Netgate Discussion Forum

    Deny All Outbound

    Firewalling
      MattL88

      Evening,

      Trying to get my head around denying all outbound traffic from my pfSense box.  At the minute this is in test before I move it live.

      My first rule is to block any protocol from LAN net to WAN net.

      I then have my rules to allow:
      UDP 53 to selected servers from LAN net
      TCP/UDP 123 to selected servers from LAN net
      TCP 80 + 443 from LAN net
      I then have other rules such as:
      UDP 500 + 4500 to my mobile phone provider for WiFi calling

      Then the two built-in rules at the bottom (IPv4 + IPv6 LAN net to anywhere, the "Default allow LAN IPv4/IPv6 to any" rules), which are set to block.

      Have I done this right?  Certain things that access specific ports still seem to work; have I done anything wrong?

        KOM

        WAN net != The Internet.  It is only the actual defined subnet of your WAN.

          johnpoz (Global Moderator)

          Yeah this question comes up like once a week ;)

          Maybe there should be some note on all the firewall tabs that blinks HUGE red letters – WAN net is not the internet ;) hehehe

          It's pretty clear on the firewall basics page

          LAN net - The subnet configured on the LAN interface under Interfaces > LAN. On pfSense 2.2+, this also includes IP alias networks on that interface.
          LAN address - The IP address configured on the LAN interface under Interfaces > LAN
          zzz Net / zzz address - Works the same as LAN above but for other interfaces (WAN, OPT1, OPT2, etc.)

          Maybe we should really add a note there specifically for WAN net, that this is not the internet but only the network WAN is connected to…  Going to add that now I think to the wiki.

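An added example, not part of the thread and not pfSense's own code: a small Python first-match evaluator that models the LAN ruleset MattL88 describes, using constructed addresses (LAN net 192.168.1.0/24, WAN net 203.0.113.0/24, hypothetical DNS and NTP servers, and a hypothetical carrier range for the UDP 500/4500 rule). It shows the point KOM and johnpoz make: a "block LAN net to WAN net" rule only fires when the destination sits inside the WAN subnet, an Internet-bound packet is instead stopped by the last rule (or by pfSense's implicit default deny when no rule matches), and a catch-all block has to name "any" as the destination and sit below the allow rules, because the first matching rule wins.

```python
"""Added example (not from the forum thread): a toy first-match evaluator
showing that "block LAN net -> WAN net" only catches traffic to the WAN
subnet, and that a real deny-all uses "any" and sits below the allow rules.

All addresses below are constructed; the post gives none.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address aliases, mirroring pfSense's interface-derived "net" aliases.
ALIASES = {
    "LAN net": [ip_network("192.168.1.0/24")],
    "WAN net": [ip_network("203.0.113.0/24")],        # the WAN *subnet*, not the Internet
    "DNS servers": [ip_network("198.51.100.53/32")],  # hypothetical "selected servers"
    "NTP servers": [ip_network("198.51.100.123/32")],  # hypothetical "selected servers"
    "Carrier": [ip_network("192.0.2.0/24")],          # hypothetical WiFi-calling gateways
}


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp", "udp" or "tcp/udp"
    src: str              # alias name or "any"
    dst: str              # alias name or "any"
    dports: tuple = ()    # () matches any destination port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def addr_matches(alias: str, addr: str) -> bool:
    """'any' matches everything; an alias matches if the address is inside one of its networks."""
    if alias == "any":
        return True
    ip = ip_address(addr)
    return any(ip in net for net in ALIASES[alias])


def proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def first_match(rules: list, pkt: Packet) -> Optional[Rule]:
    """Evaluate top-down; the first matching rule wins, as pfSense interface rules do."""
    for r in rules:
        if (proto_matches(r.proto, pkt.proto)
                and addr_matches(r.src, pkt.src)
                and addr_matches(r.dst, pkt.dst)
                and (not r.dports or pkt.dport in r.dports)):
            return r
    return None


def verdict(rules: list, pkt: Packet) -> tuple:
    """Return (action, label); traffic no rule matches hits pfSense's implicit default deny."""
    r = first_match(rules, pkt)
    return (r.action, r.label) if r else ("block", "implicit default deny")


# The LAN ruleset as the post describes it, with "WAN net" as the deny destination.
POSTED = [
    Rule("block", "any", "LAN net", "WAN net", (), "block LAN net -> WAN net"),
    Rule("pass", "udp", "LAN net", "DNS servers", (53,), "dns"),
    Rule("pass", "tcp/udp", "LAN net", "NTP servers", (123,), "ntp"),
    Rule("pass", "tcp", "LAN net", "any", (80, 443), "web"),
    Rule("pass", "udp", "LAN net", "Carrier", (500, 4500), "wifi-calling"),
    Rule("block", "any", "LAN net", "any", (), "default LAN-to-any rule, set to block"),
]

# Same allow rules, but the catch-all block names "any" and comes last.
DENY_ALL_LAST = POSTED[1:5] + [Rule("block", "any", "LAN net", "any", (), "deny all outbound")]

# Same catch-all placed first: first match wins, so it shadows every allow rule.
DENY_ALL_FIRST = [DENY_ALL_LAST[-1]] + POSTED[1:5]

# Constructed test packets from a LAN host.
WAN_HOST = Packet("tcp", "192.168.1.10", "203.0.113.5", 8080)      # host on the WAN subnet
INET_HOST = Packet("tcp", "192.168.1.10", "198.51.100.200", 8080)  # host on the Internet
HTTPS = Packet("tcp", "192.168.1.10", "198.51.100.200", 443)       # allowed by the web rule

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("deny-all last", DENY_ALL_LAST),
                        ("deny-all first", DENY_ALL_FIRST)):
        for pkt in (WAN_HOST, INET_HOST, HTTPS):
            print(f"{name:14} {pkt.dst}:{pkt.dport} -> {verdict(rules, pkt)}")
```

Running it shows that the only packet the "block LAN net -> WAN net" rule ever touches is the one addressed to 203.0.113.5; the Internet-bound packet on port 8080 passes straight through that rule and is only stopped by the modified default rule at the bottom (drop that rule and it is the implicit default deny that catches it). With the catch-all moved to the top, even HTTPS is blocked, which is why a deny-all rule belongs last.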
          Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.