
> Last time I checked, pfSense was good at firewalling but bad at everything else security-wise.

> - Web panel allows root code execution on the device (every XSS is full RCE!)

Mostly, but not absolutely true, and being addressed.

> - Everything runs as root

Basically true.

> - No ASLR or other hardening flags because FreeBSD

And because SafeStack CPI is a much better solution, and our focus.

> - Lots of XSS and CSRF opportunities (probably got better with the new UI)

Work going into 2.4 to basically quash XSS / CSRF.

> - Did not replace SSL certificate after Heartbleed (on packages.pfsense.org!)

I recall differently, but we were more focused on fixing pfSense and the four releases in that month.

> - No package signing, either (not sure if this is still true with pkgng)

2.3 got pkgng, and yes, we sign packages.

> - Did not even have SSL on packages.pfsense.org until one or two years ago

I finally had to take these parts over from the previous admin.

If you have more suggestions, I'm listening.



Don't load images (icons) from a public web server, put the images into the local pfSense web server. It should not be necessary to have internet access to use the pfsense web GUI on a private network.


I'm at a loss as to what you're referring to here.

The Font Awesome icons used in 2.3 and forward are located in /usr/local/www/vendor/font-awesome.

We can (and do) use the GUI when there is no WAN connection.

Edit: any chance you're running a browser plugin that is blocking the font-awesome fonts?

FA started adding logos and stuff to the fonts and there are 3rd party lists you can use that are more aggressive and font-awesome is in some. https://github.com/FortAwesome/Font-Awesome/wiki/Troubleshoo...


Thanks for the pointer, it looks like iOS content blockers are preventing the images from loading in mobile Safari.


Not "blockers" - the one app you installed and where you enabled web fonts blocking...


Is there a setting or CLI command that could change this default behavior, or does PHP code need to be edited?


Do you have any privacy plugins that might be blocking font-awesome files?


Can it be configured to use full Code-Pointer Integrity? That would be a nice advantage.


SafeStack first, but that's where we're headed. There is still a lot of clean-up.



