Netgate Discussion Forum

    Bootloader password

    General pfSense Questions
    10 Posts 4 Posters 3.4k Views
    bman

      Hello,

      I'm evaluating pfSense (I have no experience with FreeBSD).

      Is there a possibility to protect the bootloader with a password, as in GRUB/LILO?

      Thanks for the answer.

      jimp (Rebel Alliance Developer, Netgate)

        Not normally, no. You could install GRUB if you want, but I'm not sure if that is known to work these days.

        A BIOS password may be better and should be handled universally.

        To be honest, though, most people don't want a boot password on a firewall, since it needs to be up as long as possible. If there is a boot password, then any kind of outage that causes a reboot will leave it sitting and waiting for manual intervention.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        bman

          I don't mean a password at boot time.
          I mean only locking the bootloader itself, so no one can change settings, boot to single user and so on without a password - the same way as in GRUB, but the box boots normally.

          If I lock the BIOS, I can still boot to single user from the bootloader.

          Is there another solution than installing GRUB?

          jimp (Rebel Alliance Developer, Netgate)

            In that instance, then I'm not sure. I don't think there is a way to protect that, but there may be a way to shut it off. I can't recommend that though, as there may be instances where that is necessary, and it may still be possible to break into a prompt when it's loading the kernel.

            Guest

              If someone has physical access to your machine in that way, password protecting the bootloader is pointless; you're already owned.

              Perry

                Haven't tested it, but it seems that you can add something like
                password="test"
                to loader.conf
                http://www.freebsd.org/cgi/man.cgi?query=loader.conf&sektion=5

                /Perry
                doc.pfsense.org

                jimp (Rebel Alliance Developer, Netgate)

                  @Perry:

                  Haven't tested it, but it seems that you can add something like
                  password="test"
                  to loader.conf
                  http://www.freebsd.org/cgi/man.cgi?query=loader.conf&sektion=5

                  That reads more like a boot password that wouldn't boot the rest of the way until the password was entered, not one to protect the settings. But it might be worth a shot.

                  submicron is right though, if someone has physical access to the console it's already too late.
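The two loader.conf(5) variables behind this exchange, as an added example that is not from the thread or from the pfSense project: FreeBSD's check-password.4th(8) reads password (required only to interrupt autoboot and reach the loader menu or prompt, which is what bman asked for) and bootlock_password (required before the loader continues booting at all, which is the boot-time password jimp warned against). The script below classifies a loader.conf by which of the two is set; the sample files are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: classify what a FreeBSD loader.conf(5)
# protects, based on the two variables consumed by check-password.4th(8):
#   password          - asked for before autoboot can be interrupted, i.e.
#                       before anyone reaches the loader menu or prompt
#                       (single user boot, kernel/loader settings).
#                       Unattended reboots still complete.
#   bootlock_password - asked for before the loader continues at all, so a
#                       power cut leaves the firewall waiting at the console.
# Both values sit in clear text in /boot/loader.conf, and neither helps
# against someone who can boot other media or pull the disk.

# Print one of: none, menu-lock, boot-lock, both  for the loader.conf in $1.
loader_lock_mode() {
    awk '
        # Value of key=..., quotes and trailing blanks stripped.
        function value(line, key) {
            sub("^[ \t]*" key "=", "", line)
            gsub(/"/, "", line)
            sub(/[ \t]+$/, "", line)
            return line
        }
        { sub(/#.*/, "") }                  # ignore comments (and "#" in values)
        /^[ \t]*password=/          { if (value($0, "password") != "")          menu = 1 }
        /^[ \t]*bootlock_password=/ { if (value($0, "bootlock_password") != "") boot = 1 }
        END {
            if (menu && boot)  print "both"
            else if (boot)     print "boot-lock"
            else if (menu)     print "menu-lock"
            else               print "none"      # empty/commented values count as unset
        }' "$1"
}

# Constructed sample files (not real configurations) to exercise the classifier.
tmpdir=$(mktemp -d)
printf 'autoboot_delay="3"\npassword="test"    # menu lock only\n' > "$tmpdir/menu.conf"
printf 'bootlock_password="halt"\n' > "$tmpdir/boot.conf"
printf 'password=""\n# bootlock_password="x"\n' > "$tmpdir/none.conf"
for f in menu boot none; do
    printf '%s: %s\n' "$f.conf" "$(loader_lock_mode "$tmpdir/$f.conf")"
done
rm -r "$tmpdir"
```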

                  bman

                    I fully agree.

                    I only want to avoid some "experimenters" who might try to get in. I can lock the console, but there is still the possibility to power up/down, reset the password and so on.
                    The box will not be placed in a restricted area, and there is a more or less real possibility that someone comes and disconnects it. It sucks then, but OK. I don't want someone to get in easily and silently mess up our config.

                    jimp (Rebel Alliance Developer, Netgate)

                      They could still boot from a CD and get to the config or reset the GUI password from there, if they know what they are doing.

                      Let me phrase it differently: If they know enough to boot into single user mode and reset the password, it's too late. If you just want to keep the casual accidental or curious person out, locking the console may be sufficient.

                      bman

                        There will be no way to boot a CD … no CD drive … or USB boot option … all locked in the BIOS.
                        The only way is to get the HDD out … and then there is noticeable downtime of the box.

                        But you are right.

                        I will think about GRUB for some time, but will probably leave it this way.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.