How to secure pfSense system?



  • How to secure pfSense system? My network will only be as secure as how I configure the firewall and how secure the pfSense system is (assuming I'm using pfSense as the firewall).

    But how can I secure pfSense? Does pfSense have any back doors? How can I verify it doesn't? Configuring the pfSense firewall through the web GUI from another system seems to compromise the pfSense firewall, because the other system might have a back door or malware.

    Hardware-wise, how can I mitigate hardware back doors in processors from Intel or AMD?



  • All these questions boil down to one simple answer: build your own hardware. Develop your own software. Done.
    And also: do not connect to networks that you do not trust (like the Internet) and do not accept devices that you do not trust (on your own networks).

    Or learn what routers / firewalls actually do. This technology has been downgraded from "rocket science" to "your basic daily need-to-know knowledge" since the seventies (last century). Also: the Internet talks a (an awful) lot about this stuff. This enables you to eliminate these questions also, because you can easily check what comes in and goes out. This is a standard 'network admin' requirement, btw. Just as you can't drive a car without - at least - a license that says you did follow some 'education' to do so.
    Because, as without the license, the big and foremost danger ... will be you.

    Btw: backdoors .... while hundreds of thousands are using it .... If that was so - and I admit that I can't be sure for 100 % - Netgate might as well pull the economical bulletin through its head.


  • Netgate Administrator

    Configure it to allow the traffic you need and only that.
    https://docs.netgate.com/pfsense/en/latest/book/firewall/firewall-rule-best-practices.html

    It doesn't have a back door but you can review the code yourself to be sure:
    https://github.com/pfsense

    Set up a management station to configure it from. Use it for nothing else. Run live Linux.

    Use something running open-source firmware like Coreboot.

    Not much more you can do.

    Steve



  • @securityconcerned Your security concerned name and questions imply troll.



  • Probably several trolls indeed.
    We're close to the main 'moral of life' questions here.

    Do not worry about stuff you don't know about. Life becomes impossible if you do.
    "Do not use what you don't understand" is also a practical solution (no joke intended here).
    But .... stuff like PHP is 'mastered' these days by 'less than 10 years old'. And few of them finished Harvard or something like that to do so.
    So, want to read and understand (because you don't trust the translator) Chinese? Learn Chinese!

    Great.
    It's Friday and I'm also trolling .... not good.

    PS: @stephenw10; why GitHub? I have a local, live and working copy: I can actually "see" what it is doing and what it should do - and test it if I have doubts or questions ;)


  • Netgate Administrator

    That's true for anything written in script; for compiled code you need to check the source. 😉

    Steve
