
Restrict access to management interface

From PFSenseDocs

Revision as of 19:38, 14 February 2009 by Jimp (Talk | contribs)


To enhance the security of your network, in many environments you will want to limit access to the management functionality of pfSense with firewall rules. For the reasoning behind this, see the blog post Securely Managing Web-administered Devices.

The default configuration of pfSense allows management access from any machine on your LAN and denies it to anything outside of your network. There is also an anti-lockout rule enabled by default that prevents you from configuring firewall rules in a way that will lock you out of the web interface.

To restrict management access, first ensure your LAN rules allow access to the port you are using for the web interface. The image below depicts the default LAN rule, which lets you into the web interface.

default-LAN-rule.png

If you use a restrictive ruleset on your LAN, make sure it permits access to the web interface before continuing.

Now disable the anti-lockout rule by going to System -> Advanced and checking the "Disable webGUI anti-lockout rule" box. Click Save and the rule is removed.

disable-webgui-antilockout.png

Next, I suggest adding a network alias containing the hosts permitted management access, and if you use both web and SSH administration, add a port alias for those ports.

management-access-alias.png

management-ports-alias.png

Now add a firewall rule allowing the sources defined in your management alias to the destination LAN address, with the single port you use or, if you use multiple ports, the port alias you created. Make sure this rule comes first in the list. Then add a second rule based on that rule (the + next to the rule), changing the action to block or reject (I prefer reject on internal networks), the source to any, and keeping the same destination and ports. When finished, your ruleset should look like the following.

restricted-management-lan-rules.png

Apply your changes and your management interface is now restricted to only the defined hosts.
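For reference, here is what the two GUI rules above amount to in the pf.conf syntax pfSense generates underneath. This is an added example, not from the original page or the pfSense project; the interface name, addresses and alias names are constructed for illustration, and the anti-lockout rule shown in the comment is an approximation of its form.

```pf
# Added example (not from the original page): pf.conf equivalent of the
# "restrict management access" rules. Assumed values: LAN interface em1,
# management hosts 192.168.1.10 and 192.168.1.16/28, ports 443 and 22.
lan_if = "em1"

# Network alias: hosts permitted to reach the management interface
table <ManagementHosts> { 192.168.1.10, 192.168.1.16/28 }

# Port alias: web GUI (HTTPS) and SSH
ManagementPorts = "{ 443, 22 }"

# The default anti-lockout rule is evaluated BEFORE user rules and passes
# any LAN host to the GUI/SSH ports, which is why the page disables it.
# Approximate form (must be disabled, so left commented out):
#   pass in quick on $lan_if proto tcp from any to ($lan_if) port { 22 80 443 } keep state label "anti-lockout rule"

# Rule 1 (first in the list): allow only the management hosts.
# "quick" makes pf stop at the first match, which is why ordering matters.
pass in quick on $lan_if proto tcp from <ManagementHosts> to ($lan_if) \
    port $ManagementPorts flags S/SA keep state label "USER_RULE: allow management"

# Rule 2: reject everyone else to the same destination and ports
# ("block return" sends a TCP RST, i.e. the GUI's "reject" action;
# plain "block" would be the GUI's "block" action).
block return in quick on $lan_if proto tcp from any to ($lan_if) \
    port $ManagementPorts label "USER_RULE: reject management"
```

Other LAN traffic continues to be evaluated by the rules that follow, so only connections to the firewall's own LAN address on the management ports are affected.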

This article is part of the HOWTO series.