Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Is a default block rule for Lan necessary? (newbie question)

    NAT
    4
    8
    3.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      doc_holiday
      last edited by

      I have set up PFsense and it seems to be running very well… plus I have learned a tonne about FreeBSD and networking (NAT in particular) in the process.

      I have the LAN running NAT with 192.168.x.x I assume by the very nature of the way NAT works that if I do not have any forwarding rules into my LAN, then no default inbound block rule is required.  Presently I only have a rule to allow traffic out of the LAN.

      Thanks for your help.  I just want to make sure everything is secure!

      TIA

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by

        There is an "invisible" rule at every interface that blocks any traffic at the bottom of your rules. This means anything not explicitly allowed will be dropped. To add a drop all rule at the bottom of your firewallrules is therefore not needed as it is generated by the system by default.

        1 Reply Last reply Reply Quote 0
        • D
          doc_holiday
          last edited by

          @hoba:

          There is an "invisible" rule at every interface that blocks any traffic at the bottom of your rules. This means anything not explicitly allowed will be dropped. To add a drop all rule at the bottom of your firewallrules is therefore not needed as it is generated by the system by default.

          I suspected so as that was what my tests revealed, but wanted to make 100% sure.  Thanks!

          1 Reply Last reply Reply Quote 0
          • H
            hoba
            last edited by

            There's a note about this behaviour if no rules are present at all on an interface.

            1 Reply Last reply Reply Quote 0
            • D
              doc_holiday
              last edited by

              @hoba:

              There's a note about this behaviour if no rules are present at all on an interface.

              Can you tell me where?  I have read the entire m0n0wall docs and tried to read most of the stuff on the pfsense sites.  I just want to know in case I missed it in something I haven't read or if there is another resource that I don't know about.

              1 Reply Last reply Reply Quote 0
              • H
                hoba
                last edited by

                In the webgui: Firewall>rules at the very bottom:

                Hint:
                Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.

                1 Reply Last reply Reply Quote 0
                • R
                  Rockyboa
                  last edited by

                  Again, like I mentionned in the Firewall thread, the outgoing FTP is not block even with this invisible block all rule.

                  Martin

                  1 Reply Last reply Reply Quote 0
                  • S
                    sullrich
                    last edited by

                    @Rockyboa:

                    Again, like I mentionned in the Firewall thread, the outgoing FTP is not block even with this invisible block all rule.

                    Martin

                    Block incoming on LAN to 127.0.0.1.  That will kill it.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.