of thinking that the default deny would do it.

    So all my fault, thanks for the help :)
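    As an added illustration of the pattern the thread arrives at (not the poster's own configuration, and pfSense builds its rules from the GUI rather than from a hand-written pf.conf), here is a pf.conf fragment that puts an explicit block on the management ports to every address the firewall owns, ahead of the broad pass rule that originally exposed the VIPs. The interface name, management ports and address ranges are constructed placeholders.

```pf
# Constructed placeholders: admin source network and the public subnet
# whose addresses are bound to the CARP VIPs.
wan_if     = "em0"
mgmt_ports = "{ 22, 443 }"
table <admin_nets> { 192.0.2.0/24 }

# Explicit block first: "self" expands to all addresses assigned to the
# firewall's interfaces, including the CARP VIPs, so no per-VIP alias
# is needed. "quick" stops evaluation, so the broad pass rule below
# never gets to admit management traffic to a VIP.
block in quick on $wan_if proto tcp from ! <admin_nets> to self port $mgmt_ports
pass  in quick on $wan_if proto tcp from   <admin_nets> to self port $mgmt_ports

# The broad pass rule from the original setup: it allows web traffic to
# the whole subnet, and the VIPs live inside that subnet, which is why
# relying on the default deny alone left management reachable.
pass in quick on $wan_if proto tcp to 203.0.113.0/24 port 443
```

    Loading such a fragment with `pfctl -nf` first checks the syntax without touching the running ruleset, and `pfctl -sr` afterwards confirms the block rule sits above the pass rule.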
