Webgui access from red

vapaa · 17 February 2020 17:28

hello,

can somebody explain me, what have i todo when i want access the webgui from the red site?
Current i dont have access to the webgui.

thx
vapaa

xperimental · 17 February 2020 17:57

Do that with port 444: https://wiki.ipfire.org/configuration/firewall/rules/port-forwarding/red_to_server_on_green

Source: Network RED -> Destination NAT -> Destination: Firewall ALL

Destination Port 444

baruch234 · 21 February 2020 13:54

Is there any need to expose IPFIRE’s administration GUI to everybody from outside the world? This would be very dangerous! - If you need to access your firewall from RED using a dedicated system (laptop e.g.) or a small number of systems: configure an OpenVPN roadwarrior-connection to GREEN and access the GUI from here - this would be the most secure way.

pike_it · 21 February 2020 14:24

I can agree with suggestions to @baruch234.
Until GeoIP worked correctly, i downsized the access to 444 port on RED only from IP of my country.
And for several reasons, do not expose admin interface is a nice and safe setup.

Therefore… if:

webgui is correctly designed for login in a secure way (I bet that’s so)
the password is a good one and not a crapword
you have a backup admin user without a “well known name”
you have backup of logs and config available
there’s a Fail2ban mechanism to avoid brute force (should be a nice add to IPFire)

keeping accessible the admin interface from internet is not a wise idea, but should not be like playing with lighter between tanks of gasoline

xeonium · 21 February 2020 20:40

Instead of fail2ban will guardian drop any failed login attempts above three
IMHO

xperimental · 22 February 2020 07:56

GeoIP is not working atm (list blank).

bbitsch · 24 February 2020 15:45

I think it is no good idea to search for a solution for admin access from RED. Administation should be done from GREEN ( or BLUE ). This is secure zone.
There are ways to allow access to LAN from outside for dedicated systems ( VPN, SSH tunnel ).
Use this to do a secure remote administration.

itechpro · 24 February 2020 19:32

I use the ssh login with “public key based authentication” only, and port forwarding for that purpose.

bbitsch · 26 February 2020 11:53

I think that is the exact description of my “SSH tunnel” topic. Didn’t use it for years.
Nevertheless, one should establish exactly one secured access from outside to the internal net(s) for dedicated persons/devices. Thus access can be monitored/administrated without much overhead and complexity.

vapaa · 3 March 2020 18:07

i found for me a solution
https://wiki.ipfire.org/installation/hetzner-cloud

troll-op · 18 August 2020 22:07

Hi Bernhard, do you have a link for the SSH tunnel discussion? Since the last update I cannot get it working. I would like to have it back as an alternative to VPN when/if it stops working (which it resently has done). Thanks