Is a read-only installation possible?

0d35

Wondering whether it's possible to set up a pre-configured read-only pfSense installation?

In this case, read-only would mean running pfSense on a hardware write-blocked drive. I'd be thinking of doing this to prevent any form of malware/exploit persistence should any get onto the system.

Would this be possible? Thanks

mer

@0d35 others may have better information, but doing so I would make sure you have enough RAM because you need some writeable space for things like logs (unless you set it up for remote logging).

Gertjan

@0d35
The short answer would be : No, you don't want to do that.

The long answer is : When looking at the config :

you should read the fine print first.

Modern storage devices (SSD) don't really wear out any more, they have a live span as long as classic hard disks ( I take in account the pfSense disk usage).

0d35

It seems like it might be possible then? I'm not fussed about logging or monitoring for now as that can be done externally. Though it looks like /var does contain some important things (such as package configurations), so a RAM disk wouldn't suffice here as the data would be lost when restarted.

My intention would be to pre-configure the packages prior to installation and then symlink the /conf directory to an external read-only network share? Blocklists could be updated from an external device to the config.

Not sure if this would all work though? The intention would be such that after every restart it would effectively be a clean install. Though obviously updating pfSense and its packages would be the tricky part.

Gertjan

@0d35 said in Is a read-only installation possible?:

/conf

Typically, the 'config.xml' is rewritten to disk rather often - like a couple of times a day, or far more, depending your settings used.
Several pfSense packages do not us the RAM drive storage at all, and do use the drive where pfSense is installed on.

Way back in the past, pfSense was installable like your average 'NetGear' or 'ISP router' like device : a minimal of non volatile memory for the config, and the rest was burned into ROM like memory.
These device still exist these days.
pfSense is a complete (no trimmed down) operating system ( FreeBSD ) and needs a disk like device, and RAM.
Again, it might be possible, but why bother ?
A small 'good brand' SSD, 100 Gbytes M2 is access expensive as like 30 $/€. That's as expensive as a 'good known brand' USB drive that will die on you much faster. Both are very low power. The SSD is way much faster, and just a little bigger in physical size.
pfSense is all about flexibility and boatloads of options.
Which means : a lot of updates, because a lot of code = a lot of bugs = a lot of updates.
So you want a 'a simple as possible' method to maintain the system.
So that's where it went : the devices became more classic == less expensive.

mer

@0d35 said in Is a read-only installation possible?:

I'd be thinking of doing this to prevent any form of malware/exploit persistence should any get onto the system.

This is the stated reason for OP asking this question.
I think there needs to be a corallary question asked:
How likely is an exploit against pfSense likely? Persistent or not?

johnpoz

@mer said in Is a read-only installation possible?:

How likely is an exploit against pfSense likely? Persistent or not?

Not very if you think about it.. Pfsense is not some user pc who is haphazardly clicking anything shiny that presents it self, downloading who knows what from were and executing it as an admin account ;)

So for such a thing to happen there would have to be some sort of RCE against some service running on pfsense that is listening for connections. So such services would be like sure the web gui, ssh - these should be normally limited access to only trusted admin devices. Other services like dns, ntp, etc. Which would be open to a wider audience, but still should be only your local trusted network. If your local network has been compromised to a point there is code running on it looking for RCE of other services on your network - you prob have bigger fish to fry..

Now not saying such a thing isn't possible - but I have never heard of such an exploit to pfsense in the past. It would be a very serious nature that is for sure. And wouldn't be something you wouldn't hear about ;)

I have to believe there are much lower hanging fruit to worry about in your overall security stance vs trying to setup some read only filesystem for your firewall, on the off chance it somehow got exploited..

Could prob write a book of stuff to do to increase your security before would get to - hey can we make pfsense filesystem read only ;)

0d35

I am admittedly taking a defence in depth approach to the situation, but very true points :)

I've set up rules such that any client device not in the management VLAN is unable to access any service running on pfSense so no exposure to network services on that front (I've also tried to prevent VLAN hopping).

An unlikely possibility could be that when updating blocklists, the blocklist source becomes compromised and redirects to a malicious download which consequently gets downloaded to the pfSense installation. Not sure how those files would be executed though, but the fact is nonetheless that there is a file on the system which you don't want :)

stephenw10

Waaaay back in the day m0n0wall used to run from a CD using floppy disk to hold the config. I think that was my first experience using it. More recently the NanoBSD images we used for pfSense ran read-only with a separate config partition.
But, no, in current pfSense it's not practical to run entirely read-only. In my opinion at least.

Steve

SteveITS

@stephenw10 said in Is a read-only installation possible?:

Waaaay back in the day m0n0wall used to run from a CD using floppy disk to hold the config

That's how we ran it. :) No drive to fail, lots of spare floppies around.

stephenw10

Well one might argue, looking at a stack of broken optical drives, that CDs were in fact not that reliable. And floppy disks....

johnpoz

@stephenw10 said in Is a read-only installation possible?:

And floppy disks.

They were horrible, just plain horrible - that we thought it was good tech is like moving from stone knives to first copper/tin-bronze swords.. Yeah they are better than a sharp rock.. But they don't compare to high carbon steel, etc.

They always failed when you needed them most, and while might work in your drive - took it somewhere and that drive alignment being a bit off and you couldn't read your disk.. The 3.5 were better than the old 5.25 that were so great when they came out. Especially when you could just use your hole punch and double the capacity ;)

What was NT 3.1 like 20 something floppies..

I had bunch of old floppy drives on my shelf for quite some time, a few years back I finally said.. WTF would I ever need these for and got rid of them ;)

If anyone has fond memories of such setups - its that nostalgic thing that happens when your remember shit that was horrible fondly ;)

edit: "Rosy Retrospection" was the term I was looking for ;)