When should I block inbound?



  • I’ve just recently installed pfSense and pfblockerng and this is all a little outside my expertise.

    Most of the guides I’ve read have recommended using “deny both”, but with the default blocking of all inbound traffic I can see that “deny outbound” would probably make more sense.

    When and why would I ever need to deny inbound traffic? I’m sure there is a reason why this option was included.


  • Moderator

    You only need to add rules to the Inbound, if you have any open WAN ports that you would like to filter on.



  • You only need to add rules to the Inbound, if you have any open WAN ports that you would like to filter on.

    To add to this, I think most guides say to use Deny Both because while you may start out with the default case of all unsolicited inbound WAN traffic being blocked, as soon as a single port is open for service, the game is afoot.  So, if you start out with Deny Both, then at least you're covered if something changes on the WAN and you forget to change your pfB protection.

    Personally, I use Floating for my pfB lists and have them attached to both WAN\LAN…


  • Moderator

    @cyberzeus:

    You only need to add rules to the Inbound, if you have any open WAN ports that you would like to filter on.

    To add to this, I think most guides say to use Deny Both because while you may start out with the default case of all unsolicited inbound WAN traffic being blocked, as soon as a single port is open for service, the game is afoot.  So, if you start out with Deny Both, then at least you're covered if something changes on the WAN and you forget to change your pfB protection.

    Personally, I use Floating for my pfB lists and have them attached to both WAN\LAN…

    Keep in mind that adding rules to the WAN when there are no open ports is wasting processing power of the box and slowing down queries, as each inbound packet will go through each table unnecessarily. You're also going to fill the widget and logs with noise and miss out on the real events that were being blocked, which should be investigated.
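As an added illustration (written for this thread, not taken from pfBlockerNG or from the posters), here is a hand-written pf ruleset in pf.conf syntax that shows the point the moderator is making: a "deny inbound" list rule on WAN only ever matches traffic that a later pass rule would admit, so with no open port it is pure lookup cost, while a "deny outbound" rule on LAN does useful work regardless. Interface names, the table name and the blocklist file path are assumptions; pfBlockerNG generates its own names and rules.

```pf
# Assumed interface and table names (pfBlockerNG uses its own).
wan = "em0"
lan = "em1"
# Aggregated blocklist; path is an assumption for this example.
table <pfB_deny> persist file "/var/db/pfblockerng/deny.txt"

set skip on lo0

# Default deny: unsolicited inbound on WAN is dropped here with no
# list involved. pf uses last-match unless "quick" is set, so this
# rule only loses to a pass rule that appears further down.
block in log on $wan all

# "Deny inbound" (WAN): the table lookup runs for every inbound packet,
# but it can only change the outcome for packets that a pass rule
# below would otherwise accept. With no pass rule, it is wasted work
# and fills the logs with hits that the default deny covers anyway.
block in log quick on $wan from <pfB_deny> to any

# The moment a service is exposed, the list rule above is what keeps
# blocklisted sources off it. Remove this line and the list rule on
# WAN never affects a decision.
pass in on $wan proto tcp from any to ($wan) port 443 flags S/SA keep state

# "Deny outbound" (LAN): in the pfSense model, LAN rules apply to
# traffic entering the LAN interface from internal hosts. This rule
# stops inside machines reaching listed destinations whether or not
# any WAN port is open, which is why guides default to "deny both".
block in log quick on $lan from $lan:network to <pfB_deny>
pass in on $lan from $lan:network to any keep state

# Floating-style equivalent: one rule not tied to a single interface,
# matching the "attached to both WAN\LAN" approach described above.
# block log quick on { $wan $lan } from any to <pfB_deny>
```

The log keyword on the block rules is what turns list hits into the widget and log entries discussed in the thread, so the rule placement also decides how much noise those logs carry.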

