Netgate Discussion Forum

Default deny rule question

Category: Firewalling
6 Posts, 3 Posters, 24.1k Views
jason0 (Aug 8, 2010, 5:12 PM):

Hello,

I understand pfSense is set to "default deny" all inbound WAN traffic out of the box. Does this rule explicitly appear in the WAN's firewall rules, or is it just implied as an unwritten final rule?

Perhaps another way to put it is: can I turn off the default deny (by accident, hook, or crook)?

Thanks for your information…

--jason

dszp (Aug 8, 2010, 6:00 PM):

You can simply add an allow all rule to the WAN if you want to allow all, and it will take precedence over the default deny. Of course you will also need to configure NAT forwarding if you want internal hosts to be accessible unless the hosts on the LAN have public IPs.

David Szpunar

jason0 (Aug 8, 2010, 7:04 PM):

So it IS implied.

Thanks!

dszp (Aug 8, 2010, 7:10 PM):

Yes, deny all (minus some special rules for webconfig access from the LAN, etc.) is implied for all interfaces. That's why there's an explicit default allow all from LAN rule on the LAN :-)

David Szpunar

jason0 (Aug 8, 2010, 7:25 PM):

Perfect! Thanks!

cmb (Aug 9, 2010, 2:03 AM):

The default deny rule is hard coded and cannot be removed, anything that doesn't match a user-defined rule hits it. Short of modifying the source code to take it out, you cannot disable it. You can override it with user-defined rules, essentially eliminating its purpose if you allow everything on every interface.

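Added example (not pfSense code, and not from any poster in this thread): a small Python model of the pf matching semantics that make cmb's and dszp's answers fit together. pfSense writes its generated ruleset to /tmp/rules.debug and loads it with pfctl; `pfctl -sr` on a live box lists the loaded rules, the hard-coded block rules included. Those block rules sit near the top of the ruleset without `quick`, and every rule created in the GUI is emitted with `quick`. pf is last-match-wins unless a matching rule has `quick`, which ends evaluation on the spot, so a matching user rule always overrides the block, while a packet that matches nothing falls through to it. The rule labels, interface names and the `wide_open_interfaces` audit are assumptions made for this illustration; the real ruleset also carries source, destination and state options that this model omits.

```python
"""Toy model of how pfSense's hard-coded default deny coexists with user rules.

pf evaluates rules top to bottom; without `quick` the LAST matching rule wins.
pfSense loads its default deny block rules near the top of the ruleset without
`quick` and emits every user-defined rule with `quick`, so a matching user rule
ends evaluation immediately and overrides the block.  Written for this thread
as an illustration, not pfSense code; labels and interface names are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    iface: Optional[str]      # None means any interface
    proto: Optional[str]      # None means any protocol
    dst_port: Optional[int]   # None means any destination port
    quick: bool               # pf `quick`: stop evaluating on match
    label: str


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A None field on the rule is a wildcard, as `any` is in pf."""
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """Return the rule that decides the packet's fate under pf semantics:
    last match wins, except that a matching `quick` rule ends evaluation."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        # Cannot happen with the default deny loaded; it matches everything.
        raise RuntimeError("no rule matched: default deny missing from ruleset")
    return winner


# What pfSense always loads, whether or not the GUI shows it (labels assumed).
DEFAULT_DENY = [
    Rule("block", "in", None, None, None, quick=False, label="Default deny rule IPv4"),
    Rule("block", "out", None, None, None, quick=False, label="Default deny rule IPv4"),
]

# The stock LAN rule: the explicit "allow LAN to any" rule dszp mentions.
LAN_ALLOW = Rule("pass", "in", "lan", None, None, quick=True,
                 label="Default allow LAN to any rule")


def build_ruleset(user_rules: List[Rule]) -> List[Rule]:
    """Default deny first, then the stock LAN rule, then whatever the admin added."""
    return DEFAULT_DENY + [LAN_ALLOW] + user_rules


def wide_open_interfaces(rules: List[Rule]) -> List[str]:
    """Audit helper (assumed, not a pfSense feature): name the non-LAN interfaces
    where a `pass in quick` rule matches every protocol and port, i.e. where the
    default deny has been nullified 'by hook or crook'."""
    return sorted({r.iface or "any" for r in rules
                   if r.action == "pass" and r.direction == "in" and r.quick
                   and r.proto is None and r.dst_port is None
                   and r.iface != "lan"})


if __name__ == "__main__":
    https = Rule("pass", "in", "wan", "tcp", 443, quick=True, label="Allow HTTPS to web server")
    pkt = Packet("in", "wan", "tcp", 443)
    print(evaluate(build_ruleset([]), pkt).label)        # default deny wins
    print(evaluate(build_ruleset([https]), pkt).label)   # user rule overrides it
```

Nothing in the model lets you delete the block rules, which is cmb's point: the only way to "turn off" the default deny is to add a pass rule broad enough that nothing ever reaches it, and `wide_open_interfaces` is the sort of check that catches that.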