Restrict pfSense CE management interfaces; assume no patch is coming
From CTI Daily Brief — 2026-05-11 · published 2026-05-11
For pfSense Community Edition deployments at the perimeter of cantonal, municipal, healthcare, education or SME networks: place the web GUI and SSH on a management VLAN reachable only from authorised admin workstations; block /xmlrpc.php at the network level if the XMLRPC API is not actively used by automation; rotate any admin password that ever traversed a management interface exposed beyond the management VLAN; audit system.xml for unexplained post_reboot_commands entries. Plan migration to pfSense+ (commercial), OPNsense, or an alternative supported firewall platform for any deployment that cannot be locked down. Treat Netgate's "expected behaviour for administrators" position as a permanent posture, not a temporary delay.
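One way to run the post_reboot_commands audit named above, as an added example that is not part of the original brief or of pfSense itself: it finds every element with that name at any depth in an exported copy of the configuration and reports the ones whose command is not in an approved baseline. Only the element name comes from the brief; the XML layout, the sample commands and the baseline are constructed assumptions.

```python
import sys
import xml.etree.ElementTree as ET

TAG = "post_reboot_commands"  # element name as given in the brief

# Constructed sample. The layout is an assumption, not the real pfSense schema.
SAMPLE_XML = """<config>
  <system>
    <hostname>fw01</hostname>
    <post_reboot_commands>/usr/local/bin/approved-sync.sh</post_reboot_commands>
    <post_reboot_commands>/bin/sh /tmp/unknown.sh</post_reboot_commands>
  </system>
  <installedpackages>
    <post_reboot_commands>   </post_reboot_commands>
  </installedpackages>
</config>"""

# Hypothetical baseline: commands the admin team has documented and approved.
APPROVED = {"/usr/local/bin/approved-sync.sh"}


def find_entries(xml_text, tag=TAG):
    """Return (path, command) for each non-empty `tag` element at any depth."""
    found = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        if node.tag == tag:
            # Collapse whitespace so formatting differences do not hide a match.
            text = " ".join("".join(node.itertext()).split())
            if text:
                found.append((here, text))
            return  # nested text is already captured by itertext()
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return found


def unexplained(xml_text, approved=APPROVED):
    """Entries whose normalised command string is not in the baseline."""
    return [(p, c) for p, c in find_entries(xml_text) if c not in approved]


if __name__ == "__main__":
    # Pass an exported copy of the config as argv[1]; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    hits = unexplained(text)
    for path, cmd in hits:
        print(f"UNEXPLAINED {path}: {cmd}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any unexplained entry lets the check run from a scheduled job against each configuration backup.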