Web GUI accessible from WAN interface #1384

Closed
OleRoel opened this issue Feb 8, 2017 · 9 comments
Labels
support Community support

Comments

@OleRoel

OleRoel commented Feb 8, 2017

Not sure if this is the right place for the issue report.

After a fresh install I can access the web GUI from outside my local network on the WAN interface. This is extremely bad in my opinion, since this allows intruders to attack my network with brute-force attacks and turns the firewall into an anti-firewall.

The web GUI socket should bind to the LAN interface(s) and not to the WAN interface.

@EugenMayer
Contributor

This is actually not the default and must be something else. Did you import a config? Are you sure you configured WAN/LAN right? In a default setup, you cannot access the GUI from WAN.

@OleRoel
Author

OleRoel commented Feb 8, 2017

This was a clean install on an ALIX 3 board. No configuration work afterwards, the block private networks flag on the WAN interface is enabled. I've already described the problem here: https://forum.opnsense.org/index.php?topic=4035.0 but without any response that helped me.

I am quite sure that the problem must be on my side, but really have no clue what it can be. It is a clean install.

@Woi

Woi commented Feb 9, 2017

I cannot reproduce this with a fresh install of OPNsense 17.1 nano on an alix2d13 with literally no more configuration than setting up PPPoE:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-09 17:15 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds

and

$ nmap XXX -Pn

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-09 17:18 CET
Nmap scan report for XXX (X.X.X.X)
Host is up (0.0021s latency).
rDNS record for X.X.X.X
Not shown: 998 filtered ports
PORT   STATE  SERVICE
25/tcp closed smtp
53/tcp closed domain

Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds
$ 

@OleRoel
Author

OleRoel commented Feb 9, 2017

This is what I get:

nmap XXX -Pn

Starting Nmap 7.00 ( https://nmap.org ) at 2017-02-09 17:29 CET
Nmap scan report for XXX.dynamic.kabel-deutschland.de (X.X.X.X)
Host is up (0.0034s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds

The thing is that I am running a cable modem in bridge mode in front of my firewall, and my IP address is not a real IPv4 address but a magical IPv6-to-IPv4 tunnel. But, on the other hand, OPNsense shows me a real IPv4 address and has nothing to do with IPv6.

This is what the "Interface List" on the dashboard shows:

WAN 1000baseT X.X.X.X

Where X.X.X.X is not in the private network range and has been used in the nmap scan above.

@af001

af001 commented Jun 10, 2018

Make sure you scan from a network outside of your WAN. You will see these ports open if you don't. I normally use my phone's data connection (disconnected from Wi-Fi). Navigate to your public IP and you should not be able to connect via HTTP or HTTPS.
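As an added example (not code from this thread or from OPNsense), a small Python check that applies the advice above: it parses nmap output of the kind pasted earlier in the thread and refuses to call the GUI "exposed" when the scanning host sits inside one of the firewall's LAN networks, which is exactly the situation that produces a false alarm. The sample nmap output, the LAN network and the scanner addresses are constructed; the GUI port set is an assumption (default HTTP/HTTPS).

```python
import ipaddress
import re

# Constructed sample, modelled on the nmap -Pn output pasted in this thread.
SAMPLE_NMAP = """Starting Nmap 7.00 ( https://nmap.org ) at 2017-02-09 17:29 CET
Nmap scan report for fw.example (203.0.113.10)
Host is up (0.0034s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds
"""

# Matches nmap port table rows such as "443/tcp open  https".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Assumption: the web GUI listens on the default HTTP/HTTPS ports.
GUI_PORTS = {80, 443}


def open_ports(nmap_text):
    """Return the set of port numbers nmap reported in state 'open'."""
    return {int(port) for port, _proto, state, _svc in PORT_RE.findall(nmap_text)
            if state == "open"}


def scan_was_external(scanner_ip, lan_networks):
    """True if the scanning host is outside every LAN network of the firewall.

    A scan from inside the LAN (or from a Wi-Fi client that landed on the LAN)
    reaches the GUI legitimately, so its result says nothing about WAN exposure.
    """
    addr = ipaddress.ip_address(scanner_ip)
    return not any(addr in ipaddress.ip_network(net) for net in lan_networks)


def assess_gui_exposure(nmap_text, scanner_ip, lan_networks, gui_ports=GUI_PORTS):
    """Classify a scan of the WAN address as inconclusive, exposed or not exposed."""
    if not scan_was_external(scanner_ip, lan_networks):
        return "inconclusive: scanner is inside the LAN, GUI is expected to answer there"
    if open_ports(nmap_text) & gui_ports:
        return "exposed: web GUI ports answer on the WAN address"
    return "not exposed: no web GUI port open on the WAN address"
```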

@MrM40

MrM40 commented Feb 3, 2019

My GUI is also accessible from WAN. I have a rather default setup with LAN and WAN interfaces.
Using out-of-the-box FW rules.
I expected the default FW config would be "deny", but that seems not to be the case.
I don't have a FW rule allowing WAN -> OPNsense!
What is going on?

@fichtner
Member

fichtner commented Feb 3, 2019

@MrM40 Make sure to provide your test setup used to confirm this here for us to check. It is often a faulty assumption that leads to such inquiries...

@fichtner fichtner added the support Community support label Feb 3, 2019
@MrM40

MrM40 commented Feb 3, 2019

Oops... my Wi-Fi had jumped to LAN, my mistake :-( Sorry for the inconvenience.

@fichtner
Member

fichtner commented Feb 3, 2019

@MrM40 no worries 👍
