Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Some basic advise

    Firewalling
    3
    4
    665
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gotty101
      last edited by

      Hello hopefully i wont get flamed, but ive tried to look at other posts and i would like to ask a basic question.

      When PF sense is installed it sets up a basic rule for the lan. From what ive read the rules control inbound traffic (https://doc.pfsense.org/index.php/Firewall_Rule_Basics)
      So the default rule that is setup appears the allow anything. Is this a security issue ie could someone via the wan get to my lan interface.
      Or am i missing the point, and the fact that the same default rule isnt setup on the WAN means the firewall will do its work?

      The reason im asking this is i setup the same default rule on an interface that i have plugged my CCTV NVR into, and i was able to see my cctv cameras on my phone via 4g with the wifi off so i hit via the wan interface. What i was confused about was how did this occur when i hadn't setup any port forwarding yet?

      Im sorry for the basic questions, i would like to get some initial understanding before i mess about too much.

      Trev

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Rules on an interface allow traffic INTO that interface. That means connections originating INTO that interface.

        Connections INTO your firewall from the outside will come INTO the WAN interface. By default, there are no rules on the WAN interface and nothing is passed.

        If a user on your LAN interface opens a web browser and opens a web page, that connection will start on the LAN interface. By default, that traffic is passed by the default rules on the LAN interface.  If you want to change that, you certainly can.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          Keep in mind that rules are evaluated in specific order, on your lan or opt interfaces you create as traffic enters into the interface from that network.

          Top down, first rule to trigger wins, no other rules are evaluated.

          Floating rules can act a bit different, or could be set as quick and floating is looked at before lan and opt, etc.  You need to look at https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

          But in general wan, lan and any opt/vlans you create top down, first to trigger wins stop looking at rules.  If there are no rules on an interface then traffic will be denied by the default deny rule..

          Pfsense does some stuff in the background to keep it simple, like if you enable dhcp server then rules are put in to allow for that to happen.  Just not shown on the gui, etc.

          Out the box unsolicited from the WAN into pfsense would be blocked - period.  Anything on your lan would be able to do whatever it wants outbound.. Because of the default any any rule that is placed on the lan interface.

          Now keep in mind from the lan you could hit the wan IP.. So you might think for example that pfsense wan is open.. No its not - you came from the LAN, the rules on lan said you could go any any.. So sure you can hit the pfsense wan IP on any port listening.. But if you were coming from the WAN side you would be blocked..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • G
            gotty101
            last edited by

            Thanks for your help guys. I'm just looking at your example lan and Wi-Fi set up and its given me a good idea. Its a bit of a step up when you've only used the basic home routers.

            Trev

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.