Nice FW, but some suggestions for future releases..



  • Hi.

    I've tried pfSense this week for the first time and like it a lot.
    Very clean and easy management interface.

    But…
    I'm an old user of OpenBSD PF and FreeBSD and set up many rules in my years.

    What I'm missing is an advanced choice that does not configure any default and automatic rules.
    I want to set up all my rules and NAT by myself for all interfaces.

    I hope this could be a feature in future. An advanced pf config checkbox.

    I'm a fan of the deny all inbound and outbound and then configure exactly what to allow, and not to use the default allow all outbound for all interfaces.

    One thing more about the default rules is that it would be better also if those rules were listed in the rules list so you see those default rules in the web interface and not only in console pfctl or the file rules.debug for those people not so familiar with Linux/BSD.

    It also would be very nice if the project could add the function to use aliases in NAT rules (for example, port aliases). It seems that you can only specify a specific port or range!?

    It would also be nice to be able to specify both ICMP types and codes in the ICMP rule section.

    Those are only some features I'm missing right now when I tested the firewall and that I hope can be implemented in future releases.

    Keep up with the good work :)



  • @miikaaa:

    What I'm missing is an advanced choice that does not configure any default and automatic rules.
    I want to set up all my rules and NAT by myself for all interfaces.

    You can. Delete the default rule on LAN, enable Advanced Outbound NAT. The only exception would be PPTP and IPsec auto-added rules, which will be optional in 2.0. You can remove two lines in filter.inc to remove those.

    @miikaaa:

    I'm a fan of the deny all inbound and outbound and then configure exactly what to allow, and not to use the default allow all outbound for all interfaces.

    You and me both, but people would scream like mad if we went with anything other than the current default.

