    I'm evaluating pfSense (I have no experience with FreeBSD).

    Is there a possibility to protect the bootloader with a password as in grub/lilo?

    Not normally, no. You could install GRUB if you want, but I'm not sure if that is known to work these days.

    A BIOS password may be better and should be handled universally.

    To be honest though most people don't want a boot password on a firewall since it needs to be up as long as possible. If there is a boot password then if you have any kind of outage that causes a reboot it will sit and wait for manual intervention.

  • I don't mean a password at boot time.
    I mean only locking the bootloader itself. So no one can change settings, boot to single and so on without a password - the same way as in GRUB, but the box boots normally.

    If I lock the BIOS, I can still boot to single from the bootloader.

    Is there another solution than installing GRUB?

    In that instance, then I'm not sure. I don't think there is a way to protect that, but there may be a way to shut it off. I can't recommend that though, as there may be instances where that is necessary, and it may still be possible to break into a prompt when it's loading the kernel.

  • If someone has physical access to your machine in that way, password protecting the bootloader is pointless, you're already owned.

    That reads more like a boot password that wouldn't boot the rest of the way until the password was entered, not one to protect the settings. But it might be worth a shot.

    submicron is right though, if someone has physical access to the console it's already too late.

  • I fully agree.

    I only want to avoid some "experimenters" that can try to get in. I can lock the console, but there is still the possibility to power up/down, reset the password and so on.
    The box will not be placed in a restricted area and there is more or less a possibility to come and disconnect it. It sucks then but OK. I don't want someone to get in easily and silently mash up our config.

    They could still boot from a CD and get to the config or reset the GUI password from there, if they know what they are doing.

    Let me phrase it differently: If they know enough to boot into single user mode and reset the password, it's too late. If you just want to keep the casual accidental or curious person out, locking the console may be sufficient.

  • There will be no way to boot a CD ... no CD drive ... or USB boot option ... all locked in the BIOS.
    The only way is to get the HDD out ... and then noticeable downtime of the box.

    But you are right.

    I will think about GRUB for some time, but will probably leave it this way.

