webConfigurator Options in pfSense

Today, I thought it might be interesting to look at some of the advanced pfSense settings. I will start this series by looking at the webConfigurator settings, which you can find by navigating to System -> Advanced, and clicking on the “Admin Access” tab.

webConfigurator Options


webConfigurator settings in pfSense 2.0

The first setting is “Protocol“. The default is HTTP, but you can choose HTTP Secure, which runs HTTP on top of the SSL/TLS protocol, enabling secure communications. Next is “TCP port“; here you can enter a custom port number for the web interface (80 for HTTP, 443 for HTTPS). This provides an extra layer of security, as you can use “security through obscurity” to hide the pfSense webConfigurator from others (this is especially valuable if, for whatever reason, you have to be able to access the webConfigurator from the WAN interface).

The next setting is “Max Processes“, in which you can alter the number of webConfigurator processes that are allowed to run simultaneously. Increasing the number of instances allows more users/browsers to access the GUI concurrently. Next is the “Disable webConfigurator redirect rule“. When this check box is unchecked, access to the pfSense web interface is always permitted from the WAN, even on port 80, regardless of the listening port is configured. Checking this box disables this access. If it is checked, access to the webConfigurator can be allowed, but only via an explicit rule and via NAT port forwarding.

The next setting is “Disable web configurator login autocomplete” When this in unchecked (the default), login credentials for the webConfigurator maybe saved by the browser. Checking this check box disables autocomplete on the login form so that browsers will not prompt to save credentials, but not all browsers respect this option.

Next is “Disable logging of webConfigurator successful logins“; when this is checked, successful logins to the webConfigurator will not be logged. When unchecked, “Disable webConfigurator anti-lockout rule” will allow access to the pfSense web interface regardless of what firewall rules are set. If this box is checked, then access from the LAN will still be possible if the web interface is set to port 80 and the default “Anti-Lockout Rule” is still in place (or if a rule is created to allow traffic on whatever port you choose). Make sure such a rule is in place before you check this box, or you could lock yourself out.

Disable DNS Rebinding Checks” when unchecked blocks private IP responses from your configured DNS servers. Sometimes, however, it may interfere with webConfigurator access or name resolution; if so, you can check this box so that such private IP responses will not be blocked. Below this, at “Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks“, you can specify alternate hostnames by which the router may be queried to bypass the DNS rebinding attack checks (hostnames should be separated by spaces). Finally, when unchecked, “Disable HTTP_REFERER enforcement check” will disable access to the webConfigurator from scripts that try to redirect traffic based on the HTTP_REFERER field. Checking this box disables this protection, which may help if you use external scripts to interact with the system.

External Links:

HTTP_referer at Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy