    Trying to get my head around denying all outbound traffic from my pfSense box.  At the minute this is in test before I move it live.

    My first rule is to block any protocol from LAN net to WAN net.

    I then have my rules to allow:
    UDP 53 to selected servers from LAN net
    TCP/UDP 123 to selected servers from LAN net
    TCP 80 + 443 from LAN net
    I then have other rules such as:
    UDP 500 + 4500 to my mobile phone provider for WiFi calling

    Then the two built-in rules at the bottom (IPv4+6 LAN net to anywhere, "Default allow LAN IPv4/6 to any"), which are set to block.

    Have I done this right?  Certain things that access specific ports still seem to work; have I done anything wrong?

  • WAN net != The Internet.  It is only the actual defined subnet of your WAN.

    Yeah this question comes up like once a week ;)

    Maybe there should be some note on all the firewall tabs that blinks HUGE red letters – WAN net is not the internet ;) hehehe

    It's pretty clear on the firewall basics page:

    LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also includes IP alias networks on that interface.
    LAN address - The IP address configured on the LAN interface under Interfaces > LAN
    zzz Net / zzz address - Works the same as LAN above but for other interfaces (WAN, OPT1, OPT2, etc.)

    Maybe we should really add a note there specific to WAN net, that this is not the internet but only the network WAN is connected to…  Going to add that now I think to the wiki.
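To make the point concrete, here is an added example (not from this thread or from pfSense itself) that models pf-style first-match evaluation of the poster's LAN rules; the subnets and hosts are constructed, with "WAN net" deliberately set to a small ISP link subnet so that an Internet destination never matches the "block LAN net to WAN net" rule.

```python
# Constructed example: first-match evaluation of a LAN ruleset, showing why
# "block LAN net -> WAN net" does not block traffic to the Internet.
import ipaddress
from typing import NamedTuple, Optional, Set, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # "LAN net" (constructed)
WAN_NET = ipaddress.ip_network("203.0.113.0/29")  # "WAN net": only the link subnet
ANY = ipaddress.ip_network("0.0.0.0/0")           # "any"


class Rule(NamedTuple):
    action: str                     # "pass" or "block"
    proto: str                      # "any", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Set[int]]      # None = any destination port


# The poster's ruleset, top to bottom (WiFi-calling rule omitted for brevity).
RULES = [
    Rule("block", "any", LAN_NET, WAN_NET, None),   # only matches the WAN subnet
    Rule("pass", "udp", LAN_NET, ANY, {53}),
    Rule("pass", "tcp", LAN_NET, ANY, {80, 443}),
    Rule("block", "any", LAN_NET, ANY, None),       # "default allow" flipped to block
]


def evaluate(proto: str, src: str, dst: str, dport: int,
             rules=RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule); no match = implicit block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action, i
    return "block", None


if __name__ == "__main__":
    # An Internet host (constructed) is not in WAN net, so rule 0 never fires;
    # the bottom "block any" rule is what actually stops unlisted traffic.
    print(evaluate("tcp", "192.168.1.10", "198.51.100.5", 22))   # ('block', 3)
    print(evaluate("tcp", "192.168.1.10", "203.0.113.2", 22))    # ('block', 0)
    print(evaluate("tcp", "192.168.1.10", "198.51.100.5", 443))  # ('pass', 2)
```

If the bottom rule is left at its default of pass, the same port-22 flow to an Internet host is allowed, which is the behaviour the question describes.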

