weixin_39783156
2020-11-28 08:23 · 2 views

Web GUI accessible from WAN interface

Not sure if this is the right place for the issue report.

After a fresh install I can access the web GUI from outside my local network on the WAN interface. This is extremely bad in my opinion, since it allows intruders to attack my network with brute-force attacks and turns the firewall into an anti-firewall.

The web GUI socket should bind to the LAN interface(s) and not to the WAN interface.

This question comes from the open-source project: opnsense/core


9 replies

  • weixin_39624733 2020-11-28 08:23

    this is actually not the default and must be something else. Did you import a config, are you sure you did configure WAN/LAN right? In a default setup, you cannot access the GUI from WAN

  • weixin_39783156 2020-11-28 08:23

    This was a clean install on an ALIX 3 board. No configuration work afterwards, the block private networks flag on the WAN interface is enabled. I've already described the problem here: https://forum.opnsense.org/index.php?topic=4035.0 but without any response that helped me.

    I am quite sure that the problem must be on my side, but I really have no clue what it can be. It is a clean install.

  • weixin_39913117 2020-11-28 08:23

    I cannot reproduce this with a fresh install of OPNsense 17.1 nano on an alix2d13 with literally no more configuration than setting up PPPoE:

    ```shell
    $ nmap XXX

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-09 17:15 CET
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds
    ```

    and

    ```shell
    $ nmap XXX -Pn

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-09 17:18 CET
    Nmap scan report for XXX (X.X.X.X)
    Host is up (0.0021s latency).
    rDNS record for X.X.X.X
    Not shown: 998 filtered ports
    PORT   STATE  SERVICE
    25/tcp closed smtp
    53/tcp closed domain

    Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds
    $
    ```
  • weixin_39783156 2020-11-28 08:23

    This is what I get:

    ```shell
    nmap XXX -Pn

    Starting Nmap 7.00 ( https://nmap.org ) at 2017-02-09 17:29 CET
    Nmap scan report for XXX.dynamic.kabel-deutschland.de (X.X.X.X)
    Host is up (0.0034s latency).
    Not shown: 997 filtered ports
    PORT    STATE SERVICE
    53/tcp  open  domain
    80/tcp  open  http
    443/tcp open  https

    Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds
    ```

    The thing is that I am running a cable modem in bridge mode in front of my firewall, and my IP address is not a real IPv4 address but a magical IPv6-to-IPv4 tunnel. But, on the other hand, OPNsense shows me a real IPv4 address and has nothing to do with IPv6.

    This is what the "Interface List" on the dashboard shows:

    WAN 1000baseT X.X.X.X

    Where X.X.X.X is not in the private network range and has been used in the nmap scan above.

  • weixin_39916360 2020-11-28 08:23

    Make sure you scan from a network outside of your WAN. You will see these open if you do. I normally use my phone's data connection (disconnect from Wifi). Navigate to your public IP and you should not be able to connect via HTTP or HTTPS.

  • weixin_39854681 2020-11-28 08:23

    My GUI is also accessible from WAN. Have a rather default setup with LAN and WAN interfaces. Using out-of-the-box FW rules. I expected the default FW config would be "deny", but that seems not to be the case. I don't have a FW rule allowing WAN -> OPNSense! What is going on?

  • weixin_39837607 2020-11-28 08:23

    Make sure to provide your test setup used to confirm this here for us to check. It is often a faulty assumption that leads to such inquiries...

  • weixin_39854681 2020-11-28 08:23

    Oops... my wifi had jumped to LAN, my mistake :-( Sorry for the inconvenience

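The two replies above (scan from a network outside your WAN, and the "my wifi had jumped to LAN" mistake) describe a test that is easy to get wrong from the wrong vantage point. The script below is an added example, not OPNsense code and not from the thread: it parses nmap's port table, treats `filtered` and `closed` as "the firewall did its job", and refuses to draw a conclusion when the scanning host's own interface address falls inside the firewall's LAN subnet. The embedded nmap outputs are constructed from the two scans quoted above (with the same placeholder addresses); the LAN subnet 192.168.1.0/24, the scanner addresses and the `MGMT_PORTS` set are assumptions.

```python
"""Sanity-check a WAN-side scan of a firewall's management ports.

Added example (not OPNsense code). Two things go wrong in the thread above:
a scan run from inside the LAN (the wifi client "jumped to LAN") says nothing
about WAN exposure, and nmap's 'filtered' (dropped by the firewall) is easily
confused with 'open'. assess() parses the nmap port table and refuses to draw
a conclusion when the scanning host sits inside one of the LAN subnets.
"""
import ipaddress
import re

# Ports whose exposure on WAN would matter. Assumption: the OPNsense GUI is
# on 80/443 and SSH on 22 (the defaults unless reconfigured).
MGMT_PORTS = {22, 80, 443}

# One row of nmap's PORT/STATE/SERVICE table, e.g. "443/tcp open  https".
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)"
)

# Constructed samples modelled on the two scans quoted in the thread
# (addresses replaced by placeholders, as in the original posts).
SCAN_FILTERED = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-09 17:18 CET
Nmap scan report for XXX (X.X.X.X)
Host is up (0.0021s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
25/tcp closed smtp
53/tcp closed domain

Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds
"""

SCAN_OPEN = """\
Starting Nmap 7.00 ( https://nmap.org ) at 2017-02-09 17:29 CET
Nmap scan report for XXX.dynamic.kabel-deutschland.de (X.X.X.X)
Host is up (0.0034s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds
"""


def parse_nmap_ports(scan_text):
    """Return {port: state} for every row of the port table in an nmap report."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports


def scanned_from_inside(scanner_ip, lan_networks):
    """True if the scanning host's own interface address lies in one of the
    firewall's LAN subnets, i.e. the probes never crossed the WAN interface."""
    addr = ipaddress.ip_address(scanner_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in lan_networks)


def assess(scan_text, scanner_ip, lan_networks):
    """Classify a scan as ('invalid', []) when taken from inside the LAN,
    ('exposed', [ports]) when a management port is open on WAN, or ('ok', [])
    when every management port is filtered, closed or absent from the table."""
    if scanned_from_inside(scanner_ip, lan_networks):
        return "invalid", []
    ports = parse_nmap_ports(scan_text)
    # Only a definite 'open' counts; 'filtered' means the firewall dropped it.
    exposed = sorted(p for p, state in ports.items()
                     if p in MGMT_PORTS and state == "open")
    return ("exposed" if exposed else "ok"), exposed


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]                           # assumed LAN subnet
    print(assess(SCAN_FILTERED, "203.0.113.7", lan))   # ('ok', [])
    print(assess(SCAN_OPEN, "203.0.113.7", lan))       # ('exposed', [80, 443])
    print(assess(SCAN_OPEN, "192.168.1.23", lan))      # ('invalid', [])
```

Pass the scanning host's own interface address (what it got from DHCP on the network it is actually attached to), not the public address it appears as; a phone on cellular data will not be in the LAN subnet, a laptop whose wifi silently reconnected to the LAN will be, and the script then reports `invalid` instead of a false "GUI open on WAN".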
  • weixin_39837607 2020-11-28 08:23

    no worries 👍

