Netgate Discussion Forum

    Is my current firewall config insecure?

    Firewalling
      hypernova

      Hi,

      Under Firewall/Rules/WAN I have the following config:

      IPv4, source=* port=, destination=LAN net, port=

      Is this a dangerous/insecure configuration?

      If I understand correctly this means pfSense will forward any traffic received on interface WAN destined for my LAN network, with any destination port.

      Does this open my network to external attacks?

      Previously I have configured a Debian machine as a router. I am no expert, but I remember having some setting which only permitted established connections to pass? (aka: connections initiated by computers on my LAN network.)

      By the way outgoing traffic on WAN is set to NAT.

        nagachampa

        Yep, your intuition is accurate - this would not be an ideal configuration. By default, with no rules on the WAN interface, pfSense will block all incoming traffic. This is pretty secure. I usually put a drop all anyway on the way - makes me feel better.

          hypernova

          Ok, thanks for the info! I've fixed it. Don't remember why those rules were there. I may have put them by accident.

          Presumably pfSense automatically tracks states, such that outgoing connections can accept a reply from the outside world.

          (Well, it must do, or it wouldn't work, right?)

            nagachampa @hypernova

            @hypernova said in Is my current firewall config insecure?:

            automatically tracks states, such tha

            Yep... it's stateful - so it will allow reply traffic without a specific allow on the WAN side. You're safe now. ;)👍

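A defender-side check for the kind of rule discussed in this thread, as an added example that is not part of any post: it scans the `<filter>` rules of a pfSense configuration backup for enabled WAN pass rules whose source is any and whose destination is any or a whole interface network with no port. The XML element layout, the function names and the sample rules are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread: three rules in the layout
# assumed here for the <filter> section of a pfSense config.xml backup.
SAMPLE_CONFIG = """
<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <source><any/></source>
      <destination><network>lan</network></destination>
      <descr>pass anything to LAN net</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.0.2.10</address><port>443</port></destination>
      <descr>published HTTPS host</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>default allow LAN to any</descr>
    </rule>
  </filter>
</pfsense>
"""

def broad_destination(dst):
    """True for 'any' or a whole interface network with no port restriction."""
    broad = dst.find("any") is not None or dst.find("network") is not None
    return broad and dst.find("port") is None

def risky_wan_rules(config_xml):
    """Return descriptions of enabled WAN pass rules open to any source and port."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if (rule.find("disabled") is not None or rule.findtext("type") != "pass"
                or rule.findtext("interface") != "wan"):
            continue  # skip disabled rules, block/reject rules and other interfaces
        src, dst = rule.find("source"), rule.find("destination")
        if (src is not None and dst is not None
                and src.find("any") is not None and broad_destination(dst)):
            findings.append(rule.findtext("descr", default="(no description)"))
    return findings

if __name__ == "__main__":
    print(risky_wan_rules(SAMPLE_CONFIG))
```

Only the first sample rule is reported; the port-restricted WAN rule and the LAN rule are not, and reply traffic for LAN-initiated connections needs no WAN rule at all because the firewall is stateful.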
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.