The defaults are permissive on purpose, so that installation works out of the box. Harden these ten settings within the first hour and you'll close the most common attack paths before your first production rule is written.
Fresh pfSense installs ship with a well-known default password (pfsense). Until you change it, anyone who can reach the WebGUI (LAN or accidentally-exposed WAN) has full root-equivalent access to your firewall.
The default login is admin / pfsense. Automated bots scan for it within minutes of any IP exposure. A compromised firewall is game over: the attacker controls all traffic, can tunnel inbound and can disable logging. Change the password under System › User Manager before the box touches an untrusted network.
Confirm the WebGUI is served over HTTPS (System › Advanced › Admin Access). Current releases default to HTTPS with a self-signed certificate, but older installs and some imported configs still run plain HTTP on port 80, where credentials cross the wire in clear text. While you are there, disable the port-80 HTTP-to-HTTPS redirect and move the admin interface off 443 to stop casual port scans.
Plain HTTP can be read by anyone on the path or on a shared segment: a hostile host ARP-spoofing the LAN, a mirrored switch port, a compromised access point. Port 443 is probed by every scanner on the internet within seconds of IP exposure. A non-standard port such as 8443 cuts drive-by noise but is only obscurity, so pair it with the source restrictions in Step 3, and replace the self-signed certificate (ACME package or your internal CA) so admins stop being trained to click through browser warnings.
The WebGUI process listens on every interface; only firewall rules decide who can reach it, and the default LAN rule allows everything. Create explicit rules that only allow admin-source subnets (office LAN, admin VLAN, VPN pool) to reach the management port, with "This Firewall (self)" as the destination.
A compromised guest-WiFi device, rogue IoT sensor or infected printer should never be able to talk to the firewall's admin interface — even if they know the password.
Alias ADMIN_NETS = your admin LAN + VPN pool. Rules on the LAN interface, in this order (pfSense evaluates rules top-down and the first match wins, so the pass rules must sit above the blocks and the blocks above the default allow):

| # | Proto | Source | Dest | Port | Action | Description |
|---|---|---|---|---|---|---|
| 1 | TCP | ADMIN_NETS | This Firewall | 8443 | ✓ Pass | Admin WebGUI from admin nets |
| 2 | TCP | any | This Firewall | 8443 | ✕ Block | Block WebGUI from everywhere else |
| 3 | TCP | ADMIN_NETS | This Firewall | 22 | ✓ Pass | SSH from admin nets |
| 4 | TCP | any | This Firewall | 22 | ✕ Block | Block SSH from everywhere else |
| 5 | * | LAN net | any | * | ✓ Pass | Default allow LAN to any |
pfSense creates an automatic anti-lockout rule so a bad custom rule can never lock you out of the WebGUI. Keep it while you build and test the Step 3 rules, then decide what to do with it, because it cannot be narrowed, only switched off.
The anti-lockout rule sits above every rule you write on LAN and allows the entire LAN net to reach the WebGUI and SSH ports, which silently defeats Step 3 on that interface. Either move management to a dedicated admin VLAN or interface so the LAN rule no longer matters, or, once Step 3 is verified from an admin host (keep that session open while you test), disable it under System › Advanced › Admin Access ("Disable webConfigurator anti-lockout rule").
Every log line, every certificate and every VPN handshake depends on accurate time. Set the time zone (Asia/Kolkata in India) under System › General Setup and pull time from trusted NTP pools.
Wrong time = expired certificate errors, OTP 2FA fails, Let's Encrypt renewals fail, forensic logs become useless for incident response.
NTP servers: time.nist.gov, in.pool.ntp.org.

Don't let your ISP log or hijack your DNS lookups. pfSense's built-in Unbound resolver can forward over DNS-over-TLS to public resolvers such as Cloudflare (1.1.1.1) and Quad9 (9.9.9.9): enter the servers with their TLS hostnames under System › General Setup, then in Services › DNS Resolver enable forwarding mode and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers".
ISPs in India routinely log DNS queries. Unencrypted DNS lets anyone on the path see every site your users visit and rewrite answers to redirect users to phishing sites. DNS-over-TLS removes both the logging and the tampering on the path, though the resolver you forward to still sees the queries.
Forwarders: 1.1.1.1@853 (TLS hostname cloudflare-dns.com), 9.9.9.9@853 (TLS hostname dns.quad9.net).

SSH is off by default. If you enable it for troubleshooting (System › Advanced › Admin Access › Secure Shell), set SSHd Key Only to "Public Key Only" so password login is refused, and generate an ed25519 key pair on each admin workstation (ssh-keygen -t ed25519).
SSH with password auth is the #1 brute-force target on the internet. With password auth disabled, guessing is pointless: the attacker would need the private key from an admin workstation. Protect those keys with a passphrase, and keep the Step 3 rule so only admin nets can even attempt a connection.
Paste each public key into System › User Manager › admin › Keys (Authorized SSH Keys).

Even if your admin password leaks, 2FA stops the attacker. pfSense Plus supports TOTP (Google Authenticator, Authy, 1Password) natively.
Password reuse from breached SaaS sites is the #1 credential-stuffing vector. 2FA neutralises it — attacker with your password still needs a rolling code from your phone.
Suricata is the inline intrusion-detection and prevention engine available for pfSense as a package; it is not installed by default. Install it from System › Package Manager, assign it to WAN, enable the Emerging Threats Open ruleset, and run it in alert-only mode for a few days before switching on blocking, so you can suppress the false positives first: a mistuned IPS on WAN takes your own users offline.
Firewall rules stop traffic at the packet-header level (IP + port). Suricata inspects content — it catches CVE exploits, malware C2 beacons, reconnaissance scans that pass ordinary firewall rules.
| Category | Rules | Last Updated |
|---|---|---|
| ET Open / botcc.rules | 6,241 | 19-Apr 03:00 IST |
| ET Open / emerging-exploit.rules | 4,188 | 19-Apr 03:00 IST |
| ET Open / emerging-trojan.rules | 18,904 | 19-Apr 03:00 IST |
| ET Open / emerging-malware.rules | 22,771 | 19-Apr 03:00 IST |
| ET Open / emerging-scan.rules | 1,402 | 19-Apr 03:00 IST |
| Snort VRT / browser-chrome.rules | 388 | — |
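Before flipping Suricata from alert to block mode, look at what it has already seen. As an added example (not from the page, from Netgate or from the Suricata project), this Python reads Suricata's EVE JSON alert stream (one JSON object per line; enable "EVE JSON Log" in the interface's logging settings), groups alerts by signature, separates inbound WAN noise from alerts triggered by internal hosts, and applies a simple promote-to-drop heuristic. The log lines and signature IDs are constructed for the example (SIDs in the 1000000+ local range), and the internal range 10.10.0.0/16 is an assumption.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: your internal ranges, used to separate inbound WAN noise from hits involving internal hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed eve.json records (not output from any real Suricata sensor).
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2024-04-19T03:12:41.000000+0530","event_type":"alert","src_ip":"198.51.100.23","dest_ip":"203.0.113.10","dest_port":8443,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SCAN inbound port sweep (constructed)","category":"Attempted Information Leak","severity":2,"action":"allowed"}}',
    '{"timestamp":"2024-04-19T03:13:05.000000+0530","event_type":"flow","src_ip":"10.10.50.20","dest_ip":"203.0.113.10","proto":"TCP"}',
    '{"timestamp":"2024-04-19T03:13:58.000000+0530","event_type":"alert","src_ip":"198.51.100.24","dest_ip":"203.0.113.10","dest_port":8443,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SCAN inbound port sweep (constructed)","category":"Attempted Information Leak","severity":2,"action":"allowed"}}',
    '{"timestamp":"2024-04-19T03:14:02.000000+0530","event_type":"alert","src_ip":"10.10.50.20","dest_ip":"198.51.100.77","dest_port":443,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL MALWARE outbound beacon (constructed)","category":"A Network Trojan was detected","severity":1,"action":"blocked"}}',
    '{"timestamp":"2024-04-19T03:14:30.000000+0530","event_type":"al',
    '{"timestamp":"2024-04-19T03:15:11.000000+0530","event_type":"alert","src_ip":"198.51.100.99","dest_ip":"203.0.113.10","dest_port":8443,"proto":"TCP","alert":{"signature_id":1000003,"signature":"LOCAL EXPLOIT inbound WebGUI probe (constructed)","category":"Web Application Attack","severity":1,"action":"allowed"}}',
])


def parse_alerts(eve_text):
    """eve.json is one JSON object per line; keep only event_type == alert and skip truncated lines."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue   # partial line at log rotation, or a read mid-write
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def direction(event):
    """'outbound' when the source is one of our hosts (the alerts that matter most), else 'inbound'."""
    src = ipaddress.ip_address(event["src_ip"])
    return "outbound" if any(src in net for net in INTERNAL_NETS) else "inbound"


def triage(eve_text):
    """Group alerts by signature: hit count, distinct sources, directions, severity, and how many Suricata already dropped."""
    by_sig = defaultdict(lambda: {"count": 0, "sources": set(), "directions": set(),
                                  "severity": None, "blocked": 0})
    for event in parse_alerts(eve_text):
        alert = event["alert"]
        entry = by_sig[(alert["signature_id"], alert["signature"])]
        entry["count"] += 1
        entry["sources"].add(event["src_ip"])
        entry["directions"].add(direction(event))
        entry["severity"] = alert.get("severity")
        if alert.get("action") == "blocked":
            entry["blocked"] += 1
    return dict(by_sig)


def worth_blocking(entry):
    """Promote to drop when severity is 1 (Suricata's highest) or an internal host triggered the rule;
    leave low-severity inbound scan noise as alert-only so it cannot cause collateral blocks."""
    return entry["severity"] == 1 or "outbound" in entry["directions"]


def report(eve_text):
    """Rows sorted by hit count: (sid, signature, hits, distinct sources, directions, already blocked, decision)."""
    rows = []
    for (sid, name), e in sorted(triage(eve_text).items(), key=lambda kv: -kv[1]["count"]):
        rows.append((sid, name, e["count"], len(e["sources"]), "/".join(sorted(e["directions"])),
                     e["blocked"], "drop" if worth_blocking(e) else "alert"))
    return rows


if __name__ == "__main__":
    for sid, name, hits, sources, dirs, blocked, decision in report(SAMPLE_EVE):
        print(f"sid={sid} hits={hits} sources={sources} dir={dirs} already_blocked={blocked} -> {decision}  {name}")
```

Run it against a few days of real eve.json before enabling blocking; the signatures that land in the "alert" bucket are the ones to suppress or leave as alert-only, and the "drop" bucket is what blocking mode buys you.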
AutoConfigBackup (ACB) ships with pfSense: every config change is encrypted with a passphrase you choose and uploaded to Netgate's cloud, and you can restore to a new appliance in minutes if hardware fails. The backups are encrypted with that passphrase before they leave the firewall, so if it is lost they cannot be restored; record it somewhere other than the firewall itself.
Hardware fails. Lightning strikes. New admins push a bad rule. ACB gives you 60 days of snapshots — restore a working config in under 3 minutes without losing sleep.
| Date | Description | User | Size |
|---|---|---|---|
| 19-Apr 18:04 | Suricata ruleset enabled | admin | 28.4 KB |
| 19-Apr 17:32 | SSH key-only auth | admin | 27.9 KB |
| 19-Apr 17:10 | Admin rules added | admin | 27.1 KB |
We do all 10 of these hardening steps (plus 40 more) during every Khoji installation. Handover includes full documentation, backup passphrase, and admin training.