Thursday, June 6, 2013

pfSense Remotely Circumvent Firewall Lockout by Temporarily Changing the Firewall Rules


You could (very temporarily) disable firewall rules by typing:
# pfctl -d

Once you have regained the necessary access, turn the firewall back on by typing:
# pfctl -e

Alternatively, the loaded ruleset is left in /tmp/rules.debug. You can edit that file to fix your connectivity issue and reload those rules like so:
# pfctl -f /tmp/rules.debug

To check whether the file actually references your gateway address (substitute the real address for MyGatewayIP):
# grep MyGatewayIP /tmp/rules.debug

After that, do whatever work you need to do in the WebGUI to make the fix permanent. (From billm in this forum post)

Note: It is recommended to make IP address and gateway changes through the WebGUI, so that the correct values are written to /tmp/rules.debug; otherwise the network may stop working (the old IP is still in use and the new IP never gets written to the rules file).

Flush all rules (nat, filter, queue, state, info, table) and reload the ruleset from a file. The default file is /etc/pf.conf, but on pfSense the generated ruleset lives in /tmp/rules.debug, so that is the file to reload:
# pfctl -F all -f /tmp/rules.debug

Report on the currently loaded filter ruleset.
# pfctl -s rules

Report on the currently loaded nat ruleset.
# pfctl -s nat

Report on the currently running state table (very useful).
# pfctl -s state

If you do not want to disable pf, but you still need to get in, you can run the following shell command to add an "allow all" rule on the WAN:
# pfSsh.php playback enableallowallwan

Note: This is VERY DANGEROUS to keep around, so once you have regained access to the GUI with proper rules, be sure to delete this "allow all" rule.

Add firewall rule at the command line with easyrule
You can use the command line version of easyrule to add a firewall rule to let you back in.

# easyrule pass wan tcp x.x.x.x y.y.y.y 443

That would pass in from the remote IP x.x.x.x to your WAN IP, y.y.y.y on port 443. Adjust as needed.
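As an added example (not from the original post or the pfSense project), a few /bin/sh helpers around the steps above: a pfctl -d wrapper that schedules its own pfctl -e, a check that the gateway address really is in the ruleset file before you reload it, and an easyrule wrapper that refuses malformed addresses. The function names, the 300-second default and the sample ruleset lines are my own assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense project. Assumes
# pfSense's /bin/sh with pfctl, easyrule and /tmp/rules.debug present; only
# rules_mention_ip and is_ipv4 are safe to try on any box.

# Disable pf but schedule an automatic pfctl -e, so a dropped SSH session
# cannot leave the firewall off indefinitely. Default window: 300 seconds.
pf_disable_with_watchdog() {
    secs="${1:-300}"
    case "$secs" in ''|*[!0-9]*) echo "seconds must be numeric" >&2; return 1;; esac
    pfctl -d || return 1
    # nohup keeps the watchdog alive after the login shell exits
    nohup sh -c "sleep $secs && pfctl -e" >/dev/null 2>&1 &
    echo "pf disabled; re-enabled automatically in ${secs}s (or run: pfctl -e)"
}

# Return 0 if the ruleset file names the given address, 1 otherwise. Run this
# before pfctl -f so you notice an old gateway IP still sitting in the file.
rules_mention_ip() {
    grep -qF -- "$2" "$1"
}

# Dotted-quad IPv4 check (four numeric octets, each 0-255). Rejects typos and
# leftover placeholders such as x.x.x.x before they reach easyrule.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0
    } { exit 1 }'
}

# easyrule wrapper: validate both addresses, then add the pass rule on WAN.
easyrule_pass_in() {
    src="$1"; wan="$2"; port="${3:-443}"
    is_ipv4 "$src" && is_ipv4 "$wan" || { echo "bad address" >&2; return 2; }
    easyrule pass wan tcp "$src" "$wan" "$port"
}

# Demo on a constructed rules.debug-style fragment (not a real ruleset).
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
set skip on lo0
pass out route-to ( em0 203.0.113.1 ) from 203.0.113.10 to any keep state
EOF
if rules_mention_ip "$sample" 203.0.113.1; then
    echo "gateway 203.0.113.1 present; pfctl -f $sample would load it"
fi
rm -f "$sample"
```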

Remotely Circumvent Firewall Lockout With SSH Tunneling
If you blocked access to the WebGUI remotely (which is smart to do, anyhow) but you still have access with SSH, then there is a relatively easy way to get in: SSH Tunneling.

If the WebGUI is on port 80, set your client to forward a local port (80, 8080, or whatever you like) to the remote address localhost:80, then point your browser at http://localhost:80 (or whichever local port you chose). If your WebGUI is on another port, use that instead. Obviously, if you are using https you will still need to use https to access the WebGUI this way.

Here is how to set up a port 80 tunnel in PuTTY (the settings are under Connection > SSH > Tunnels):

Enter the local source port, set the destination to localhost:80, then click Add. Once you connect and enter your username/password, you can access the WebGUI using your redirected local port.
