Netgate Discussion Forum
    Default Deny behavior

    Firewalling
      erisan500

      Hi all,

      I've just set up pfSense 2.0.3 on an ESXi 5.1 box. On ESXi I created VLANs for LAN (10), WAN (100), DMZ (20).
      I have a host in the LAN and DMZ.

      While testing I discovered that I can ping the host in the DMZ although I didn't create any rules on the DMZ yet.
      Is this expected behavior?

      At http://doc.pfsense.org/index.php/Firewall_Rule_Basics I found: Firewall rules are processed from the top down, and the first match wins. The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.

      Greetings,
      Eric

        phil.davis

        LAN gets an allow all rule by default - so you can originate a ping from LAN to anywhere. That establishes a state, and the ICMP response from DMZ will come back to you.
        That text needs a little extra:

        The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed. The "factory defaults" and wizard add an allow all firewall rule on LAN.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

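The behaviour phil.davis describes (default deny on every interface, an "allow all" rule on LAN only, and the reply riding back on the state the LAN rule created) can be made concrete with a small stateful filter model. This is an added example, not pfSense or pf code: the addresses are constructed, the state table is a single flow set with no interface binding or timeouts, and the rule list is the thread's description of the factory defaults, not the actual ruleset pfSense generates.

```python
"""Toy model of pfSense's default-deny + stateful behaviour (added example, not pfSense code).

Models three things from the thread:
  * rules are evaluated per interface, top-down, first match wins
  * an interface with no matching rule drops the packet (default deny)
  * a packet passed by a rule creates a state; the reply (reversed flow)
    is passed by that state without consulting any rule on its interface
Simplification: one global state set, no direction/interface binding, no timeouts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet ARRIVES on ('LAN', 'DMZ', 'WAN')
    proto: str          # 'icmp', 'tcp' or 'udp'
    src: str
    dst: str
    sport: int = 0      # for ICMP echo: the echo identifier in both fields
    dport: int = 0

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        # What the reply to this packet looks like (src/dst and ports swapped).
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str         # 'pass' or 'block'
    proto: str = 'any'
    src: str = 'any'    # CIDR or 'any'
    dst: str = 'any'

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (self.iface == p.iface
                and self.proto in ('any', p.proto)
                and in_net(p.src, self.src)
                and in_net(p.dst, self.dst))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    def filter(self, p: Packet) -> str:
        # 1. State table first: a reply to an established flow never hits the rules.
        if p.reverse_flow() in self.states or p.flow() in self.states:
            return 'pass (state)'
        # 2. Rules for the arriving interface, top-down, first match wins.
        for r in self.rules:
            if r.matches(p):
                if r.action == 'pass':
                    self.states.add(p.flow())   # 'keep state' is the pf default
                    return 'pass (rule)'
                return 'block (rule)'
        # 3. Nothing matched: implicit default deny.
        return 'block (default deny)'


def factory_default_rules():
    # Assumption from the thread: only LAN gets an allow-all rule; DMZ/WAN have none.
    return [Rule(iface='LAN', action='pass')]


def run_scenario():
    """LAN pings DMZ, DMZ replies, then DMZ tries to initiate its own ping."""
    fw = Firewall(factory_default_rules())
    lan_host, dmz_host = '10.0.10.5', '10.0.20.5'       # constructed addresses
    echo_req = Packet('LAN', 'icmp', lan_host, dmz_host, sport=0x1234, dport=0x1234)
    echo_rep = Packet('DMZ', 'icmp', dmz_host, lan_host, sport=0x1234, dport=0x1234)
    dmz_req = Packet('DMZ', 'icmp', dmz_host, lan_host, sport=0x4242, dport=0x4242)
    return {
        'lan_ping_out': fw.filter(echo_req),      # pass (rule)  -> state created
        'dmz_reply_back': fw.filter(echo_rep),    # pass (state) -> no DMZ rule needed
        'dmz_initiated_ping': fw.filter(dmz_req), # block (default deny)
    }


def first_match_scenario():
    """A block rule placed above the allow-all on LAN wins because first match wins."""
    rules = [Rule('LAN', 'block', proto='icmp', dst='10.0.20.0/24'),
             Rule('LAN', 'pass')]
    return Firewall(rules).filter(Packet('LAN', 'icmp', '10.0.10.5', '10.0.20.5', 7, 7))


if __name__ == '__main__':
    for name, verdict in run_scenario().items():
        print(f'{name:20s} {verdict}')
    print(f'{"lan_block_first":20s} {first_match_scenario()}')
```

Running it shows the ping from the LAN host passing on the LAN rule, the DMZ host's echo reply passing on the state alone, and a ping originated from the DMZ host being dropped by default deny; swapping the rule order in `first_match_scenario` shows why placing a block above the allow-all changes the result.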
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.