CARP and user privilege



  • Hello, all!

    I am in the middle of my first CARP setup.  The one thing that I noticed was Remote System Username, if you want to sync configuration settings.

    Security is a biggie in my company, and exposing a(nother) user that seems to require admin privileges doesn't seem very secure.

    Does anyone know the minimum privileges required for the user that can sync configuration between pfsense installation?

    Thanks ahead for your assistance.



  • Hi!

    If you use a distinct interface for FW sync as it's suggested there will be no security issue with a user who have admin privileges.

    Furthermore if you have your WebConfigurator set to use HTTPS protocol the sync communication is also encrypted.



  • Thank you for your reply.

    I am still not sure of the statement about having the distinctive interface - is there a way to bind a user to login only through specific interfaces, that I am unaware of?  As far as I see, a configured user can login through any allowed interface.

    HTTPS is good for encrypting the traffic, but exposing the system to yet another full admin user is what I need to secure.

    If a configured user can login through any interface, it would be nice to know what minimum privileges are needed for the CARP user.

    Thanks ahead of time for your replies.


Log in to reply