Netgate Discussion Forum

Does default deny policy rely on user defined rules?

  • mikyniky
    last edited by Dec 23, 2022, 10:13 AM

    In the docs it states: "In a default two-interface LAN and WAN configuration, pfSense software utilizes default deny on the WAN and default allow on the LAN."

    It's not clear to me if the above behavior is a result of inbuilt rules we cannot see in the GUI or due to the default rules installed on the LAN & WAN interfaces and new interfaces need to be appropriately configured with default rules.

    For example, if I create a new interface for a local VLAN, is it default deny, or do I have to add a deny-all rule at the end? I'm partly confused because I see many configs posted with a 'catchall' rule at the end to block all traffic, which I assume is redundant. My testing tells me that new interfaces are default deny without any additional rules, but I would like to confirm this critical feature.

    • Bob.Dig LAYER 8 @mikyniky
      last edited by Dec 23, 2022, 10:21 AM

      @mikyniky No rules means nothing is allowed. On WAN there are no rules, so nothing is allowed. On the first LAN... see for yourself. 😉

      • mikyniky @Bob.Dig
        last edited by Dec 23, 2022, 11:22 AM

        @bob-dig Thank you, makes sense, that's what I assumed.
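
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not pfSense code: a simplified model of per-interface rule evaluation (top-down, first match wins, implicit block when nothing matches) that checks whether a trailing catch-all block rule changes any verdict. The `Rule` class, the function names, the rulesets and the addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR

def verdict(rules, src_ip, dst_ip):
    """Evaluate top-down; the first matching rule decides.
    If nothing matches, the packet is blocked (implicit default deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, rule in enumerate(rules):
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action, f"rule {index}"
    return "block", "implicit default deny"

def catchall_is_redundant(rules, packets):
    """True if appending 'block any to any' changes no packet's action."""
    with_catchall = list(rules) + [Rule("block", ANY, ANY)]
    return all(verdict(rules, *p)[0] == verdict(with_catchall, *p)[0] for p in packets)

# Constructed rulesets, one list per interface tab (addresses are made up).
RULESETS = {
    "WAN": [],                                     # no user rules
    "LAN": [Rule("pass", "192.168.1.0/24", ANY)],  # default allow LAN to any
    "VLAN20": [],                                  # newly created interface
}
# Constructed test packets: (source IP, destination IP).
PACKETS = [
    ("192.168.1.10", "8.8.8.8"),
    ("10.0.20.5", "8.8.8.8"),
    ("10.0.20.5", "192.168.1.10"),
    ("203.0.113.7", "192.168.1.10"),
]

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        for pkt in PACKETS:
            print(name, pkt, verdict(rules, *pkt))
        print(name, "catch-all redundant:", catchall_is_redundant(rules, PACKETS))
```

In this model the catch-all never changes whether a packet passes; it only changes which entry the block is attributed to (an explicit rule instead of the implicit deny).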
