<![CDATA[pfsense-rule-order: script to keep firewall rules in the right order automatically]]>pfSense always adds new rules to the bottom of the list. Every time you add one and forget to drag it to the right position, your security policy silently breaks. On top of that, any package that touches config.xml (pfBlockerNG being the obvious one) can shuffle your rule order without warning โ€” this has come up in multiple threads here with no built-in fix.

I got tired of manually fixing it every time so I wrote a small Python script that enforces rule order automatically.

How it works:

Add a numeric prefix to your rule descriptions in the GUI:

01 | Zoom UDP
02 | Zoom TCP
03 | Block IoT from accessing internal LAN
04 | Allow LAN to Whitelisted Internal Services

Run via cron every 5 minutes. Each run:

  1. Reads config.xml
  2. On first run โ€” assigns prefix numbers to all existing rules based on their current position
  3. Sorts rules by prefix number per interface
  4. If anything changed โ€” backs up config.xml, writes the updated version, reloads the filter
  5. If order is already correct โ€” does nothing

What it never touches:

  • pfBlockerNG auto rules (identified by pfB_ prefix in the description)
  • Floating rules (identified by <floating>yes</floating> in config.xml)
  • Tailscale rules (identified by interface = tailscale)

These exclusions cover my setup, but your setup may have other rules or packages that shouldn't be touched. If you run into something that needs to be excluded, open an issue on GitHub or reply here and I'll add it.

Works on WAN, LAN, and OPT interfaces independently.

Tested on pfSense CE 2.7.2. Requires Python 3.x (included in pfSense).

pfsense-rule-order

]]>https://forum.netgate.com/topic/200766/pfsense-rule-order-script-to-keep-firewall-rules-in-the-right-order-automaticallyRSS for NodeSat, 13 Jun 2026 00:33:30 GMTWed, 03 Jun 2026 05:21:56 GMT60<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Thu, 04 Jun 2026 07:10:58 GMT]]>@ngf

A newer pfSense will also give you access to the latest version pfBlockerng.
Your issue might auto solve itself.

]]>https://forum.netgate.com/post/1243651https://forum.netgate.com/post/1243651Thu, 04 Jun 2026 07:10:58 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 14:35:43 GMT]]>@tinfoilmatt same here, i had no idea that setting affected manual rules until now, good to know.

๐Ÿ™ thanks for the kind words on blocklist-manager, glad it's useful!

]]>https://forum.netgate.com/post/1243623https://forum.netgate.com/post/1243623Wed, 03 Jun 2026 14:35:43 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 14:27:21 GMT]]>At one point, I would've spent a lot of time parsing that blue infoblock in my own mind. I'm certain there are good use cases for the non-default options. But it either never occured to me, or I had forgotten that those last two do affect non-pfBlockerNG rule ordering. Thanks for the refresher.

By the way, I like what you're doing with your blocklist-manager tool.

]]>https://forum.netgate.com/post/1243622https://forum.netgate.com/post/1243622Wed, 03 Jun 2026 14:27:21 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 14:18:59 GMT]]>@tinfoilmatt said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

Additionally (and with the default setting there)โ€”if for whatever reason you need a pass rule above pfBlockerNG's auto-added block rules, then the way to do that would be by way of the "Permit" feed group action options (i.e., actions "Permit Inbound" for WAN interface/s, "Permit Outbound" for LAN interface/s, or "Permit Both"). This would be the cleanest and most automated way to "whitelist" any pfBlockerNG false positives.

Thanks, I'll check with the default setting.
If that solves the reordering problem, the script is still useful as a general safety net for rule ordering, but the main reason here was clearly misconfiguration on my part.

]]>https://forum.netgate.com/post/1243621https://forum.netgate.com/post/1243621Wed, 03 Jun 2026 14:18:59 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 14:15:44 GMT]]>Additionally (and with the default setting there)โ€”if for whatever reason you need a pass rule above pfBlockerNG's auto-added block rules, then the way to do that would be by way of the "Permit" feed group action options (i.e., actions "Permit Inbound" for WAN interface/s, "Permit Outbound" for LAN interface/s, or "Permit Both"). This would be the cleanest and most automated way to "whitelist" any pfBlockerNG false positives.

]]>https://forum.netgate.com/post/1243620https://forum.netgate.com/post/1243620Wed, 03 Jun 2026 14:15:44 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 14:06:33 GMT]]>@tinfoilmatt I was not aware that this setting also affects manual rule ordering.
i will change back to the default and disable the script temporarily to see if that alone solves the problem.
thank you very much.

]]>https://forum.netgate.com/post/1243619https://forum.netgate.com/post/1243619Wed, 03 Jun 2026 14:06:33 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:56:45 GMT]]>Interesting. So those last two settings in the drop-down can and do affect 'manual rule' ordering.

So then why not use the default setting which leaves "All other rules" unaffected by pfBlockerNG?

]]>https://forum.netgate.com/post/1243618https://forum.netgate.com/post/1243618Wed, 03 Jun 2026 13:56:45 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:54:33 GMT]]>@tinfoilmatt said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

Firewall 'Auto' Rule Order

aa4b408f-ea7b-4cc8-a7c8-c0cffee10854-image.png

]]>https://forum.netgate.com/post/1243617https://forum.netgate.com/post/1243617Wed, 03 Jun 2026 13:54:33 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:49:48 GMT]]>

my issue was specifically manual rules getting reordered relative to each other

This wouldn't be caused by pfBlockerNG's cron job. The order of non-pfBlockerNG auto-added rules (i.e., 'manual rules') could only be changed manually.

What do you have for that package settingโ€”"Firewall > pfBlockerNG > IP > IP Interface/Rules Configuration > Firewall 'Auto' Rule Order"?

]]>https://forum.netgate.com/post/1243615https://forum.netgate.com/post/1243615Wed, 03 Jun 2026 13:49:48 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:43:41 GMT]]>@tinfoilmatt said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

There are package settings which address auto-added rule ordering. Do those not cover your situation?

I looked at the pfBlockerNG rule order settings but they control where pfBlockerNG places its own auto rules relative to manual ones, not the order of manual rules themselves.
my issue was specifically manual rules getting reordered relative to each other, so those settings didn't help in my case.

]]>https://forum.netgate.com/post/1243614https://forum.netgate.com/post/1243614Wed, 03 Jun 2026 13:43:41 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:40:06 GMT]]>There are package settings which address auto-added rule ordering. Do those not cover your situation?

]]>https://forum.netgate.com/post/1243613https://forum.netgate.com/post/1243613Wed, 03 Jun 2026 13:40:06 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:37:46 GMT]]>The actual issue I ran into was pfBlockerNG's cron job moving my "Block IoT" rule below some Allow rules every hour.
it was already in the right place, pfBlockerNG just kept pushing it down.
That's what the script is for.

Regarding my version, yes, i know. i'm in the process of replacing the pfsense box.

]]>https://forum.netgate.com/post/1243612https://forum.netgate.com/post/1243612Wed, 03 Jun 2026 13:37:46 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:26:53 GMT]]>Whatever it's catching, I agree, is worth filtering.

]]>https://forum.netgate.com/post/1243610https://forum.netgate.com/post/1243610Wed, 03 Jun 2026 13:26:53 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:14:48 GMT]]>@tinfoilmatt said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

Ditto for any LAN interfaces ..

Initially, I listed that one as well. But I spotted something strange, so I withdrew it.
So here it is :

c67f922f-1fd3-4ce6-871d-0481dac0dbae-image.png

After years of rule building ( I was in the past also a fan of "every packet needs its own rule", but then I found the cure and live was good again) I found rule number 3 and 4.
I added a final block all rule, but this one could never match, as the perfect rules 3 and 4 exist.
Still : rule 5 matches ones in a while 'something'. After a 'everything' there shouldn't be a 'something'.
Right ?

]]>https://forum.netgate.com/post/1243609https://forum.netgate.com/post/1243609Wed, 03 Jun 2026 13:14:48 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 13:07:45 GMT]]>Ditto for any LAN interfaces on which outbound filtering is performed. Plus it adds an easy logging 'toggle' for troubleshooting.

]]>https://forum.netgate.com/post/1243608https://forum.netgate.com/post/1243608Wed, 03 Jun 2026 13:07:45 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 12:59:46 GMT]]>@Gertjan that is actually a good policy.. And a very valid reason to have extra block rule there at the end vs just the hidden last rule. Nice..

]]>https://forum.netgate.com/post/1243607https://forum.netgate.com/post/1243607Wed, 03 Jun 2026 12:59:46 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 12:50:49 GMT]]>@ngf said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

pfSense always adds new rules to the bottom of the list. Every time you add one and forget to drag it to the right position, your security policy silently breaks.

Good policy, if applied, can't be broken (it wouldn't be good to start with).
Let me explain with my 'policy' WAN rules :

4ee22dfd-02dc-4932-82f8-672f7f61f6b3-image.png

You see the last two rules ? These are the final 'block all' rules, separated for IPv6 and IPv4.
And yes, these two rules are the same as the 'hidden' default behavior : block all.

So, if you wanted to add a new WAN pass rule, it would be inserted at the bottom, being completely inoffensive. As soon as you see it, you have to drag it to to correct place, and save. Forgetting to do so won't get you fired. Policies won't get broken ๐Ÿ˜Š

@ngf said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

Tested on pfSense CE 2.7.2.

Now you are breaking one of the most important security rules. 2.7.2 was good, and now 'ancient'.

]]>https://forum.netgate.com/post/1243606https://forum.netgate.com/post/1243606Wed, 03 Jun 2026 12:50:49 GMT<![CDATA[Reply to pfsense-rule-order: script to keep firewall rules in the right order automatically on Wed, 03 Jun 2026 11:47:46 GMT]]>@ngf said in pfsense-rule-order: script to keep firewall rules in the right order automatically:

pfSense always adds new rules to the bottom of the list

not it doesn't

rule.jpg

]]>https://forum.netgate.com/post/1243604https://forum.netgate.com/post/1243604Wed, 03 Jun 2026 11:47:46 GMT