Author Topic: how to disable webGUI from console (SOLVED)  (Read 1035 times)

enoch
how to disable webGUI from console (SOLVED)
« on: January 04, 2012, 04:06:43 am »
Hello,

I'm using webGUI to do initial configuration and after that I don't really need it. Box just sits on the network busy doing its job*. It is only when it comes to doing a firmware update that I need to log in via web GUI.

My reasoning is, and please correct me if my thinking is flawed, that by disabling web server I could protect my box from somebody exploiting future vulnerabilities in the web server. Plus maybe free up some extra resources.

So is it possible to disable and enable web server from the console? Or is it too tightly integrated with the whole thing? I'm using pfSense as a perimeter firewall, it is doing NAT and acting as a DHCP server for my LAN.

* thanks pfSense team for such a stable product!
« Last Edit: January 05, 2012, 07:58:51 pm by enoch »

jimp (Administrator)
Re: how to disable webGUI from console
« Reply #1 on: January 04, 2012, 12:45:35 pm »
Unless you opened up the GUI port on the firewall for people to access, then it isn't a threat. It's meant to be running all the time.

You could kill the lighttpd processes and then restart it with /etc/rc.restart_webgui, but that isn't recommended.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

enoch
Re: how to disable webGUI from console
« Reply #2 on: January 04, 2012, 02:42:18 pm »
Let me clarify that I'm talking about blocking web GUI access from LAN too. Probably I'm a bit paranoid but there is really no need for anybody to be able to poke around a web server installed on my firewall box.

Firewall rule would be a good solution for me I guess. If I disable the anti lock-out rule and then I put something like that at the very beginning of my rule set:
Code:
    block in quick on $lan_if inet proto tcp from any to ($lan_if) port {http, https}
But is it possible to enable/disable this rule via console when needed?

jimp (Administrator)
Re: how to disable webGUI from console
« Reply #3 on: January 04, 2012, 02:44:06 pm »
No, the rules and everything are meant to be managed from the GUI. It isn't geared toward managing those things from the shell.

That said, you *could* do that rule, and then rely on ssh forwarding to get you into the GUI. (Just make sure your ssh forwarding works before activating that rule)

enoch
Re: how to disable webGUI from console
« Reply #4 on: January 04, 2012, 03:24:08 pm »
I will look into that solution. Thank you very much for your help.

enoch
Re: how to disable webGUI from console (SOLVED)
« Reply #5 on: January 05, 2012, 07:58:21 pm »
Just want to confirm that it works. Some extra block rules are required so that the traffic doesn't slip in with the default "pass any to any" rule.
I find this solution really neat and simple, a lot better than what I was originally asking for.
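
Reply #3 advises confirming that SSH forwarding works before the block rule goes live. A pre-flight check along those lines follows, as an added example that is not part of the original thread. Assumptions: SSH is already enabled on the firewall, the GUI answers on the firewall's own loopback address on port 443 over HTTPS, and local port 8443 is free; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: check that the webGUI is reachable through an SSH tunnel
# before (and after) the LAN block rule is enabled.
# Assumed defaults, not from the thread: GUI port 443, local port 8443, https.

# verify_gui_tunnel USER@HOST [GUI_PORT] [LOCAL_PORT] [SCHEME]
# Returns 0 only if the GUI answers through the tunnel.
verify_gui_tunnel() {
    target=$1
    gui_port=${2:-443}
    local_port=${3:-8443}
    scheme=${4:-https}
    ctl="${TMPDIR:-/tmp}/gui-tunnel.$$"

    # -f background after auth, -N no remote command, -M/-S control socket so
    # the tunnel can be closed cleanly. ExitOnForwardFailure makes ssh fail
    # if the local port cannot be bound, instead of connecting without a forward.
    # The forward ends at 127.0.0.1 on the firewall, so the GUI connection
    # does not arrive on the LAN interface that the block rule covers.
    ssh -f -N -M -S "$ctl" -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${local_port}:127.0.0.1:${gui_port}" "$target" || {
        echo "tunnel to $target failed; do not enable the block rule" >&2
        return 1
    }

    # -k: accept a self-signed GUI certificate; -m 10: give up after 10 s.
    code=$(curl -k -s -o /dev/null -m 10 -w '%{http_code}' \
        "${scheme}://127.0.0.1:${local_port}/") || code=000

    # Tear the tunnel down again through the control socket.
    ssh -S "$ctl" -O exit "$target" 2>/dev/null

    case $code in
        2??|3??) echo "GUI reachable via tunnel (HTTP $code)"; return 0 ;;
        *) echo "GUI not reachable via tunnel (HTTP $code)" >&2; return 1 ;;
    esac
}

# Run only when a target is given on the command line.
if [ "$#" -gt 0 ]; then
    verify_gui_tunnel "$@"
fi
```

Invoke it with the firewall's SSH target as the first argument, once before enabling the block rule and once after, so a broken tunnel is noticed while the GUI is still reachable directly.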