Netgate Discussion Forum

    Is a read-only installation possible?

    • 0 Offline
      0d35
      last edited by

      Wondering whether it's possible to set up a pre-configured read-only pfSense installation?

      In this case, read-only would mean running pfSense on a hardware write-blocked drive. I'd be thinking of doing this to prevent any form of malware/exploit persistence should any get onto the system.

      Would this be possible? Thanks

      • M Offline
        mer @0d35
        last edited by

        @0d35 others may have better information, but doing so I would make sure you have enough RAM because you need some writeable space for things like logs (unless you set it up for remote logging).

        • GertjanG Offline
          Gertjan @0d35
          last edited by

          @0d35
          The short answer would be : No, you don't want to do that.

          The long answer is : When looking at the config :

          17ce5d91-1b7f-46cf-b1fd-648ad6c83ffd-image.png

          you should read the fine print first.

          Modern storage devices (SSD) don't really wear out any more, they have a life span as long as classic hard disks (I take into account the pfSense disk usage).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • 0 Offline
            0d35 @Gertjan
            last edited by 0d35

            It seems like it might be possible then? I'm not fussed about logging or monitoring for now as that can be done externally. Though it looks like /var does contain some important things (such as package configurations), so a RAM disk wouldn't suffice here as the data would be lost when restarted.

            My intention would be to pre-configure the packages prior to installation and then symlink the /conf directory to an external read-only network share? Blocklists could be updated from an external device to the config.

            Not sure if this would all work though? The intention would be such that after every restart it would effectively be a clean install. Though obviously updating pfSense and its packages would be the tricky part.

            • GertjanG Offline
              Gertjan @0d35
              last edited by

              @0d35 said in Is a read-only installation possible?:

              /conf

              Typically, the 'config.xml' is rewritten to disk rather often - like a couple of times a day, or far more, depending on your settings used.
              Several pfSense packages do not use the RAM drive storage at all, and do use the drive where pfSense is installed on.

              Way back in the past, pfSense was installable like your average 'NetGear' or 'ISP router' like device : a minimal of non volatile memory for the config, and the rest was burned into ROM like memory.
              These devices still exist these days.
              pfSense is a complete (no trimmed down) operating system ( FreeBSD ) and needs a disk like device, and RAM.
              Again, it might be possible, but why bother ?
              A small 'good brand' SSD, 100 Gbytes M2 is access expensive as like 30 $/€. That's as expensive as a 'good known brand' USB drive that will die on you much faster. Both are very low power. The SSD is way much faster, and just a little bigger in physical size.
              pfSense is all about flexibility and boatloads of options.
              Which means : a lot of updates, because a lot of code = a lot of bugs = a lot of updates.
              So you want a 'a simple as possible' method to maintain the system.
              So that's where it went : the devices became more classic == less expensive.


              • M Offline
                mer @0d35
                last edited by

                @0d35 said in Is a read-only installation possible?:

                I'd be thinking of doing this to prevent any form of malware/exploit persistence should any get onto the system.

                This is the stated reason for OP asking this question.
                I think there needs to be a corollary question asked:
                How likely is an exploit against pfSense likely? Persistent or not?

                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @mer
                  last edited by johnpoz

                  @mer said in Is a read-only installation possible?:

                  How likely is an exploit against pfSense likely? Persistent or not?

                  Not very if you think about it.. Pfsense is not some user pc who is haphazardly clicking anything shiny that presents itself, downloading who knows what from where and executing it as an admin account ;)

                  So for such a thing to happen there would have to be some sort of RCE against some service running on pfsense that is listening for connections. So such services would be like sure the web gui, ssh - these should be normally limited access to only trusted admin devices. Other services like dns, ntp, etc. Which would be open to a wider audience, but still should be only your local trusted network. If your local network has been compromised to a point there is code running on it looking for RCE of other services on your network - you prob have bigger fish to fry..

                  Now not saying such a thing isn't possible - but I have never heard of such an exploit to pfsense in the past. It would be a very serious nature that is for sure. And wouldn't be something you wouldn't hear about ;)

                  I have to believe there are much lower hanging fruit to worry about in your overall security stance vs trying to setup some read only filesystem for your firewall, on the off chance it somehow got exploited..

                  Could prob write a book of stuff to do to increase your security before would get to - hey can we make pfsense filesystem read only ;)

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • 0 Offline
                    0d35 @johnpoz
                    last edited by

                    I am admittedly taking a defence in depth approach to the situation, but very true points :)

                    I've set up rules such that any client device not in the management VLAN is unable to access any service running on pfSense so no exposure to network services on that front (I've also tried to prevent VLAN hopping).

                    An unlikely possibility could be that when updating blocklists, the blocklist source becomes compromised and redirects to a malicious download which consequently gets downloaded to the pfSense installation. Not sure how those files would be executed though, but the fact is nonetheless that there is a file on the system which you don't want :)

                    • jimpJ jimp moved this topic from Problems Installing or Upgrading pfSense Software on
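Added example, not part of any post in this thread and not pfSense or package code: one way to address the compromised-blocklist-source concern raised above is to validate a fetched list on the external device before it is handed to the firewall, accepting only plain IP/CIDR entries. The function names, size ceiling, reject ratio and sample payloads are assumptions made for this illustration.

```python
import ipaddress

MAX_BYTES = 5 * 1024 * 1024  # assumed ceiling for one list
MAX_REJECT_RATIO = 0.01      # assumed tolerance for malformed lines

def validate_blocklist(raw: bytes) -> list[str]:
    """Return canonical CIDR strings, or raise ValueError if the payload
    does not look like a plain IP/CIDR blocklist."""
    if len(raw) > MAX_BYTES:
        raise ValueError("payload larger than expected")
    if b"\x00" in raw:
        raise ValueError("binary content (NUL byte)")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII content") from None
    accepted, rejected = [], 0
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected += 1
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 would block everything
            rejected += 1
            continue
        accepted.append(str(net))
    total = len(accepted) + rejected
    if total == 0 or rejected / total > MAX_REJECT_RATIO:
        raise ValueError(f"{rejected} of {total} entries are not IP/CIDR")
    return accepted

# Constructed samples (documentation address ranges), not real feed data.
GOOD = b"# sample feed\n192.0.2.10\n198.51.100.0/24 # note\n2001:db8::/32\n"
HTML = b"<html><body>Moved <a href='/x'>here</a></body></html>\n"
ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8

def check(raw: bytes) -> str:
    try:
        return f"accepted {len(validate_blocklist(raw))} entries"
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("html", HTML), ("elf", ELF)):
        print(name, "->", check(sample))
```

Only the re-serialised entries returned by `validate_blocklist` would be passed on, so a redirect page or binary download never reaches the firewall's disk in its original form.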
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      Waaaay back in the day m0n0wall used to run from a CD using floppy disk to hold the config. I think that was my first experience using it. More recently the NanoBSD images we used for pfSense ran read-only with a separate config partition.
                      But, no, in current pfSense it's not practical to run entirely read-only. In my opinion at least.

                      Steve

                      • S Offline
                        SteveITS Rebel Alliance @stephenw10
                        last edited by

                        @stephenw10 said in Is a read-only installation possible?:

                        Waaaay back in the day m0n0wall used to run from a CD using floppy disk to hold the config

                        That's how we ran it. :) No drive to fail, lots of spare floppies around.

                        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                        Upvote 👍 helpful posts!

                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Well one might argue, looking at a stack of broken optical drives, that CDs were in fact not that reliable. And floppy disks.... 😉

                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator @stephenw10
                            last edited by johnpoz

                            @stephenw10 said in Is a read-only installation possible?:

                            And floppy disks.

                            They were horrible, just plain horrible - that we thought it was good tech is like moving from stone knives to first copper/tin-bronze swords.. Yeah they are better than a sharp rock.. But they don't compare to high carbon steel, etc.

                            They always failed when you needed them most, and while might work in your drive - took it somewhere and that drive alignment being a bit off and you couldn't read your disk.. The 3.5 were better than the old 5.25 that were so great when they came out. Especially when you could just use your hole punch and double the capacity ;)

                            What was NT 3.1 like 20 something floppies..

                            I had bunch of old floppy drives on my shelf for quite some time, a few years back I finally said.. WTF would I ever need these for and got rid of them ;)

                            If anyone has fond memories of such setups - it's that nostalgic thing that happens when you remember shit that was horrible fondly ;)

                            edit: "Rosy Retrospection" was the term I was looking for ;)


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.