[SOLVED] Temporary disable DNS rebind and CSRF checks from CLI?

[simonv]

Hi,

I'm currently experiment with pfSense and opnSense to see which I like better. I successfully evaluated pfSense and now I want to try opnSense. My goal is to route all traffic to my Proxmox host through a router/firewall VM. My host is installed on a dedicated server with a public IP, I have no LAN access.

I setup the opnSense VM with a private LAN IP (10.0.0.1/24), then I setup NAT port forwarding from the host to the opnSense VM. This way I'm able to access the opnSense Web UI through the public IP of the host, but I immediately got to see the DNS rebind attack warning message.

I solved the DNS rebind issue by installing a nginx reverse proxy in another VM on the same LAN as opnSense, disabling HTTPS
(to avoid SSL passthrough issues) and setting up the appropriate port forwards to nginx instead of opnSense directly. Now I see the login form, but after login I get the "CSRF check failed" message. So many security layers... 

So my question is, can I somehow disable the CSRF checks through the command shell? In pfSense for example I was able to disable the dns rebind attack check through their php developer shell, but I didn't find anything similar in opnSense.
Or do you maybe have another idea how I could access the web UI without triggering dns rebind/CSRF warnings? (with the constraint that I have to use the public IP)

[simonv]

I figured it out. I noticed that the PHPSESSION cookie was not stored in my browser (Chrome) for whatever strange reason, even though the cookie was present in the response headers. So I tried it in Firefox, and it works! Chrome Incognito mode works strangely too. Anyway now opnSense complained about an invalid HTTP_REFERER, so I had to adjust the nginx config accordingly.

Here is the minimal nginx config I used to reverse proxy the opnSense web UI, in case anyone needs it. I used the snakeoil cert since it is just temporary.

Code: [Select]

server {
  listen 80;
  server_name your.domain.com;
  return 301 https://$server_name/$1; 
}

server {
  listen 443 ssl;
  server_name your.domain.com;
  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

  location / {
    proxy_buffer off;
    proxy_set_header Host 10.0.0.1; # required to avoid DNS rebind attack warnings
    proxy_set_header Referer http://10.0.0.1; # require to avoid wrong HTTP_REFERER warnings
    proxy_pass http://10.0.0.1;
  }
}

But I'd still like to know if it is possible to disable the web UI security checks from the command shell or not.

[franco]

CSRF checks are not to be disabled and should be supported by all modern browsers and proxies. As for refer(r)er and DNS that can be disabled on the GUI (System: Settings: Administration), but it only makes sense if you can reach the GUI securely once.


Cheers,
Franco

[simonv]

Thanks, as I wrote the CSRF check failed because for some reason my browser didn't store the cookie. Restarting my browser solved the issue.