Netgate Discussion Forum

    Restrict management in an easy way

    Category: Firewalling
    6 Posts 3 Posters 894 Views
    • rfauske

      Hi,

      I have two firewalls with around 50 VLAN interfaces, all with separate shared virtual IPs (CARP). All IPs are routed public IPs, no NAT.

      Is there an easy way to restrict management access to all the virtual IPs without creating one large alias with all IPs added manually?

      Now all new virtual IPs can be used for management access from WAN (or LAN) as long as I allow web access to the subnets that are bound to the virtual IPs.

      Something like the alias in pf called "me", so I could just deny management access to "me" for all unprivileged sources.

      • cmb

        The "self" option in rules is for that purpose.

        • rfauske

          If I am not doing something wrong, it does not include virtual IPs (CARP) in the self option.

          So it works for the IPs directly assigned on interfaces but not on the virtual IPs.

          • Derelict (Netgate)

            Seems to block CARP VIPs here. What exactly are you seeing that makes you think otherwise?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • cmb

              Yeah, it includes the VIPs as well.

              • rfauske

                Got it working now. I had forgotten to explicitly block it instead of thinking that the default deny would do it.

                So all my fault, thanks for the help :)
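                As an added illustration (not from any post in this thread), the pf.conf-style rules below show the pattern the thread arrives at: an explicit block to `self` placed above the broad pass rules for the VIP subnets, because a pass rule that matches first means the default deny is never reached. In pfSense the "This Firewall (self)" destination generates the same `self` keyword; the interface names, the `<admins>` table contents and the management ports are assumptions.

```pf
# Added example, not from the thread. Interface names, the <admins>
# table and the management ports are assumed/constructed values.
table <admins> { 192.0.2.10, 203.0.113.0/24 }   # trusted management sources
mgmt_ports = "{ 22, 443 }"

# 'self' expands to every address configured on this host, which on
# pfSense includes the CARP VIPs added on top of the interfaces, so no
# hand-maintained alias of VIP addresses is needed.
# Rules are first-match ("quick"), so this block must sit ABOVE any
# pass rule that covers the VIP subnets; otherwise that pass rule
# matches first and the default deny never applies.
block in log quick proto tcp from ! <admins> to self port $mgmt_ports

# Broad pass rules for the routed VLAN subnets (no NAT). On their own
# they would also admit management traffic addressed to the VIPs.
pass in quick on vlan100 from any to 198.51.100.0/24
pass in quick on vlan101 from any to 198.51.101.0/24
```

                Verify the order with `pfctl -sr` after loading: the `block ... to self` line should print before the subnet pass rules.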

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.