Why is file sharing not recommended on a pfSense box?

  • Hi, I have a server that was running FreeBSD that started giving me trouble with PF after upgrading to FreeBSD 12.1. So I thought I’d give pfSense a go.

    I am not able to find any file server services (ie AppleTalk, FTP, SMB, iSCSI, NFS) after installing and looking at the forums I see that a lot of people here are claiming it’s a bad idea. Can I know the reasoning behind this? A lot of modern consumer grade routers have USB ports that one can plug a USB hard drive in and use as a file server. Furthermore the machine I installed pfSense on has a 640GB hard drive and pfSense only uses a small chunk of that storage. It’s difficult to find drives of less than 120GB, especially for SATA connectors. I think of all the wasted space and cringe.

    I think pfSense should consider allowing file services on the server, since it is a common feature on many other consumer routers. Furthermore with proper setup (ie jailing and limiting the connection to LAN only) it would be quite safe.

    Additionally pfSense already has a TFTP server? Surely that’s more dangerous because it has zero authentication?


    The point is that a firewall should be only a firewall. If you start putting other stuff on it, you create possible security risks. Tftp is often used for booting up systems, including VoIP phones and so is often provided on the router, which pfSense is also.

  • Netgate Administrator

    Yup, that's not going to happen anytime soon. Ancient thread for reference time scale:

    If you want to make better use of your hardware put a hypervisor on it and run virtualised along with other stuff.


  • If you want to run a FreeBSD file server on your firewall (or vice versa), you can use XigmaNAS (was NAS4Free, was FreeNAS originally). It offers a firewall, on the normal install. But though I'm very happy with XigmaNAS as a Samba and DLNA server, I would much rather maintain separation of security services.

  • @JKnott if pfSense is also a router distro, then the reason to not include a file server is hypocritical. Like I said before, many other consumer routers have the ability. And if done right (ie jailed and have it’s listening ports constrained to LAN only) it can be as safe as if it wasn’t there. If security is the reason, then the TFTP server should also not be there (especially since one can upload and download files without any form of authentication whatsoever) and neither should the Squid proxy, which if misconfigured, can be and has been exploited by those desperate to get around region blocking and censorship (especially prior to the prominence of VPN), or even just to hide their tracks.

  • @RAMChYLD Because there's never any security issues on consumer routers...
    This says it best: "You go to Walmart and buy the cheapest thing that says 'REALLY REALLY FAST' on the box ... look at the router box real close. See any discussion about security on it? Nope. You won't. Why? Because they aren't secure because the real goal is that the dumbest person who opens the box be able to connect to the internet without them paying a tech support person for an hour to help you on the phone."

  • @RAMChYLD said in Why is file sharing not recommended on a pfSense box?:

    @JKnott if pfSense is also a router distro, then the reason to not include a file server is hypocritical.

    No, it's typical. While consumer gear may do that "real" routers don't. Take a look at one from Cisco, etc.. They will have TFTP available, as it's necessary to get some things going. Also, a firewall is part of a router's function from just about every brand I've seen. Routing is a function that's built into the operating system that routers use. Many run Linux.

  • pfSense is also an enterprise-capable firewall. I don't think you'd want to bet your real business on a Linksys or Asus from Walmart. Looking at it this way, you are getting enterprise-level performance and security for your home net at no required expense except what it takes to learn to manage it. Of course, being open source, you can always get creative and roll your own: https://github.com/pfsense/