"If they find an issue with public key encryption, we're all in trouble and your firewall will be the least of your concerns." Something about that made me chuckle in fear lol.
Just a note, do not use port 222 or 5555 as given in the example. Both ports are commonly scanned for as well as many many others. For the most 10 most common scanned ports watch AT&T ThreatTraq Internet Weather Report ru-vid.com/group/PLq4ic8ODT5PfsdQ7XBnKqIa2FBLmwjanL . Also remember to use best security practices for SSH as it can allow access to any computer on any connected network not just the localhost.
If pfSense is in a virtual machine and the WAN IP of it is a private, example 192.168.1.23, you must disable "Block private networks and loopback addresses" under Interfaces/Wan in order to have the Firewall rules to work.
That seems like a solid idea. I've used openvpn to have a remote router "phone home" and it's stable but certainly a more involved setup. How are you setting up the remote sites to deal with dynamic IPs and what do you do for your password management as all of the remote sites are at localhost:port? is there an autossh package on pfsense to get it to phone home to you with a reverse tunnel setup?
How do you centrally manage and monitor your entire fleet of pfsense devices for outages and other issues? Also with public/private keys for SSH, how do you keep up with with all the keys on each firewall that's specific to each of your technicians? Is there a way you can orchestrate changes like for example if a technician had their computer stolen would you have to remote into each firewall individually and revoke the key or could you do it with a couple of clicks and push that change to every firewall at once?
We made a central management system for pfsense, based on SSH port forwarding. To be able to view all kind of information in one dashboard. Uptime states CPU mem backups, live icmp etc
FYI, from the start it's a good idea to temporarily disable SSHGuard/Login Protection before too many failed SSH logins happen. Don't ask me how I know. 🙂
if you configure a rule that allows access to https, it will allow anyway, despite ssh rule. I mean I can connect via browser before(without) connecting via ssh
This seems like a lot of work. Why not toss a ip on the loopback, create a ipsec tunnel to your network, this way you can manage the device at the far end from anywhere within your own management network. That way you can stay sanitized and not have ports opened etc. I understand the port is only opened from a particular source but this just seems like a lot of work.
@@LAWRENCESYSTEMS I needed to expose mysql to my friend, but I didn't want to install ssh on the mysql server because I'm going to moving it to a container eventually, so I rather him authenticate thorough the pfsense box. I came up with this, ssh -L 3306:(ip-of-mysql-server):3306 -p (random-port-for-this) (non-admin-pfsense-username-with-publickey)@(my-public-ip-address), I'm sure this not the right way to do this, but it does work. I would like to know how to properly set this up so they can have to authenticate before they can get access to a port. I was going to setup a second openvpn on pfsense but I figured that was overkill since only need to expose one port. Thank You
!!! Ho Li $#! +. There goes any hesitation I had for going all in on pfSense. I obviously don't know what I don't know. Any suggestions for an overview of things past the basics that Linux can do?
hey tom nice and great video, hoping that you have also a video on how to set up on windows command. I'm following your videos. More power and I hope sooner or later you read my comment. Keep Safe
teacher I am from Peru. I am a student. I would like if you could teach us from the beginning snort openaddid + pfbloquers. Excuse greetings from Peru and thanks for your videos
Great video, I'm having a bit of a problem hitting the localhost:5555 cant connect at all, do I need to add other rule beside the ssh allow on the WAN ? The admin access and the wan rule have been configured correctly Thanks guys
Okay, I have watched the video again and I have a question. Can I get a let's encrypt certificate for pfSense box? Will the same scripts work that I use on my debian based boxes? I do realize it is BSD based that's why I ask.
So you do need the private key to login to the server correct? because if someone had your IP and your public key they shouldn't be able to do anything is that correct?
@@LAWRENCESYSTEMS Yes, peehaps even to the point why if your private key is stolen on a laptop, you should revoke the existing public key from your servers and create a new the private key. Paranoid? Perhaps but nice to know that the servers you are responsible for are not accessible by ill-gotten means.
