• Request configurability of default catch-all block rules (locked, 7 posts, 3k views)
    Simply add a rule at the bottom of each screen's rule list to override it. << Here's what happens in rules.debug when I add my own custom catch-all-block to the bottom of Firewall->Rules->WAN:

        User-defined rules follow . . .
        pass in quick on $lan from 172.19.1.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
        pass in quick on $enc0 from any to any keep state  label "USER_RULE: Permit IPSEC traffic."
        ===> block return-rst in quick on $wan proto tcp from any to any flags S/SA  label "USER_RULE: test return-rst block-all rule" <====
        VPN Rules
        pass in quick on fxp1 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
        pass in quick on fxp1 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
        ---> pass in quick on fxp0 inet proto tcp from port 20 to (fxp0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" <---
        enable ftp-proxy
        pass in quick on fxp2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
        pass in quick on fxp2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
        IMSpector
        anchor "imspector"
        uPnPd
        anchor "miniupnpd"

    My custom catch-all block rule for the $wan interface (denoted with '===>') appears before the VPN Rules, IMSpector and uPnPd sections. It now interferes with one of the VPN rules (denoted with '--->'). I don't know what goes in IMSpector or uPnPd, but it's likely any catch-all block rules I'd add to the User-Defined section would interfere with them, as well as any future work you do adding additional sections to rules.debug after the user-defined section. By definition, catch-all block rules like your "Default block all just to be sure" rules must appear at the end of the pf ruleset. The WebGUI does not give you the ability to modify them, nor position these kinds of rules at the end.
    I'll investigate creating a patch.
• Bug in rules.debug if interface is down (locked, 4 posts, 2k views)
    @rcarr: I just think it's more correct to refer to an interface's IP addr by reference "($wan)" than by value. You might be right. Mind submitting a patch to change this behavior?
• Late ACKs from torn-down HTTP connections (locked, 6 posts, 3k views)
    @rcarr: How/where do I access the tcp.established timeout parm? Is it "State Timeout in seconds" in the Advanced Options of any rule? Yep, that's the one.
• Block P2P seems like mission impossible (locked, 8 posts, 11k views)
    Hi, using a traffic quota for every user, and if the traffic exceeds the quota then his internet will be blocked or slowed down to minimum bandwidth. hadi57
• Firewall rules refresh bug (locked, 4 posts, 2k views)
    Try reinstalling from a recent snapshot iso.
• Traffic blocked for 2nd LAN (locked, 6 posts, 3k views)
    It should still work this way. Make sure all clients at LAN and OPT1 use the correct gateway and have valid IP configuration.
• (2 posts, 2k views)
    The rules.debug is dynamically regenerated and reloaded when needed (on ruleset changes, on bootup, on loadbalancer status changes, …) and therefore your changes won't stay for very long. What you try to do is not really supported.
• Time schedules + load balancing = syntax errors (locked, 11 posts, 4k views)
    Well, if anyone is interested how I'm using all of this (my setup): I got 3 x WAN and 2 x failover and 1 x load balance.
    1st wan = ADSL 512kbps/256kbps uncapped (very little bandwidth supply in South Africa) = fixed cost = provided by 'Internet Solutions'
    2nd wan = 802.11a/g 4mbps (at its best of times, but atm it's just a tiny bit faster than the above mentioned ADSL) = 7gb, then after that cost per mb = wireless linked back to local 'Internet Solutions' branch
    3rd wan = 1mbps = link to neighbouring company hosting our web servers = cost per mb = from neighboring company laser link back to local 'Internet Solutions' branch
    1st failover = 1st to 2nd to 3rd
    2nd failover = 2nd to 1st to 3rd
    balance = 1st and 2nd and 3rd
    Now normally I have a select few take the 2nd failover option (faster), else everyone takes the 1st failover (cheaper). Never really use the balance. Now surely it would be a good idea to put a schedule on all rules so that at night everyone can only go out the fixed cost ADSL, in case people run downloads at night and run our cost per mb bills up. I haven't had any problems with the failover feature :) very nice to have
• Flags and options (locked, 1 post, 2k views)
    No one has replied
• Schedules not synced in a carp-cluster (locked, 1 post, 2k views)
    No one has replied
• Setting subnets (locked, 2 posts, 2k views)
    GruensFroeschli: If you get the IP via DHCP you have to contact the person who's administering your DHCP. If you have it static, just configure it in the WAN tab. 248 is /29
• HELP ROUTE/NAT (locked, 3 posts, 2k views)
    THANKS FOR HELP ME. ALL IS OK NOW. BYE!
• FTP Problems in Routing Mode with public IPs (locked, 2 posts, 2k views)
    Update: There seems to be a problem with the FTP Helper which is currently being investigated… In the meantime I have forwarded the passive FTP ports manually ;-) Thanks a lot, Hoba! :)
• Alternate for "synproxy state" ? (locked, 1 post, 2k views)
    No one has replied
• Teamspeak server (locked, 8 posts, 5k views)
    @redpanther: @sdale: Most likely your problem was the firewall rule reload bug, where firewall rules were not being reloaded properly until after a reboot. Do I have to reboot every time I make a rule? No, this was a bug only present in a special version but it has long been fixed. In fact you only have to reboot when restoring a complete config.xml. All other changes are applied on the fly.
• Weird weird problem (locked, 2 posts, 2k views)
    Try this.
    1. Update to a recent snapshot? ( http://snapshots.pfsense.com/FreeBSD6/RELENG_1/ ) Still having issues, go to #2
    2. System -> Advanced -> Disable Firewall Scrub, enable this option. Work now?
• Port forwarding through on a dual wan. (locked, 3 posts, 2k views)
    Ok, that worked. I had forgotten to put the NAT rule in, just created the firewall rules myself. ;D
        WAN  TCP  19040  192.168.0.1 (ext.: 192.168.1.8)  19040
    That made it work and added the appropriate firewall rules too. Thanks heaps for that. ;)
• Webgui from WAN side. Did I do it right? (locked, 2 posts, 2k views)
    This works but is more than is needed. Https is always a good idea. However you don't need the NAT rule. Just make the webgui listen on one non-default port at system>general. Then create a rule at firewall>rules, wan: Pass, protocol tcp, source any, destination wan address, port <webguiport>, gateway default. If you want to access your LAN clients from remote safely you should set up a VPN. There are different options. Which one is suitable for you depends mainly on your client and on the restrictions/capabilities of the remote end that you are behind.
• IPSec Passthrough not working (locked, 3 posts, 3k views)
    Allowing AH, ESP, and UDP 42000 outbound from the LAN subnet did the trick. Thanks for the help. :D
• Some questions about rules. (locked, 2 posts, 2k views)
    In general it works like this: traffic is checked on incoming connections at an interface. If the connection is allowed it will create a state to allow the reverse connection as well. First rule wins (top down).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.