[OPNSense] Disabling SSH and HTTPS (WebGUI) Access on Certain VLAN Interfaces: How does this translate to firewall rules? (Or does it?)

Hello,

I’m working on hardening my home/home office OPNSense installation. I have a management VLAN set up, and an out of band management port with its own dedicated ethernet interface, so essentially I have two management networks.

My goal is to have the firewall accessible via SSH and HTTPS only on those two networks.

The guide I was using described the process of manually writing rules in the relevant network interfaces (a physical NIC and a VLAN in my case) to accomplish this, but after starting on this, I’m seeing SSH rules being auto-generated and now I’m confused. I want to make sure I understand what’s going on before I start adding rules.

I’ve only adjusted the SSH service so far, which has led to confusion, so I’ll start with that.

I already successfully adjusted the SSH listen interfaces (Settings > Administration) to only listen on the two interfaces I want, and I’ve tested that it works: clients attempting to connect via SSH to the firewall’s IP address on other VLANs and the actual parent LAN interface cannot connect via SSH. Success.

However, all the VLANs still have a pair of sshlockout auto-generated rules on them: one for my custom SSH port and one, oddly, for my custom HTTPS port for the web GUI. There’s also a matching floating rule:

The part that’s really confusing me is that these auto-generated rules look the same on VLANs where SSH is allowed, so I can’t tell the difference. I rebooted and I’m still seeing this.

It looks like changing the settings in the Administration area isn’t reflected in the firewall rules, which is … confusing.

So, a few questions:

  1. Is setting the listening interfaces in the GUI enough for SSH? That is, clearly I can’t connect on other interfaces anymore, but do I need to further manually tweak the firewall rules?
  2. Moving past SSH, the process for limiting access to the web GUI per-interface is identical (select the interfaces out of the list, instead of using the default “ALL”). However, the default global Disable Anti-Lockout (Firewall > Settings > Advanced) is still disabled (default setting). So, I think that means that even after restricting the listening interfaces, the GUI would still be on my parent LAN interface, and I’d need to disable the anti-lockout to change that. Is that correct?
  3. Again, do I need to manually set up firewall rules before changing these settings, or are they handled automatically (apparently?) like the ssh rules?

Thanks. I’m trying to pull as much as I can from the docs, but this is all a lot to learn at once.
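One check a practitioner would run after restricting the listen interfaces is to confirm, from the firewall's own socket table, that sshd and the web GUI daemon are bound only to the management addresses. The script below is an added example, not from the post or from OPNsense; it parses FreeBSD `sockstat -4l` style output, with a constructed sample standing in for the real output, and assumes hypothetical management addresses, a custom SSH port 2222, a custom HTTPS port 8443, and lighttpd as the GUI daemon.

```shell
#!/bin/sh
# Added example: verify which addresses sshd and the web GUI listen on.
# Input format is FreeBSD `sockstat -4l` (columns: USER COMMAND PID FD PROTO
# LOCAL ADDRESS FOREIGN ADDRESS). The sample below is constructed for this
# example; on the firewall, pipe the real `sockstat -4l` output in instead.

# Constructed sample: sshd is bound to the two management addresses only,
# while lighttpd (assumed GUI daemon) still binds to the wildcard address,
# i.e. it is still reachable on every VLAN.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sshd       1234  4  tcp4   10.10.99.1:2222  *:*
root     sshd       1234  5  tcp4   10.10.100.1:2222 *:*
root     lighttpd   2345  6  tcp4   *:8443           *:*'

# Hypothetical management VLAN and OOB addresses (assumed for this example).
MGMT_ADDRS="10.10.99.1 10.10.100.1"

# check_listeners DAEMON PORT  (reads sockstat output on stdin)
# Prints every DAEMON socket on PORT whose local address is not one of
# MGMT_ADDRS and returns 1 if any was found; returns 0 when all are fine.
check_listeners() {
    daemon=$1; port=$2; bad=0
    while read -r user cmd pid fd proto local foreign; do
        [ "$cmd" = "$daemon" ] || continue          # skip header/other daemons
        addr=${local%:*}; lport=${local##*:}        # split "addr:port"
        [ "$lport" = "$port" ] || continue
        ok=0
        for m in $MGMT_ADDRS; do
            [ "$addr" = "$m" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$daemon listens on non-management address $addr:$lport"
            bad=1
        fi
    done
    return $bad
}

# Demo on the constructed sample: sshd passes, lighttpd is flagged.
if printf '%s\n' "$SAMPLE_SOCKSTAT" | check_listeners sshd 2222; then
    echo "sshd: management interfaces only"
fi
if printf '%s\n' "$SAMPLE_SOCKSTAT" | check_listeners lighttpd 8443; then
    echo "lighttpd: management interfaces only"
fi
```

Running it on the real output complements the GUI setting: a wildcard or LAN address bind means the daemon is still reachable regardless of what the auto-generated rules look like.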