
Secure remote firewall administration via SSH

Using a Web-based component to configure firewalls may not be secure. Vincent Danen highlights another way.


Most firewall systems contain a Web-based component that allows you to configure the firewall. This holds true for most entry-level firewall systems (Linksys, D-Link, etc.) and also open source firewall systems such as pfSense.

These systems tend to provide ways to access the Web interface remotely via the Internet; however, this should not be considered secure at all.

Instead, if there is a system on the inside of the network that you can forward a port to for SSH, you can then SSH into the box and use TCP forwarding to get to the firewall via the inside of the network. This has the advantage of authentication and strong encryption.

If the remote firewall has SSH running on it, you do not even need another internal system to SSH into; just SSH into the firewall itself.

On the system you are connecting from (the SSH client), edit ~/.ssh/config and add an entry similar to the following:

Host remotefw
  Hostname remotefw.remote.com
  User admin
  Port 522
  LocalForward 8888 192.168.10.1:80

This allows you to execute "ssh remotefw" on the command line to connect to the host remotefw.remote.com as the user "admin", on port 522. It will also forward connections on the local system's port 8888 to port 80 on the remote system 192.168.10.1 (the firewall). Note that the user to connect as (admin) is not for the firewall; this is the SSH, or local, user on the remote system.

Now point your browser to connect to http://127.0.0.1:8888 (use https if the firewall requires it). You should be prompted for the credentials to get into the Web-based configuration utility.

Once you are finished working with the firewall configuration, simply close the browser window and exit the SSH session.

If this does not work, chances are the remote SSH server has TCP forwarding disabled. You will need to connect to the remote system and, as root, set the AllowTcpForwarding keyword to yes in the sshd configuration and restart sshd.

The advantages of using TCP forwarding over SSH to reach remote firewalls, rather than enabling the firewall's own remote administration, should be self-evident. With SSH, access is limited to the users who are able to SSH in, and with key-based authentication, brute-force password attacks are ruled out. The SSH encryption also protects the session itself.
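
As an added example (not part of the original post), the following shell script checks the two sshd settings this procedure depends on, AllowTcpForwarding and PasswordAuthentication, against a constructed sshd_config fragment; it assumes only POSIX sh and awk, and the sample file content is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config before
# relying on the LocalForward tunnel. sshd keeps the FIRST occurrence of a
# keyword and ignores later duplicates, keyword names are case-insensitive,
# and "key=value" is accepted as well as "key value". Lines inside a "Match"
# block are skipped here, since they apply only conditionally (a
# simplification made by this example, not sshd's full logic).

# sshd_effective FILE KEYWORD DEFAULT: print the effective value, or DEFAULT.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        { gsub(/=/, " "); k = tolower($1) }         # normalise "key=value"
        k == "match" { in_match = 1; next }         # conditional block begins
        in_match { next }
        k == key && !found { print $2; found = 1 }  # first occurrence wins
        END { if (!found) print def }
    ' "$1"
}

# tunnel_policy FILE: return 0 when FILE permits a local forward (-L /
# LocalForward) and has password logins disabled, the posture the post
# recommends; otherwise print what blocks or weakens the tunnel and return 1.
tunnel_policy() {
    fwd=$(sshd_effective "$1" AllowTcpForwarding yes)     # sshd default: yes
    pw=$(sshd_effective "$1" PasswordAuthentication yes)  # sshd default: yes
    case "$fwd" in
        yes|all|local) ;;   # "no" and "remote" both refuse a LocalForward
        *) echo "LocalForward refused: AllowTcpForwarding=$fwd"; return 1 ;;
    esac
    if [ "$pw" != "no" ]; then
        echo "password logins still allowed: PasswordAuthentication=$pw"
        return 1
    fi
    echo "ok: AllowTcpForwarding=$fwd, key-based authentication only"
}

# write_sample FILE: a constructed sshd_config fragment for demonstration.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not any real host's configuration
Port 522
allowtcpforwarding=no
AllowTcpForwarding yes
PasswordAuthentication no
Match User backup
    AllowTcpForwarding yes
EOF
}
sample=$(mktemp) && write_sample "$sample"
tunnel_policy "$sample" || :   # reports why the forward would be refused
rm -f "$sample"
```

The duplicate AllowTcpForwarding line in the sample is deliberately ignored, matching sshd's first-occurrence rule, so the audit reports the forward as refused.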

I use this method of remote firewall configuration quite often. It allows me to configure remote pfSense firewalls for clients, and even the remote Linksys firewall at my mother's house (of course, she is also using Fedora at home, and I can remotely SSH in to access the firewall). The only prerequisites are that the firewall forwards a port for SSH to a system on the remote network and that you have appropriate credentials to log in.

It also cuts down on unnecessary trips to remote offices or homes to do firewall tweaking or diagnostics, which is always welcome.