[SOLVED] WebGUI reachable from other not allowed interfaces

[fastboot]

Hi.

I am a little bit wondering about the behavior of my OPNsense installation.

The WebGUI is reachable from other networks via routing.
System - Settings - Adminstration
=> Listen interfaces: LAN

Surely the firewall would route e.g from WIFI-XYZ to LAN. On top of that it would be allowed if I open the flows.

Do I oversee anything? Is it my setup? Because the LAN interface is not dedicated to a NIC, it's configured as trunk to a switch.

To be honest I was expecting that also only the subnet of LAN would be allowed to connect. Not everything else which has a flow open to anywhere.

The WebGUI is listening on LAN (192.168.1.1 on Port 443) but not on WIFI (10.0.0.1 on Port 443) but it will be still routed for sure.


Is this an expected behavior?

[franco]

If you allow WIFI to access 192.168.1.1 (even if implicitly by allowing all) it will be able to access 192.168.1.1 just fine. That's one of the reasons why this only-bind-to-interfaces-is-more-secure is a myth. The firewall does the job if set up right. Nothing else will.


Cheers,
Franco

[fastboot]

Thanks for the clarification @franco

I set now a floating rule to forbid the flow.

[fastboot]

If you allow WIFI to access 192.168.1.1 (even if implicitly by allowing all) it will be able to access 192.168.1.1 just fine. That's one of the reasons why this only-bind-to-interfaces-is-more-secure is a myth. The firewall does the job if set up right. Nothing else will.


Cheers,
Franco

One remark: But this is a logic thing of OPNsense. In comparison with other FW (e.g Palo Alto, Checkpoint, Cisco ASA, .....) the Subnet of the Mgmt Interface (OOB) won't be routed to other vlans, interfaces.

But still -  Good to know.

[chemlud]

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

[fastboot]

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

Well... I have a lots of different subnets. And for some clients the traffic is surely allowed to reach the LAN, depending on the use case of the VLAN/Subnet. But I was still surpised, that its just routed.
Like already mentioned, this is a OPNsense design then. Because with any enterprise FW you do not have this behavior. For a good reason.

But maybe an additional Help-Text would be good to make this clear.
"Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
This is definitely not that clear. At least not to me. Because the initial connection was not coming from the LAN interface ingress.
If you know this behavior, sure its clear then.

[viragomann]

OPNsense gives you the preset alias "This firewall" to block access to the GUI on all its IPs and similar purposes.
You can use it in floating rules or in interface group rules to cover all sources with only a single rule.

[fastboot]

OPNsense gives you the preset alias "This firewall" to block access to the GUI on all its IPs and similar purposes.
You can use it in floating rules or in interface group rules to cover all sources with only a single rule.

I know. That is obviously what I wrote? 

[chemlud]

If I have two different interfaces with different subnets there usually is a good reason for this and therefore all (but very limited) traffic between these two interfaces should be blocked. Yes, it needs a block rule, that's **sense 101 ;-)

Well... I have a lots of different subnets. And for some clients the traffic is surely allowed to reach the LAN, depending on the use case of the VLAN/Subnet. But I was still surpised, that its just routed.
Like already mentioned, this is a OPNsense design then. Because with any enterprise FW you do not have this behavior. For a good reason.

But maybe an additional Help-Text would be good to make this clear.
"Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
This is definitely not that clear. At least not to me. Because the initial connection was not coming from the LAN interface ingress.
If you know this behavior, sure its clear then.

If you allow HTTPS to any, I see no good reason why this should not include any random LAN/VLAN in your setup. It might be "surprising", but it's absolutly covered by the general rules of logic ;-)

[fastboot]

If you allow HTTPS to any, I see no good reason why this should not include any random LAN/VLAN in your setup. It might be "surprising", but it's absolutly covered by the general rules of logic ;-)

Sorry, I have to disagree. Because the logic is not clear. Allow only LAN, means allow only LAN. LAN interface is bound to a subnet. So my assumption would be, that everything else != LAN can obviosuly not connect.
So the logic is here: It only listens on the LAN interface, but in fact, if not denied, any client in any attached network could reach the Mgmt Interface. So this is not limited to just the subnet where the LAN interface belongs to.

Thats the logic of any Enterprise Firewall with its OOB Mgmt. I never needed to configure a blocking rule for other subnets, as the MGMT IPs of the FWs were never reachable from any other subnet beside the Mgmt subnet.

[Patrick M. Hausen]

Don't mess with the listen interfaces, use proper firewall rules instead. That's part of the architecture.

If you allow e.g. 443 from interface OPT1 in it's irrelevant on which address/interface the UI is listening. You can reach all local addresses of OPNsense from OPT1 on port 443.

That's why there is a whole paragraph in the docs about the listen interfaces setting and why "All" is indeed recommended. It does not in anyway restrict from where the UI can be accessed. The same is true  for all other services.

Restrictions are enforced by firewall rules only.

HTH,
Patrick