automatic lockout rule too general and cannot be unarmed
There is a rule that generates lockout for HTTPS clients that fail too many attempts on the pfsense web interface.
However that lockout is badly broken:
- It is not show anywhere on the webinterface, and cannot be reset without SSH'ing
- The source IP address is correctly set but the pf rule basically blocks HTTPS on all destinations, including those protected by the firewall
This issue made me lose 2 hours at home the first time, trying to understand why a device wouldn't go on the internet, and half an hour during a customer training, because a smartass tried to guess the admin password. I fixed it quickly because I already lost 2 hours on the exact same issue an other day.
- Disable this functionnality by default until it is fixed. Implement a recovery time so the admin can't get locked out. Issue an alert in the panel when a source address has been locked out.
Thanks for considering this report and keep up with the good work.