Chris Buechler wrote:
Sanjay Arora wrote:
Hi all,
Just joined the list. Am mostly using IPCop & other Linux flavours for
perimeter firewalling. Needed ISP WAN-link balancing & failover, hence
my search for a new option. Also have started experimenting with
FreeBSD, so choice was limited to either FreeBSD or Linux.
Have downloaded the ISO... will install on a Pentium III 550 MHz and
revert with feedback within the week.
My thought is that any perimeter firewall should be a minimal design.
Wouldn't having PHP on pfSense make it vulnerable to PHP
vulnerabilities, as well as those of Apache? Haven't exactly tried it,
so really haven't the right to comment on it, but would the community
please comment on this and other similar issues inherent in this
architecture design?
This part of the architecture has changed slightly from m0n0wall I
believe, so if I go astray here, somebody kick me back into shape. ;)
Basically, you can't get to PHP without first being authenticated. At
this point, if you're authenticated, you have root access to the box.
So who cares about any PHP vulnerabilities when you already have root
access? And, as others said, most PHP problems are from sloppy PHP
code, not issues within PHP itself. Besides, the ability to even
attempt to log in is restricted to LAN only by default, and if you're
in a situation where you have to worry about what your internal users
can attempt on the firewall, you can and should restrict that
further. It's not like PHP is doing the actual firewalling.
As an addition to this:
If somebody doesn't like PHP on his firewall, he can just go back,
install OpenBSD 3.8 and use vi to edit the rulesets and all the other
configuration options (VLANs, NAT, VPN etc.).
Until there's a multi-user, multi-customer capable interface that allows
several virtual firewalls to be administered by different
clients/customers, I'm not going to worry about "PHP security" one
single second.
Firewalls which are managed by a fat-client GUI have also had their share of
vulnerabilities, precisely because the communication between the GUI and
the firewall was badly designed or implemented.
cheers,
Rainer
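Chris's point above about restricting who may even reach the login page can be expressed as a pf ruleset. The fragment below is an added example, not from the thread or from the pfSense project: it limits the webGUI on the firewall's LAN address to a single admin workstation and logs every other attempt. The interface name, admin address and listener ports are assumptions.

```pf
# Added example: restrict the webGUI to one admin host instead of the whole LAN.
# Interface name, admin address and ports are assumptions; adjust to your setup.
lan_if     = "em1"                 # LAN interface (assumed)
admin_host = "192.168.1.10"        # only host allowed to reach the webGUI (assumed)
mgmt_ports = "{ 80, 443 }"         # webGUI listener ports (assumed: HTTP + HTTPS)

# Log and drop any LAN host other than the admin workstation that tries to
# reach the GUI ports on the firewall's own LAN address. Logged hits show up
# in pflog, which is where you would watch for internal users probing the box.
block in log quick on $lan_if proto tcp from ! $admin_host \
    to ($lan_if) port $mgmt_ports

# Allow the admin workstation, and only over HTTPS, so credentials never
# cross the LAN in the clear.
pass in quick on $lan_if proto tcp from $admin_host \
    to ($lan_if) port 443 flags S/SA keep state
```

On pfSense the rules are normally generated from the GUI rather than edited by hand; this shows what the equivalent hand-written rules look like, and any GUI-generated pass rule for the LAN interface that precedes these would take priority.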