Is a default block rule for Lan necessary? (newbie question)
-
I have set up pfSense and it seems to be running very well… plus I have learned a tonne about FreeBSD and networking (NAT in particular) in the process.
I have the LAN running NAT with 192.168.x.x. I assume, by the very nature of the way NAT works, that if I do not have any forwarding rules into my LAN, then no default inbound block rule is required. Presently I only have a rule to allow traffic out of the LAN.
Thanks for your help. I just want to make sure everything is secure!
TIA
-
There is an "invisible" rule at the bottom of your rules on every interface that blocks any traffic. This means anything not explicitly allowed will be dropped. Adding a drop-all rule at the bottom of your firewall rules is therefore not needed, as it is generated by the system by default.
-
I suspected so as that was what my tests revealed, but wanted to make 100% sure. Thanks!
-
There's a note about this behaviour if no rules are present at all on an interface.
-
Can you tell me where? I have read the entire m0n0wall docs and tried to read most of the stuff on the pfsense sites. I just want to know in case I missed it in something I haven't read or if there is another resource that I don't know about.
-
In the web GUI: Firewall > Rules, at the very bottom:
Hint:
Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.
-
Again, like I mentioned in the Firewall thread, outgoing FTP is not blocked even with this invisible block-all rule.
Martin
-
Block incoming on LAN to 127.0.0.1. That will kill it.
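The two behaviours discussed in this thread, the invisible block at the end of every interface's rule set and first-match evaluation (which is why the suggested "block LAN to 127.0.0.1" rule only works if it sits above the allow-all-out rule), are modelled below in a small rule evaluator. This is an added illustration written for this page, not pfSense's or pf's own code; the interface names, the 192.168.1.0/24 LAN, the rule sets and the sample packets are all constructed for the example.

```python
"""First-match rule evaluation with an implicit default deny.

Added example modelling the behaviour described in the thread: rules on an
interface are evaluated top to bottom, the first matching rule decides, and a
packet that matches no rule is dropped by the invisible block at the end.
Simulation only (not pfSense code); rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet arrives on ("lan", "wan")
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    iface: str
    proto: str = "any"
    src: str = "any"           # CIDR or "any"
    dst: str = "any"           # CIDR or "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule). First match wins.

    If nothing matches, the invisible default rule blocks the packet and the
    index is None, so the caller can see that no explicit rule was involved.
    """
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "block", None       # implicit block-all at the bottom of the list


# Constructed rule sets (hypothetical LAN subnet 192.168.1.0/24).
LAN_ALLOW_OUT = [Rule("pass", "lan", src="192.168.1.0/24")]           # only rule in the OP's setup

LAN_BLOCK_FIRST = [                                                    # block placed above the pass rule
    Rule("block", "lan", src="192.168.1.0/24", dst="127.0.0.1/32"),
    Rule("pass", "lan", src="192.168.1.0/24"),
]

LAN_BLOCK_LAST = [                                                     # same rules, wrong order
    Rule("pass", "lan", src="192.168.1.0/24"),
    Rule("block", "lan", src="192.168.1.0/24", dst="127.0.0.1/32"),
]

# Constructed sample packets.
LAN_TO_INTERNET = Packet("lan", "tcp", "192.168.1.10", "203.0.113.5", 80)
WAN_UNSOLICITED = Packet("wan", "tcp", "198.51.100.7", "203.0.113.1", 22)   # no WAN rules at all
LAN_TO_LOCALHOST = Packet("lan", "tcp", "192.168.1.10", "127.0.0.1", 21)


if __name__ == "__main__":
    # No WAN rules exist, so the unsolicited inbound packet hits the invisible block.
    print("WAN unsolicited:", evaluate(LAN_ALLOW_OUT, WAN_UNSOLICITED))      # ('block', None)
    print("LAN to internet:", evaluate(LAN_ALLOW_OUT, LAN_TO_INTERNET))      # ('pass', 0)
    # Order matters: the block rule only takes effect when it precedes the pass rule.
    print("block first:", evaluate(LAN_BLOCK_FIRST, LAN_TO_LOCALHOST))       # ('block', 0)
    print("block last: ", evaluate(LAN_BLOCK_LAST, LAN_TO_LOCALHOST))        # ('pass', 0)
```

Run it directly to see the four decisions. The interesting pair is the last two: with identical rules, the 127.0.0.1 block only wins when it is listed above the pass rule, which is exactly the ordering point the rules-page hint makes.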