I'd say this is partially right: any misconfigured firewall can be insecure and allow the PHP interface to be available. There is currently no way to turn the web process for administration on or off either, and currently you can't bind the process to listen on a specific interface. So a default rule allowing HTTP/HTTPS in from the WAN might expose you. pfSense currently takes a default stance, from what I can see, but it is functional. You'd imagine that by default it should be locked down a bit more. It's still a project that deserves merit, and it's also why I build my own version. I've additional tweaks not found in pfSense, though it is a solid base to start from. Some things in their simpler form need to be tightened up; it's alpha code, so there's no way to tell what the plans are for the future. Make some suggestions to the list and see what happens. I'm sure there are a few "tweaks" that can be applied to lock down the system a bit better. The web server is thttpd, but I see lighttpd also in the CVS tree, so they might be migrating to it.
On Mon, 2005-11-28 at 13:30 +0500, sai wrote:
> While PHP does have some problems, it is mostly PHP software that is
> poorly written and so vulnerable. The PHP interface is not available
> to everyone (only admins), so even if PHP is vulnerable you have to get
> to it first.
> The web server is not Apache but something much smaller... forget the name.
>
> If you didn't have an easy-to-use web interface but had a CLI, the
> security problems associated with mistakes made in configuration etc.
> would be quite major.
>
> sai
>
> On 11/27/05, Sanjay Arora <[EMAIL PROTECTED]> wrote:
> > Hi all
> >
> > Just joined the list. Am mostly using IPCop & other Linux flavours for
> > perimeter firewalling. Needed ISP WAN-link balancing & failover, hence
> > my search for a new option. Also have started experimenting with
> > FreeBSD, so choice was limited to either FreeBSD or Linux.
> >
> > Have downloaded the ISO... will install on a Pentium III 550 MHz and
> > revert with feedback within the week.
> >
> > My thought is that any perimeter firewall should be a minimal design.
> > Wouldn't having PHP on pfSense make it vulnerable to PHP
> > vulnerabilities, as well as those of Apache? Haven't exactly tried it,
> > so really haven't the right to comment on it, but would the community
> > please comment on this and other similar issues inherent in this
> > architecture design?
> >
> > With best regards & best wishes for the project.
> > Sanjay.
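To make the "default rule allowing HTTP/HTTPS in from the WAN" point concrete, here is an added pf ruleset fragment written for this note. It is not pfSense's generated ruleset and not code from anyone in the thread; the interface names fxp0 and fxp1 are assumptions, as is the choice of ports 80 and 443 for the admin web server. It shows the weak rule beside the tightened one.

```pf
# Added example, not pfSense's own ruleset. Interface names are assumed;
# substitute whatever ifconfig shows for your WAN and LAN cards.
ext_if = "fxp0"
int_if = "fxp1"
admin_ports = "{ 80, 443 }"

# Weak: a rule like this lets anyone on the WAN side reach the PHP admin
# interface, since the web process listens on every address.
# Left commented out so it is never loaded by accident.
# pass in proto tcp from any to any port $admin_ports

# Tightened: drop admin-port traffic arriving on the WAN interface outright,
# then allow it only from hosts on the LAN subnet, to the LAN address.
# ($ext_if) and ($int_if) expand to the addresses assigned to those
# interfaces; $int_if:network is the subnet configured on the LAN card.
block in quick on $ext_if proto tcp from any to ($ext_if) port $admin_ports
pass in quick on $int_if proto tcp from $int_if:network to ($int_if) port $admin_ports flags S/SA keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because, as the poster notes, the admin web process cannot be bound to one interface, the firewall rule is the only control in front of it: confirm what the web server actually listens on with `sockstat -4 -l` on the FreeBSD box, and then check from a host on the WAN side that `nc -z -w 3 <wan-address> 443` gets no connection.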
