I am exploring the option of deploying pfsense VMs as firewall appliances for my virtual network project and would like to set it up so that the appliance VM is completely locked down. That is to say, no way remains to reconfigure the firewall. Redeploying a new VM as an 'update' is the intention and there should be no way to modify the VMs settings one it is deployed.
The two main avenues for configuration seem to be the webGUI and the console. As far as the webGUI goes, access can be locked by firewall rule, so that isn't a big deal.
The console, though, seems a little more difficult to lock down entirely. I'm wondering what the gurus might have, idea wise. My primary target is making the appliance tamper proof, and I'm guessing that others have had the same need in the past.
Thanks in advance for your suggestions.
Add your VM to a pool that no administrator has access to. Then no one will have access to the console.
The console menu itself can be put behind user/password in system/advanced/admin access "Password protect the console menu" But if the machine can be rebooted by the VM admin, then afaik its possible to boot it to single user mode and change things..
Full disk encryption should stop single user mode from modifying things on reboot.
But this is only really valid if you are absolutely certain the system never need to reboot.
I'm probably going to wait on/upgrade to Generation 2 VMs (I'm on HyperV). There is a powershell command that renders the VM headless so the console is essentially inacessible (please correct me if I am missing something).
But that only applies to Gen 2 VMs.
I'm still exploring options, there are some avenues that seem worth investigating.
This looks like it might be a solution for you.
I haven't checked that directory on pfSense myself but being freebsd based its worth checking out.
Change the console line in /etc/ttys to "insecure" to signify that the machine is in a physically insecure location and require a password to enter single user mode.