Where is the interface for anti-lockout rule defined?

Started by Patrick M. Hausen, April 14, 2021, 06:04:54 PM

Where in the UI is it defined which interface the automatic anti-lockout rule gets assigned to?
See screenshot, please.

Thanks!
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi Patrick,

It's set on the interface you assign 'LAN' during the text part of the installation or afterwards through the interface assignment in console option 1.

You can see it in the UI through Firewall, Rules, LAN when you click on the small icon next to 'Automatically generated rules'.

If you'd rather roll your own, you can disable the built-in rule through Firewall, Settings, Advanced by ticking 'Disable anti-lockout'.

Obvious caveats apply - if you lock yourself out of the web/SSH interfaces, you'll have to roll back from the console option 13.

Bart...

Hi.
It cannot be set in the GUI, IMHO.
If I understand correctly, OPN chooses the interface for this with the logic in the filter_core_get_antilockout() function (if noantilockout is not set):
https://github.com/opnsense/core/blob/8d245d6d13ef908584a2e5376ae50c7bd528446a/src/etc/inc/filter.lib.inc#L89
So it's lan or opt1, or even wan in a pinch.

Thanks!

The interface is hardcoded in the function filter_core_get_antilockout():


    if (!empty($config['interfaces']['lan']['if'])) {
        $lockout_if = 'lan';
    } elseif (!empty($config['interfaces']['opt1']['if'])) {
        $lockout_if = 'opt1';
    } elseif (count(get_configured_interface_with_descr()) == 1 && !empty($config['interfaces']['wan']['if'])) {
        $lockout_if = 'wan';
    } else {
        return array();
    }


It will be "lan", "opt1" and "wan" in that order; "wan" only if only one interface, named "wan", exists.
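
As an added example (not part of the thread and not OPNsense code), the selection order quoted above can be applied offline to a config.xml export to check which interface would carry the automatic rule, for instance to spot a single-interface box where it lands on WAN. It assumes the 'Disable anti-lockout' setting is stored as system/webgui/noantilockout and treats an interface as configured when it has an <enable> element; the sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not taken from a real firewall.
TWO_PORT = """<opnsense><system><webgui/></system><interfaces>
  <wan><enable>1</enable><if>igb0</if></wan>
  <lan><enable>1</enable><if>igb1</if></lan>
</interfaces></opnsense>"""
WAN_ONLY = """<opnsense><system><webgui/></system><interfaces>
  <wan><enable>1</enable><if>vtnet0</if></wan>
</interfaces></opnsense>"""


def _has_if(interfaces, name):
    """Mirror PHP's !empty($config['interfaces'][name]['if'])."""
    node = interfaces.find(f"{name}/if")
    return node is not None and (node.text or "").strip() not in ("", "0")


def antilockout_interface(config_xml):
    """Return 'lan', 'opt1' or 'wan', or None if no automatic rule is generated."""
    root = ET.fromstring(config_xml)
    # Assumption: 'Disable anti-lockout' is stored as system/webgui/noantilockout.
    if root.find("system/webgui/noantilockout") is not None:
        return None
    interfaces = root.find("interfaces")
    if interfaces is None:
        return None
    if _has_if(interfaces, "lan"):
        return "lan"
    if _has_if(interfaces, "opt1"):
        return "opt1"
    # Simplification: an interface counts as configured when it has <enable>.
    configured = [i for i in interfaces if i.find("enable") is not None]
    if len(configured) == 1 and _has_if(interfaces, "wan"):
        return "wan"
    return None


if __name__ == "__main__":
    for label, xml in (("two-port", TWO_PORT), ("wan-only", WAN_ONLY)):
        iface = antilockout_interface(xml)
        note = "  <-- management reachable from WAN" if iface == "wan" else ""
        print(f"{label}: anti-lockout on {iface}{note}")
```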