Run PfSense from write-protected USB pendrive



  • Dears,

    Is there any possibility to install and run pfSense from a write-protected USB pendrive?
    Maybe there is a chance to move temporary files to an unprotected area (ordinary HDD).

    Then set pfSense to automatically reset at midnight, starting from a secured USB.
    This would allow for a significant increase in security in the event of a hacker attack.

    The system would be "flushed" from malicious software or configuration changes…

    What do you think of this functionality?

    friendly regards...
    Dziabaq



  • Doable, but why not just use the live CD with a write-protected pendrive for your config (other than you need a CD drive also)?



  • Hi,

    This makes sense, but a CD is slow and exposed to dirt and mechanical failures.
    USB is much, much faster and there are no mechanical parts inside.

    Second question is, how to set automatic reboot at midnight?



  • You can do it with a USB thumbdrive (I'm assuming there is a hardware switch on the USB drive to write-protect it).

    First, you need to install the Cron package (easier to do this with GUI).

    Next use the Crontab to set a job at midnight?, daily, to run a shutdown with restart command for the reboot.
    Command will be:  shutdown -r now

    Go to Diagnostics -> NanoBSD.  Disable all Backup jobs (if any) so pfSense doesn't try to write to disk.

    After you are done with all that, re-enable the Write protect.

    To be honest, this is probably not required at all.  What you should focus on is to secure your hosted services, enforce good password policies, and keep your clients/servers actively protected with anti-malware software suites.
    Further, don't expose the WebGUI/Telnet/SSH for the pfSense box to the internet.
    In all likelihood, it will be your hosted services (servers and such) that get compromised rather than the pfSense box itself.  You can set up Snort to further protect such hosts.
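
A way to verify the setup described in the thread before flipping the write-protect switch back on, as an added example that is not part of any post above. It assumes the FreeBSD system crontab layout (minute hour mday month wday user command) and FreeBSD-style `mount` output; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a read-only pfSense boot with a nightly reboot.
# All sample input below is constructed, not captured from a real system.

# Succeeds if crontab text on stdin has an active daily 00:00 "shutdown -r" job.
has_midnight_reboot() {
    awk '
        /^[ \t]*#/ || NF < 7 { next }      # skip comments and incomplete lines
        $1 ~ /^0+$/ && $2 ~ /^0+$/ && $3 == "*" && $4 == "*" && $5 == "*" {
            cmd = ""
            for (i = 7; i <= NF; i++) cmd = cmd " " $i   # field 6 is the user
            if (cmd ~ /shutdown[ \t]+-r/) found = 1
        }
        END { exit !found }
    '
}

# Succeeds if `mount` output on stdin shows the root filesystem as read-only.
root_is_readonly() {
    awk '
        $2 == "on" && $3 == "/" {
            seen = 1
            if ($0 ~ /[(, ]read-only[,)]/) ro = 1
        }
        END { exit !(seen && ro) }
    '
}

SAMPLE_CRONTAB='# minute hour mday month wday who command
1,31 0-5 * * * root adjkerntz -a
0 0 * * * root /sbin/shutdown -r now'

SAMPLE_MOUNT='/dev/ufs/pfsense0 on / (ufs, local, noatime, read-only, synchronous)
devfs on /dev (devfs, local)
/dev/md0 on /tmp (ufs, local)'

report() {
    printf '%s\n' "$SAMPLE_CRONTAB" | has_midnight_reboot \
        && echo "cron: daily midnight reboot job found" \
        || echo "cron: no daily midnight reboot job"
    printf '%s\n' "$SAMPLE_MOUNT" | root_is_readonly \
        && echo "mount: / is read-only" \
        || echo "mount: / is writable or missing"
    return 0
}

# On a live box: has_midnight_reboot < /etc/crontab ; mount | root_is_readonly
report
```

A read-only mount only shows the OS is not trying to write; the hardware switch on the drive is what actually enforces it.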