Block outgoing traffic from pfSense

  • Hello, I'm trying to configure a firewall rule for blocking traffic originated from the firewall itself (like an OUTPUT rule in Linux iptables). I have created a floating rule with source as This firewall (self) and direction Out to the WAN interface, but it's also matching NAT traffic from LAN to WAN.
    How can I create a rule that matches only the traffic originated by the pfSense box itself?
    I've found a similar issue on this topic:

  • LAYER 8 Global Moderator

    Why would you want/need to block such traffic?  The only traffic the firewall would generate outbound from itself would be like dns query its doing for your clients, itself.  Checking on package updates, updates to pfsense, etc.

    Is there some specific traffic pfsense is generating that you do not like?  Might be better to just disable whatever that is vs blocking it at the firewall level.

  • @Felipe:

    How can I create a rule that matches only the traffic originated by the pfSense box itself?

    Not sure if that's a good idea and if its possible. To the outside world all the traffic looks like its coming from pfSense "The source". So if you block that you may have issues accessing the web. What you are asking for would end up blocking all outbound traffic

  • Good question! In linux its straight forward. But in pfSense this 'seems' not possible :(

  • LAYER 8 Global Moderator

    You can filter on the egress with a floating rule - and even pick the alias this firewall.. But you have to look into when traffic is natted and would it be blocking traffic from client that was natted, etc.

    I am just at a loss to why you would want/need to do such a thing - this is not a server where other stuff might be running that you don't want to have internet..  The only traffic the firewall would create is checking on updates - which you can turn off, and like the resolver looking up stuff your clients asked for..

    This is your SECURITY appliance, which have to assume is trusted ;)  What sort of traffic is it creating that you feel needs to be firewalled?

    I can see it now - my firewall can not get a IP on its wan.. Well maybe because you blocked the firewall from talking out the wan interface with a firewall rule… Why is unbound not working.. My package list doesn't update, etc. etc..  My gateways show down and nothing works... Because you blocked pfsense from pinging your gateway so it thinks its sown? ;)

Log in to reply