Netgate Discussion Forum

    pfSense Security? What is being done?

    General pfSense Questions
    11 Posts 8 Posters 1.3k Views
    • deanfourie

      So I'm just curious as to pfSense and Security.

      I am not a paid user so I don't expect updates every week, but that being said I haven't had a single update now for about a year.

      So I'm just curious as to how pfSense maintains a secure platform if updates are not being pushed on a regular/semi-regular basis.

      Thanks!

      • chpalmer @deanfourie

        @deanfourie

        2.6 was released about Mon Jan 31 19:57:53 UTC 2022 just over 8 months ago with 2.7 in the works.

        Any time a dangerous exploit that would affect any part of pfSense is found, which has been fairly rare compared to some other products, the team makes the required updates. If they didn't there would be people here calling them out constantly.

        Your security is up to you though. There are things you could potentially do to any product that could make it unsafe. Your best course is to stay updated and keep learning.

        I've been using pfSense since 0.7 and have never had a single compromise on any of my systems. That doesn't come though with me just sitting by and not keeping watch.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • AndyRH

          Good question.
          Patching is done to fix problems. Because FreeBSD is reasonably secure (it is not Mac OS or Windows) and features not needed by pfSense have been removed, there are fewer patches needed because there are fewer things to patch. Most high-end FWs are patched less often than pfSense.
          Patch frequency is a sign of security, the less you need, the more secure.

          o||||o
          7100-1u

          • Gertjan @AndyRH

            @andyrh said in pfSense Security? What is being done?:

            Because FreeBSD is reasonably secure

            Exactly.
            And things are even better: Netgate, who makes pfSense (and TNSR), is also an active player in the FreeBSD development.
            And not like: "here is a patch for the upstream" once in a while, no, they are actually part of the FreeBSD dev team.

            To keep pfSense safe (edit: safer): easy: activate as few gadgets and options as possible.

            Like Wietsma, author of Postfix, explained once perfectly well what happens when you activate more and more stuff.
            The thing was : we all 'want' TLS these days. Most of the internet does not even function without it.
            And OpenSSL is huge and utterly complex.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • Jarhead @Gertjan

              This is a result of apps on our phones.
              I never understood why people want constant updates and some even refuse to use apps that aren't updated constantly.
              I always ask "What part of the app isn't working right?"
              And they usually reply with "none".
              But still they want updates.
              If it ain't broke, don't fix it.

              • jimp moved this topic from Problems Installing or Upgrading TNSR Software on
              • deanfourie @Jarhead

                @jarhead very interesting way of thinking.

                • nimrod @Jarhead

                  @jarhead said in pfSense Security? What is being done?:

                  This is a result of apps on our phones.
                  I never understood why people want constant updates and some even refuse to use apps that aren't updated constantly.
                  I always ask "What part of the app isn't working right?"
                  And they usually reply with "none".
                  But still they want updates.
                  If it ain't broke, don't fix it.

                  This is absolutely true. I know a whole bunch of people that think like that. I think it's the mental thing more than anything else. In their heads, if there are no frequent updates, the product is discontinued and no longer secure. It's a broken logic that affects many people.

                  • deanfourie

                    My reasoning is behind the ever-increasing attacks now aimed at Linux machines.

                    So, maybe I just don't understand how FreeBSD works? Is it a full Linux sub-system?

                    • stephenw10 Netgate Administrator

                      FreeBSD is not Linux at all:
                      https://docs.freebsd.org/en/articles/explaining-bsd/

                      In addition, pfSense is a very cut-down version of FreeBSD. Many of the vulnerabilities that are discovered in FreeBSD do not apply to pfSense because of that.

                      Steve

                      • johnpoz LAYER 8 Global Moderator @deanfourie

                        @deanfourie said in pfSense Security? What is being done?:

                        now aimed at Linux machines.

                        FreeBSD is not Linux, nor is it a sub-system of Linux. It is based on BSD, not Linux.

                        Here is a family tree if you will

                        Unix.jpg

                        At best you could call them distant cousins - if you go far enough back in the family tree they had a common ancestor.

                        Keep in mind that attacks normally attack services running on an OS. A firewall runs very few services, especially those exposed to the internet. A firewall is not a desktop; foreign code is never or rarely executed on the device by a user. It doesn't actually interact with even sites that host services that could inject bad code like a user device could.

                        So the patching and updates that relate to security issues when something that could be exploited is going to be way different than an end-user device, or even a server hosting software that is interacted with that could be exploited related to some issue in the code providing that service.

                        So while yes you should keep your pfSense updated, it sure doesn't need to be updated every week, etc. If an issue is discovered that is of concern, be it found in the upstream FreeBSD code base, or a package that is being used by pfSense, then they would release an update to correct.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • nimrod @johnpoz

                          I use FreeBSD as a daily driver on one of my machines and I'm falling in love with it.

                          It's so robust and unbreakable. Native ZFS support is just a cherry on top of all that. And yes. It has nothing to do with broken and bloated Linux kernel. Not only is it not Linux based, you actually need to emulate Linux with projects like Linuxlator to be able to run Linux applications. Not that I recommend it, just want to point out how different it is compared to billions of Linux distros out there.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.