If you are using a pfSense firewall, you are probably aware that access to the management interface is allowed by default from all interfaces except the WAN. To enhance the security of your network, in many environments access to the management interface should be limited with firewall rules. For the reasons why, see the blog post Securely Managing Web-administered Devices. With that said, below we detail the steps required to limit access to the pfSense administrative interface using basic firewall rules.

First, we want to completely restrict administrative access from interfaces such as DMZ or WLAN. This can be accomplished with the rule pictured below: just above our interface allow rule, we have a rule that rejects access to PORTS_MGMT if the destination address is This Firewall. Note that PORTS_MGMT is an alias for ports 22, 80 and 443, and This Firewall is a built-in alias for your pfSense firewall. You will notice that every interface has a corresponding alias for its respective gateway address.
GWN
) interface.
LAN interface allowing pfSense management interface access from our management PC only and access for all others restricted. Below you will note that we have two rules, the first of which allows access to the management interface from the management PC and the second of which restricts access to all others.
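The rule order described above can be checked with a small first-match model. This is an added example, not part of the original post or of pfSense itself; the IP addresses, the `Rule` class and the helper names are constructed for illustration. It goes one step beyond the post by comparing This Firewall with a single interface address alias as the reject destination.

```python
import ipaddress
from dataclasses import dataclass

PORTS_MGMT = frozenset({22, 80, 443})        # alias from the post
FW_LAN, FW_DMZ = "192.168.1.1", "10.0.0.1"   # constructed firewall addresses
THIS_FIREWALL = {FW_LAN, FW_DMZ}             # built-in alias: every address the firewall owns
MGMT_PC = "192.168.1.10"                     # constructed management PC
ANY_PORT = frozenset()

@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "reject"
    src: str           # CIDR, or "any"
    dst: str           # "this_firewall", a single address, or "any"
    ports: frozenset   # empty set = any port

    def matches(self, src, dst, port):
        if self.src != "any" and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst == "this_firewall":
            if dst not in THIS_FIREWALL:
                return False
        elif self.dst != "any" and dst != self.dst:
            return False
        return not self.ports or port in self.ports

def evaluate(rules, src, dst, port):
    """Walk the interface rules top-down; the first match decides, no match is blocked."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "block"

def reachable_mgmt(rules, src):
    """(firewall address, port) pairs on which src can still reach management."""
    return sorted((fw, p) for fw in THIS_FIREWALL for p in PORTS_MGMT
                  if evaluate(rules, src, fw, p) == "pass")

LAN_RULES = [
    Rule("pass", MGMT_PC + "/32", "this_firewall", PORTS_MGMT),
    Rule("reject", "any", "this_firewall", PORTS_MGMT),
    Rule("pass", "192.168.1.0/24", "any", ANY_PORT),     # general LAN allow rule
]
DMZ_RULES = [
    Rule("reject", "any", "this_firewall", PORTS_MGMT),
    Rule("pass", "10.0.0.0/24", "any", ANY_PORT),        # general DMZ allow rule
]
# Variant for comparison: rejecting only the DMZ interface address instead of This Firewall.
DMZ_NARROW = [Rule("reject", "any", FW_DMZ, PORTS_MGMT), DMZ_RULES[1]]
```

An empty result from `reachable_mgmt` for every non-management client is the outcome the rules are meant to produce; the `DMZ_NARROW` variant shows the firewall's LAN address still answering DMZ hosts through the general allow rule.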