Fusion admin firewalled?

My FusionHub WAN-side admin access on port 4343 does not seem to be following the rules of “inbound firewall rules”. Should it be controlled here? I have set a couple of specific service rules to filter access, and these are observed. I have also set the default rule to Deny all, which, if applied fully, I think would probably prevent the admin access and lock me out. So I’m thinking the admin port is given a free pass with inbound rules?

Can admin access be limited to certain ranges?

Inbound Firewall rules are applied to inbound traffic that is defined in “Port Forwarding” but not to traffic to FusionHub itself. Allowing web admin access from defined networks is not supported by FusionHub currently. This feature is already on the roadmap.

Bumping this old thread: given that not all cloud providers let you set security policies on their side, it should be possible to firewall the admin interface on the FusionHub.

Or, in cases when it’s managed by InControl, maybe disable direct access entirely.

We have studied the feasibility of implementing this, but it is not easy. We need to prevent the FusionHub from being “deadlocked”. For example, if there is a misconfiguration on the WAN of a Balance router, we can still access it from the LAN side. FusionHub has only a WAN interface by default. If there is a misconfiguration, there is no way to access the FusionHub anymore, unless you access it from InControl2’s Remote Web Admin.

If there is a firewall in front of the FusionHub, it will be better to limit the access in the firewall.

Ultimately, if I lock myself out of the FusionHub with a firewall rule then that’s my problem, and in a lot of cases there’s always the VM console that could be used to reset/disable it.

Leaving an admin interface exposed to world + dog because someone might lock themselves out is not acceptable from a security point of view.

As I said before, some of the cloud providers do not have a network security policy option, which means the admin interface is exposed directly to the internet.

Hi,

Thanks for the suggestion.
As a workaround, you can configure FusionHub’s web admin allowed networks from InControl.

I’m not convinced that works. I set it to 192.168.1.1 as a test and could still log in to the FusionHub.

Edit: Ah, it’s because I’m connecting through that FusionHub.