Bug #6441

Unable to restrict access to management interface

Added by Damien Myracle about 4 years ago. Updated about 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 06/02/2016
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture: amd64

Description

OS: FreeBSD 10.3-RELEASE-p3
Ver: 2.3.1-RELEASE-p1(amd64)

The goal: To restrict access from one of the subnets (OPT1) to the web-GUI of the PFsense.

The issue: Provided guide - https://doc.pfsense.org/index.php/Restrict_access_to_management_interface no longer works because the web-GUI does not allow specifying the port(s) or an alias for the ports if and when the "Destination" is set to "This firewall (self)".

Dev team, please take a look at this and if there is an alternative solution, please advise.

Thank you for your time.

1_Ports_aliase.png (104 KB) Damien Myracle, 06/02/2016 04:18 PM
2_rule_creation.png (110 KB) Damien Myracle, 06/02/2016 04:18 PM
3_rule_created.png (107 KB) Damien Myracle, 06/02/2016 04:18 PM

History

#1 Updated by Jim Pingle about 4 years ago

  • Status changed from New to Not a Bug

I can't reproduce this. I am able to use a port type alias in the destination ports field when the destination is set as described. I am able to make an identical set of rules to those on the page as well. Post on the forum for assistance, it's likely that you have some other misconfiguration, such as having the alias in question set for the wrong type.

#2 Updated by Jim Pingle about 4 years ago

  • Priority changed from High to Normal
  • Target version deleted (2.3.1-p2)
  • Affected Version deleted (2.3.1)

#3 Updated by Damien Myracle about 4 years ago

Jim Pingle wrote:

I can't reproduce this. I am able to use a port type alias in the destination ports field when the destination is set as described. I am able to make an identical set of rules to those on the page as well. Post on the forum for assistance, it's likely that you have some other misconfiguration, such as having the alias in question set for the wrong type.

Hello Jim, thank you for looking at this. So I took some screen-shots to demonstrate my point:

Screen-shot #1: Alias for Port group is created and listed correctly under the: Firewall->Aliases->Ports

Screen-shot #2: Firewall rule being created, and as you can see on the screen-shot, the field where you would enter the alias is grayed out and inaccessible for editing.
If I choose "Host or a Alias" in the drop-down menu, I can start typing the name of the alias, but what actually shows up is the alias for the "Networks" but NOT the alias I have created for the ports.

Screen-shot #3: List of the firewall rules where I can't replace the "*" with the alias for ports.

Please note... there is also an issue when I try to re-arrange the order of the firewall rules (I think this is a separate ticket I should file). The rules can be dragged with the mouse, but as soon as you "let go" of the rule, the browser (Iceweasel "Firefox") prompts with a message "You are about to leave the page... Stay or leave?" and no matter what your choice is, once you come back to the firewall rules list, it's back to the same state, as if you had never re-arranged the order of the rules.

Clicking the save button is not possible because... well, it's just not clickable.

The browser I am using is Iceweasel 38.8.0 running on Debian Jessie 8.

Please advise. I still think this is a bug, and as of right now, on my side as a user and the admin, I can't replicate the technique provided in the official docs.

Thank you for your time.

#4 Updated by Chris Buechler about 4 years ago

It's not a bug, please post to the forum for assistance. You can't specify ports if the protocol isn't TCP and/or UDP.

#5 Updated by Damien Myracle about 4 years ago

Using Google Chrome Version 51.0.2704.63 (64-bit) allows me to rearrange the order of the rules for the firewall.

Using Iceweasel Version 38.8.0 (re-branded Firefox on Debian) it's not possible to save/retain changes of the rules sequence/order in the firewall rules list.

#6 Updated by Damien Myracle about 4 years ago

Chris Buechler wrote:

It's not a bug, please post to the forum for assistance. You can't specify ports if the protocol isn't TCP and/or UDP.

Hello Chris, if you take a look at the screen-shot I provided, it will show that protocol IS TCPv4+6, exactly the same as in the guide in documentation, and yet I still can't specify the alias for the ports.

So if I am following the documentation in the guide... and the Web-GUI would not allow me to replicate what it says in the guide... how is this not a bug? Or am I missing something?

#7 Updated by Chris Buechler about 4 years ago

no it isn't, it's protocol "any"

#8 Updated by Damien Myracle about 4 years ago

Chris Buechler wrote:

no it isn't, it's protocol "any"

Yes, I see it now. This is NOT a bug and this IS a 100% user error. I am so sorry for taking your time.

Please close this ticket, or ... do I close it? If yes... how do I do that?

One last question though, should I file a separate bug for the Web-GUI issue with the firewall rules re-arrangement when Iceweasel is used? Or is it an Iceweasel/Firefox (Mozilla) dev team issue and not the PFsense dev team's issue?

Please advise... It would be nice not to have to use Google Chrome for admin tasks on the firewall.

This version of PFsense is being considered for production, that's why I am vetting out potential issues ahead of time.

Again, thank you for your time Mr. Buechler and the dev team.
