What's Open After Install?



  • Ola Folks,

    I installed pfSense on an older desktop as a gateway router and firewall. The WAN side connects to a wireless router, the LAN side connects to a hub.

    My question is: What is allowed to pass immediately after installation and / or factory settings reset?

    I ask because after installation, the clients on the LAN side have no trouble communicating to servers on all ports. I have not added a single rule.

    To me, it looks like pfSense is allowing everything by default rather than allowing nothing by default.

    HTTP, HTTPS, IRC and several others are being passed / allowed with just the three default rules (two on the WAN side and one on the LAN side).

    -V-



  • Per default:
    From LAN: everything is allowed
    From WAN: everything is blocked



  • Hello GruensFroeschli & All,

    OK.

    Correct me if I am wrong, but a machine on the LAN side should not be able to connect to anything on the WAN side without a specific rule allowing it. Is this correct?

    If the above is not correct, is it correct to consider that pfSense, by default, only limits inbound connections?

    Personally, I prefer firewalls that require pass / allow rules for everything that needs to go past the firewall. To accommodate this idea, would I have to disable the LAN allow all rule, then add the rules that I think are needed?

    Thank You,

    -V-



  • @VirGin:

    Correct me if I am wrong, but a machine on the LAN side should not be able to connect to anything on the WAN side without a specific rule allowing it. Is this correct?

    This is not correct.
    Per default everything from the LAN side is allowed.

    If the above is not correct, is it correct to consider that pfSense, by default, only limits inbound connections?
    Personally, I prefer firewalls that require pass / allow rules for everything that needs to go past the firewall. To accommodate this idea, would I have to disable the LAN allow all rule, then add the rules that I think are needed?

    Yes this is correct.
    However only for the LAN interface.
    Per default everything from the LAN is allowed because this is what you usually need.
    If you add other interfaces (OPT), per default there are no rules on them
    -> everything is blocked.

    Yes if you remove the default rule on the LAN interface everything will be blocked.

    If you also want to block access to the webGUI you can disable the "anti-lockout rule" under advanced.
    Make sure you have a rule in place allowing you back in, or you have just locked yourself out of the GUI ;)
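The policy described in this reply (LAN default allow, every other interface default deny, anti-lockout for the webGUI), written out as a plain pf ruleset so the two models can be compared side by side. This is an added illustration, not the ruleset pfSense generates on the box; interface names (em0/em1), the 192.168.1.0/24 LAN, the 192.168.1.10 admin host and the port lists are assumptions chosen for the example. The "pass ... to any" line is the equivalent of the default "allow LAN to any" rule; the lines above it are what you would keep if you disable that rule and move to an allow-list:

```pf
# Added example: a default-deny LAN policy in pf syntax, with an explicit
# admin-access rule standing in for pfSense's anti-lockout rule.
# Assumptions (not from the thread): em0 = WAN, em1 = LAN, LAN is
# 192.168.1.0/24, the admin workstation is 192.168.1.10.
wan = "em0"
lan = "em1"
lan_net = "192.168.1.0/24"
admin_host = "192.168.1.10"

# Default deny on every interface: a packet that matches no pass rule below
# is dropped. This is what an OPT interface with no rules behaves like.
block in log all

# Anti-lockout equivalent: keep the webGUI (and SSH, if enabled) reachable
# from the admin host. Put this in place BEFORE removing the allow-all rule.
pass in quick on $lan proto tcp from $admin_host to ($lan) port { 22, 80, 443 } keep state

# Services the firewall itself provides to the LAN (resolver, NTP).
pass in quick on $lan proto { tcp, udp } from $lan_net to ($lan) port 53 keep state
pass in quick on $lan proto udp from $lan_net to ($lan) port 123 keep state

# Allow-list of outbound traffic the LAN may initiate through the firewall.
pass in quick on $lan proto tcp from $lan_net to any port { 80, 443 } keep state

# The shipped behaviour, for comparison: the single "allow LAN to any" rule.
# Leaving this active makes every allow-list rule above redundant.
# pass in quick on $lan from $lan_net to any keep state

# Nothing passes inbound on $wan, so unsolicited connections from the WAN
# side are dropped by the block rule; replies to LAN-initiated connections
# are allowed back in by the state entries, not by a WAN rule.
```

Two checks worth doing after changing the policy: `pfctl -nf /path/to/ruleset` parses a ruleset without loading it, and `pfctl -sr` on the running box prints the rules actually loaded, which is the quickest way to confirm that the "allow LAN to any" rule is really gone and the admin-access rule is really present before you close your GUI session. Note that the two WAN entries a fresh install shows are the "Block private networks" and "Block bogon networks" rules; they are block rules, so they do not contradict the "everything from WAN is blocked" default described above.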



  • Ola GruensFroeschli,

    OK. Cool. Thank You.

    -V-

