Block server manager from internet

NethServer Version: 7.9.2009

Hello,

I have a problem blocking Server Manager from the internet (red interface). Even if I deny Server Manager access from WAN in the settings tab, I’m still able to get access to myip:9090 from the internet.

Am I missing something?

Thank you for any feedback

@Egy87

Hi

And welcome to the NethServer Community!

You’re using the old NethGUI, also called Server Manager (Port 980), not the newer Cockpit (Port 9090). The old NethGUI (can still be used) doesn’t know about the newer Cockpit; it only blocks its own access from the Internet. If you use the newer Cockpit to set the access option, you can block access to Port 9090 from the Internet…

My 2 cents
Andy

Did you take a look at the screenshot, dude? I think you’ve missed a cup of coffee this morning :wink:
Hi @egy87, AFAIK there should also be another place where you can restrict the access to Cockpit, and it’s placed here.


where you can specify an eventual set of public IP addresses that should have access to the administrative interface.
I am assuming that after switching off RED access you clicked Save and tried to access “from scratch” from an external device (e.g. a private tab from a smartphone/tablet).
(Moreover… I’m Italian, but most of the community is not, so please post screenshots in English :wink: Cockpit is easily translated with a couple of clicks and you can switch back to Italian in the same way.)

2 Likes

@pike

Yes, was a bit early this morning…
Long day, 2 - 3 hours from home today… :frowning:

My 2 cents
Andy

Hi @pike, please take a coffee with @Andy_Wismer :joy:
It’s the same place as @Egy87 described, if you enable the access, you get the field to enter the IP.

@Egy87 Can you tell us something about your network configuration? Do you have a green and a red LAN?

1 Like

IDK if he likes my flavour…
(sorry for the joke)

2 Likes

First of all many thanks to everyone for your feedback.

My goal is to block Cockpit connections from all IPs (except green interfaces), because the red interface of the server is in the DMZ of the router, and basically the red interface is directly exposed to the internet. I don’t want someone to try to access Cockpit from the internet.

After setting it as in my screenshot and saving, I tried to connect from my phone via 4G and I was able to reach Cockpit and access it.

I also tried to use a firewall rule that blocks port 9090 for the red interface, but this solution didn’t work either.

So, is there something else to do? Or some configuration file to edit via terminal?

@giacomo, might a bug regression have emerged?

I do not think so: that part of the code has no recent changes.
I just did a quick test:

--- /etc/shorewall/rules.open	2021-07-08 08:59:04.423612421 +0200
+++ /etc/shorewall/rules.close 2021-07-08 08:59:21.527846374 +0200
@@ -608,7 +608,6 @@
 #
 ?COMMENT cockpit
 ACCEPT	loc	$FW	tcp	9090
-ACCEPT	net	$FW	tcp	9090
 
 #
 #	Service: bandwidthd Access: NONE
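
Review bot: At the removed `ACCEPT net $FW tcp 9090` line, rules.close gains no explicit DROP or REJECT for net to $FW on tcp 9090, so with RED access off the port is closed only if the net-to-firewall policy and every other rule deny it, and neither is visible in this hunk. On the affected host, confirm that the live rules file no longer has that ACCEPT line under `?COMMENT cockpit`, that no other rule accepts 9090 from net, and that `ACCEPT loc $FW tcp 9090` is still present so access from green keeps working.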

Why are you thinking about a regression?

It seems to me like a bad configuration somewhere (router, cable, etc…)

Might be an option too… Currently not able to test/verify whether the issue can be replicated.
@Egy87 would you please share your firewall configuration via screenshot? Mask public IP addresses, and please also show us the network configuration.

3 Likes