Feature #13777

closed

Better security for FW-management

Added by Louis B almost 2 years ago. Updated almost 2 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

IMHO pfSense should only be manageable via defined IP-addresses, and not via all GW-addresses, like it is now.

You can manage pfSense via the GUI, Secure Shell / SSH, and the console. Assuming you block the console and/or put a password on it, that will probably be sufficient.
However, the GUI / Secure Shell protection can and IMHO should be better.

First thing to do there if you are using Secure Shell is to change the SSH-port number to e.g. 2222 so that it is not conflicting with other ssh. Second is the option to force an SSH-key.

My problem is that you can manage the firewall from every VLAN and as such change rules / protection from there. Assume, as an example, you have a guest VLAN. Users who were able to get a pfSense PW can manage pfSense via the GW of the guest LAN, but also via the GW of all other VLANs if not explicitly blocked.

Some form of protection is possible by changing the System / Admin Access / TCP-port number and blocking that port on every available VLAN apart from the VLAN intended as management VLAN.

However, the simple option to tell the GUI / Secure Shell that it should only listen to addresses A, B and not to the rest is regrettably not present!!!

So, I would love to see that simple but effective option added.
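The workaround described in the request (block the management ports on every VLAN except the management VLAN) fails silently if one interface or one port is missed. The following is an added example, not part of the original request and not pfSense code: it audits a constructed set of per-interface rule lists under top-down, first-match evaluation. The interface names, the GUI port 8443 and the rule format are assumptions; 2222 is the SSH port the request uses as its example.

```python
"""Audit constructed firewall rules for management-port exposure (illustrative)."""

MGMT_PORTS = {2222, 8443}  # 2222: SSH port from the request; 8443: assumed GUI port
MGMT_IFACE = "MGMT"        # hypothetical name of the management VLAN

# Constructed sample rules per interface, evaluated top-down, first match wins.
# dst "self" means any address of the firewall itself (every gateway address);
# ports None means all ports.
RULES = {
    "MGMT":  [{"action": "pass",  "dst": "self", "ports": {2222, 8443}}],
    "LAN":   [{"action": "block", "dst": "self", "ports": {2222, 8443}},
              {"action": "pass",  "dst": "any",  "ports": None}],
    "GUEST": [{"action": "pass",  "dst": "any",  "ports": None}],   # no block rule at all
    "IOT":   [{"action": "block", "dst": "self", "ports": {8443}},  # SSH port forgotten
              {"action": "pass",  "dst": "any",  "ports": None}],
}


def verdict(rules, port):
    """Action applied to traffic addressed to the firewall itself on `port`."""
    for rule in rules:
        port_match = rule["ports"] is None or port in rule["ports"]
        if rule["dst"] in ("self", "any") and port_match:
            return rule["action"]
    return "block"  # nothing matched: default deny


def exposed_ports(rules_by_iface, mgmt_iface=MGMT_IFACE, ports=MGMT_PORTS):
    """Map each non-management interface to the management ports it can reach."""
    findings = {}
    for iface, rules in rules_by_iface.items():
        if iface == mgmt_iface:
            continue
        reachable = sorted(p for p in ports if verdict(rules, p) == "pass")
        if reachable:
            findings[iface] = reachable
    return findings


if __name__ == "__main__":
    for iface, reachable in exposed_ports(RULES).items():
        print(f"{iface}: management ports reachable: {reachable}")
```
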
