Feature #13777
closedBetter security for FW-management
0%
Description
IMHO pfSense should only be manageable via defined IP-addresses, and not via all GW-ddresses, like it is now.
You can manage pfSense via the gui, secure shell / ssh, the console. Assuming you block the console and/or an password it that will probably be sufficient.
However the GUI / Secure Shell protection can and IMHO should be better.
First thing to do there if you are using Secure Shell is to change the SSH-port number to e.g. 2222 so that it is not conflicting with other ssh. Second is the option to force an SSH-key.
My problem is that you can manage the firewall from every VLAN and as such change rules / protection from there. Assume as example you have a guest vlan. Users which where able to get a pfSense PW can manage pf-sense via: the GW of the guest-lan but also via the GW of all other vlans if not explicitly blocked.
Some form of protection is possible by changing the System / Admin Access / TCP-port number and blocking that port on every available vlan apart from the vlan intended as management vlan.
However, the simple option to tell the GUI / Secure Shell that it should only listen to addresses A,B and not to the rest, is regrettable not present !!!
So, I would love to see that simple but effective option added.