I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner.
The PCI scan identified two vulnerabilities WRT our pfsense machines. First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2? Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if it is earlier than 6.9). If we can fix these two things, a little over half of the complaints from the scanner will be resolved.

I have spent a couple of days using google, trying to resolve these, but to no avail (compounded by the fact that the signal to noise ratio in my searches was abysmal).

Thanks

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
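The two checks a scanner performs here can be reproduced locally before re-running it: which TLS protocol versions a listener still negotiates (so you can tell whether the lighttpd change took effect or another service on the firewall is answering), and whether an sshd banner meets the minimum OpenSSH version the scan expects. The script below is an added example, not code from the original post or from the pfSense project; it assumes the `openssl` CLI is installed, and the host, port and banner values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing list post or pfSense): verify the two
# scanner findings directly. Assumes the openssl CLI; host/port are placeholders.

# Print the TLS versions a listener accepts, one handshake attempt per version.
# Usage: tls_versions_accepted <host> <port>
tls_versions_accepted() {
  host=$1; port=$2; accepted=""
  for flag in tls1 tls1_1 tls1_2 tls1_3; do
    # -<flag> forces exactly that protocol version. A refused handshake still
    # prints a session summary, but with "Cipher is (NONE)"; a build without
    # that protocol prints no "CONNECTED" line at all, so both count as rejected.
    out=$(openssl s_client -connect "$host:$port" "-$flag" </dev/null 2>/dev/null)
    if printf '%s\n' "$out" | grep -q '^CONNECTED' &&
       ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
      accepted="$accepted $flag"
    fi
  done
  echo "$accepted"          # e.g. " tls1 tls1_2" means TLS 1.0 is still offered
}

# Return 0 when an OpenSSH banner such as "SSH-2.0-OpenSSH_6.6p1" is at least
# the given major.minor, 1 when it is older, 2 when it is not an OpenSSH banner.
# Usage: ssh_banner_at_least <banner> <min_major> <min_minor>
ssh_banner_at_least() {
  ver=$(printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  set -- $ver "$2" "$3"      # $1=major $2=minor $3=min_major $4=min_minor
  [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# Example run against placeholder values (the banner is the first line sshd
# sends on connect; capture it with whatever client you prefer).
if [ "$1" = "--demo" ]; then
  echo "TLS versions accepted by firewall.example:443:$(tls_versions_accepted firewall.example 443)"
  if ssh_banner_at_least "SSH-2.0-OpenSSH_6.6p1" 6 9; then
    echo "sshd version is at or above 6.9"
  else
    echo "sshd version is below 6.9 (scanner will flag it)"
  fi
fi
```

Run the TLS probe against every TLS-speaking port on the firewall (the web GUI port is the obvious one, but any other listener the scan reached counts), since the scanner reports per service, not per daemon you reconfigured.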