Is a default block rule for Lan necessary? (newbie question)

doc_holiday · Feb 6, 2007, 12:54 PM

I have set up PFsense and it seems to be running very well… plus I have learned a tonne about FreeBSD and networking (NAT in particular) in the process.

I have the LAN running NAT with 192.168.x.x I assume by the very nature of the way NAT works that if I do not have any forwarding rules into my LAN, then no default inbound block rule is required. Presently I only have a rule to allow traffic out of the LAN.

Thanks for your help. I just want to make sure everything is secure!

TIA

hoba · Feb 6, 2007, 4:50 PM

There is an "invisible" rule at every interface that blocks any traffic at the bottom of your rules. This means anything not explicitly allowed will be dropped. To add a drop all rule at the bottom of your firewallrules is therefore not needed as it is generated by the system by default.

doc_holiday · Feb 7, 2007, 8:31 AM

@hoba:

There is an "invisible" rule at every interface that blocks any traffic at the bottom of your rules. This means anything not explicitly allowed will be dropped. To add a drop all rule at the bottom of your firewallrules is therefore not needed as it is generated by the system by default.

I suspected so as that was what my tests revealed, but wanted to make 100% sure. Thanks!

hoba · Feb 7, 2007, 9:07 AM

There's a note about this behaviour if no rules are present at all on an interface.

doc_holiday · Feb 7, 2007, 1:50 PM

@hoba:

There's a note about this behaviour if no rules are present at all on an interface.

Can you tell me where? I have read the entire m0n0wall docs and tried to read most of the stuff on the pfsense sites. I just want to know in case I missed it in something I haven't read or if there is another resource that I don't know about.

hoba · Feb 7, 2007, 2:01 PM

In the webgui: Firewall>rules at the very bottom:

Hint:
Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.

Rockyboa · Feb 7, 2007, 3:10 PM

Again, like I mentionned in the Firewall thread, the outgoing FTP is not block even with this invisible block all rule.

Martin

sullrich · Feb 7, 2007, 3:31 PM

@Rockyboa:

Again, like I mentionned in the Firewall thread, the outgoing FTP is not block even with this invisible block all rule.

Martin

Block incoming on LAN to 127.0.0.1. That will kill it.