Netgate Discussion Forum
    understanding the firewall default rules

      bitfrost
      last edited by bitfrost

      Hi,

      I'm trying to understand in some detail what the firewall is doing. I have currently four interfaces: WAN, LAN and three opt interfaces.

      The documentation I have found so far says that by default, all traffic ingressing the LAN interface will be allowed to go over the WAN interface (for the default configuration with only two interfaces, WAN and LAN).

      Is it true that in my configuration with some opt interfaces, the default is automatically altered in that all traffic ingressing the LAN interface is blocked unless allowed by a rule? It is what my testing seems to show. (If that's true, that's very confusing indeed and it would be much better if the default was to block all traffic ingressing the LAN interface rather than to secretly and suddenly change the default once another interface is added. Traffic being blocked by default is what I expect anyway. The default policy being secretly changed is like the last thing I would expect.)

      What about the other interfaces? Apparently, once there is more than a single non-WAN interface, all traffic ingressing them is being blocked unless explicitly allowed. Is this true?

      If this is true, there doesn't seem to be much difference between pfSense and a zone-based firewall.

      What are the default rules concerning the so-called floating rules, and the interface-group rules?

      Are there other rules or policies that may be secretly altered for some reason?

      Is it possible to create aliases from combinations of, for example, IP addresses or host aliases that include port specifications? It would seem useful if I could make an alias, for example, for a server that offers multiple services involving a number of ports.

        viragomann @bitfrost

        @bitfrost
        Nothing is secretly added or changed on pfSense.
        RTFM. You can find everything there you have to know.

        By default pfSense provides a firewall rule on the LAN, which allows access from LAN subnet to anywhere. This rule is meant for quickly getting it up.
        It's on you to remove or modify it and restrict source or destination IPs or ports or state a specific protocol.

        On all other interfaces there is no default pass rule. So to get any access you have to add rules by yourself.

        You can add aliases for IPs or ports or networks and use both in firewall rules after.

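The behaviour described in the reply (a per-interface rule list evaluated top to bottom, an implicit deny when nothing matches, a stock "LAN net to any" pass rule on LAN, no rules at all on a new OPT interface, and aliases for hosts, networks and ports) can be modelled in a few lines. The following is an added illustration written for this thread, not pfSense code: the rule dictionaries, the `HOST_ALIASES`/`PORT_ALIASES` tables, the `evaluate` function and every address, interface name and port in it are constructed. Names such as "LAN net" imitate pfSense's interface-network macros but are plain dictionary keys here.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

# Constructed alias tables (stand-ins for pfSense host/network and port aliases).
# Host aliases hold single addresses or CIDR networks; port aliases hold single
# ports or (low, high) ranges. All values are made up for the example.
HOST_ALIASES: Dict[str, List[str]] = {
    "LAN net": ["192.168.1.0/24"],
    "OPT1 net": ["10.10.0.0/24"],
    "WebServers": ["192.168.1.10", "192.168.1.11"],
}
PORT_ALIASES: Dict[str, List[Union[int, Tuple[int, int]]]] = {
    "WebPorts": [80, 443, (8000, 8010)],
}


def host_matches(spec: str, addr: str) -> bool:
    """True if spec is 'any', or addr falls in any address/network the spec names."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in HOST_ALIASES.get(spec, [spec]))


def port_matches(spec: Union[str, int], port: int) -> bool:
    """True if spec is 'any', or port is one of / inside one of the spec's entries."""
    if spec == "any":
        return True
    for entry in PORT_ALIASES.get(spec, [spec]):
        lo, hi = entry if isinstance(entry, tuple) else (int(entry), int(entry))
        if lo <= port <= hi:
            return True
    return False


def evaluate(rules: Dict[str, List[dict]], iface: str, proto: str,
             src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the ingress interface's rules top to bottom; the first match wins.

    If nothing matches (including an interface that has no rules at all, like a
    freshly added OPT interface) the packet falls through to the implicit deny.
    """
    for rule in rules.get(iface, []):
        if (rule["proto"] in ("any", proto)
                and host_matches(rule["src"], src)
                and host_matches(rule["dst"], dst)
                and port_matches(rule["dport"], dport)):
            return rule["action"], rule["descr"]
    return "block", "implicit default deny (no rule on %s matched)" % iface


def rule(action: str, src: str, dst: str, dport="any", proto="any", descr="") -> dict:
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "descr": descr}


# Stock state as the reply describes it: LAN has one "LAN net -> any" pass
# rule, the OPT interface has none, so everything entering OPT1 is denied.
STOCK_RULES: Dict[str, List[dict]] = {
    "LAN": [rule("pass", "LAN net", "any", descr="Default allow LAN to any rule")],
    "OPT1": [],
}

# The same box after the LAN rule has been tightened with aliases (specific
# destination hosts, specific ports, specific protocol) and OPT1 has been
# given an explicit rule of its own.
RESTRICTED_RULES: Dict[str, List[dict]] = {
    "LAN": [rule("pass", "LAN net", "WebServers", "WebPorts", "tcp", "LAN to web servers")],
    "OPT1": [rule("pass", "OPT1 net", "WebServers", "WebPorts", "tcp", "OPT1 to web servers")],
}

if __name__ == "__main__":
    # Constructed sample flows: (ingress interface, protocol, src, dst, dport).
    flows = [
        ("LAN", "udp", "192.168.1.50", "8.8.8.8", 53),
        ("OPT1", "udp", "10.10.0.5", "8.8.8.8", 53),
        ("LAN", "tcp", "192.168.1.50", "192.168.1.10", 443),
        ("OPT1", "tcp", "10.10.0.5", "192.168.1.11", 8005),
    ]
    for name, ruleset in (("stock", STOCK_RULES), ("restricted", RESTRICTED_RULES)):
        for iface, proto, src, dst, dport in flows:
            verdict, why = evaluate(ruleset, iface, proto, src, dst, dport)
            print(f"{name:10} {iface:5} {src}->{dst}:{dport}/{proto}: {verdict} ({why})")
```

Running it shows the two points the reply makes: with the stock ruleset the LAN flow to the Internet passes while the identical flow entering OPT1 is blocked because no rule exists there, and once the LAN rule is rewritten around host and port aliases the LAN DNS flow is blocked too while the aliased web traffic still passes, including a port inside the 8000-8010 range. A source address outside "LAN net" entering LAN is also blocked, which is why keeping the source tied to the interface network rather than `any` matters.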
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.