Netgate Discussion Forum

    What's Open After Install?

    5 Posts 2 Posters 2.1k Views
    • V
      VirGin
      last edited by

      Ola Folks,

      I installed pfSense on an older desktop as a gateway router and firewall. The WAN side connects to a wireless router, the LAN side connects to a hub.

      My question is: What is allowed to pass immediately after installation and / or factory settings reset?

      I ask because after installation, the clients on the LAN side have no trouble communicating to servers on all ports. I have not added a single rule.

      To me, it looks like pfSense is allowing everything by default rather than allowing nothing by default.

      HTTP, HTTPS, IRC and several others are being passed / allowed with just the three default rules (two on the WAN side and one on the LAN side).

      -V-

      • GruensFroeschliG
        GruensFroeschli
        last edited by

        Per default:
        From LAN: everything is allowed
        From WAN: everything is blocked

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • V
          VirGin
          last edited by

          Hello GruensFroeschli & All,

          OK.

          Correct me if I am wrong, but a machine on the LAN side should not be able to connect to anything on the WAN side without a specific rule allowing it. Is this correct?

          If the above is not correct, is it correct to consider that pfSense, by default, only limits inbound connections?

          Personally, I prefer firewalls that require pass / allow rules for everything that needs to go past the firewall. To accommodate this idea, would I have to disable the LAN allow all rule, then add the rules that I think are needed?

          Thank You,

          -V-

          • GruensFroeschliG
            GruensFroeschli
            last edited by

            @VirGin:

            Correct me if I am wrong, but a machine on the LAN side should not be able to connect to anything on the WAN side without a specific rule allowing it. Is this correct?

            This is not correct.
            Per default everything from the LAN side is allowed.

            If the above is not correct, is it correct to consider that pfSense, by default, only limits inbound connections?
            Personally, I prefer firewalls that require pass / allow rules for everything that needs to go past the firewall. To accommodate this idea, would I have to disable the LAN allow all rule, then add the rules that I think are needed?

            Yes this is correct.
            However only for the LAN interface.
            Per default everything from the LAN is allowed because this is what you usually need.
            If you add other interfaces (OPT), per default no rules are on them --> everything is blocked.

            Yes if you remove the default rule on the LAN interface everything will be blocked.

            If you also want to block access to the webGUI you can disable the "anti-lockout rule" under advanced.
            Make sure you have a rule in place allowing you back in, or you will just lock yourself out of the GUI ;)

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

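An added example, not code from pfSense or from either poster, that turns the answer above into a check you can run against a config.xml-shaped ruleset: for each interface it reports whether there is an allow-any pass rule (the stock LAN rule), which ports are explicitly passed, which interfaces have no active pass rules at all (pfSense's implicit default deny, which is why a fresh OPT interface passes nothing), and whether the anti-lockout rule is still in force. The two embedded configs are constructed for the example; the element layout (`filter/rule`, `source/network`, `destination/any`, `system/webgui/noantilockout`) follows pfSense's config.xml as I understand it and is an assumption, not something the thread states.

```python
"""Audit which traffic a pfSense-style ruleset passes, per interface (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample resembling a fresh install: LAN has the two stock
# allow-any rules (IPv4 + IPv6), WAN and OPT1 have no pass rules at all.
DEFAULT_INSTALL = """<pfsense>
  <system><webgui><port>443</port></webgui></system>
  <interfaces>
    <wan><enable/><if>em0</if></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><enable/><if>em2</if><ipaddr>10.10.0.1</ipaddr></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN to any rule</descr></rule>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN IPv6 to any rule</descr></rule>
  </filter>
</pfsense>"""

# Constructed sample of the "allow only what is needed" layout the poster
# asked about: stock allow-any rule disabled, explicit DNS/HTTP/HTTPS passes.
HARDENED = """<pfsense>
  <system><webgui><port>443</port></webgui></system>
  <interfaces>
    <wan><enable/><if>em0</if></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.1.1</ipaddr></lan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><protocol>udp</protocol>
      <source><network>lan</network></source>
      <destination><any/><port>53</port></destination><descr>DNS</descr></rule>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any/><port>80</port></destination><descr>HTTP</descr></rule>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><network>lan</network></source>
      <destination><any/><port>443</port></destination><descr>HTTPS</descr></rule>
    <rule><disabled/><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN to any rule</descr></rule>
  </filter>
</pfsense>"""


@dataclass
class InterfaceReport:
    name: str
    rules: int = 0                 # active pass rules on this interface
    allow_any: bool = False        # pass rule with destination any and no port
    allowed: list = field(default_factory=list)  # explicit (protocol, port) passes


def audit(config_xml: str) -> dict:
    """Return per-interface findings plus whether the anti-lockout rule is active."""
    root = ET.fromstring(config_xml)
    reports = {iface.tag: InterfaceReport(iface.tag) for iface in root.find("interfaces")}
    for rule in root.findall("filter/rule"):
        # Disabled rules and block rules add nothing to what is permitted;
        # anything not matched by a pass rule is dropped by the implicit default deny.
        if rule.find("disabled") is not None or rule.findtext("type") != "pass":
            continue
        name = rule.findtext("interface")
        rep = reports.setdefault(name, InterfaceReport(name))
        rep.rules += 1
        dst = rule.find("destination")
        port = dst.findtext("port") if dst is not None else None
        if port is None and dst is not None and dst.find("any") is not None:
            rep.allow_any = True   # whole-destination pass, regardless of protocol
        else:
            rep.allowed.append((rule.findtext("protocol", "any"), port))
    # Assumption: pfSense records a disabled anti-lockout rule as this element.
    anti_lockout = root.find("system/webgui/noantilockout") is None
    return {"interfaces": reports, "anti_lockout_active": anti_lockout}


def summarize(config_xml: str) -> list:
    """Human-readable one line per interface, as a list of strings."""
    result = audit(config_xml)
    lines = []
    for rep in result["interfaces"].values():
        if rep.rules == 0:
            lines.append(f"{rep.name}: no pass rules, everything blocked (implicit deny)")
        elif rep.allow_any:
            lines.append(f"{rep.name}: ALLOW-ANY present, all outbound ports open")
        else:
            ports = ", ".join(f"{p}/{port}" for p, port in rep.allowed)
            lines.append(f"{rep.name}: only {ports} passed")
    lines.append("anti-lockout rule active: " + ("yes" if result["anti_lockout_active"] else "no"))
    return lines


if __name__ == "__main__":
    for label, cfg in (("default install", DEFAULT_INSTALL), ("hardened", HARDENED)):
        print(f"== {label} ==")
        print("\n".join(summarize(cfg)))
```

On a real box the input would be /conf/config.xml rather than the embedded samples. Note that the check only reads the `<filter>` section; it does not see the anti-lockout rule itself (pfSense generates that rule rather than storing it as a `<rule>`), which is why it is reported separately from the per-interface counts.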
            • V
              VirGin
              last edited by

              Ola GruensFroeschli,

              OK. Cool. Thank You.

              -V-

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.