Egress filtering on 2.0 RC3



  • Hello All,

    I have done some digging but have not found any examples of blocking all outbound traffic to the WAN except for what is explicitly allowed. I was able to create a rule to block port 25 outbound from all LAN subnet hosts except the mail server... But... the other, not so much yet. I know the default allow-all rule has to be disabled, but I can't seem to get the other rules right. Can an alias be created containing all the allowed ports and protocol types instead of creating a boatload of rules? I would think so, but again, I'm new at pfSense and am having a bit of trouble with this task.

    Thanks for your help in advance!



  • I haven't spent much time with 2.0.x... however.

    Generally, if you disable the default LAN –> any rule, pf will not pass any traffic until you specifically define what can pass.  All you have to do in the webgui is click the green arrow box on the left of the default allow rule, then click "Apply" at the top.  (I think in 2.0.x you may not have to click apply, but there is some kind of "Acknowledgement" on the top right?  I forget, but anyways, this is how it has always been.)

    Now just make a rule that goes like this:

    Proto TCP | Source LAN subnet | source port any | destination any | destination port 80 | gateway default |

    This is just a simple example of passing web traffic from the LAN subnet to any destination.

    Here's a pic of a firewall on the LAN interface, using aliases to cover a group of ports.

    @aclouden:

    Hello All,

    I have done some digging but have not found any examples of blocking all outbound traffic to the WAN except for what is explicitly allowed. I was able to create a rule to block port 25 outbound from all LAN subnet hosts except the mail server... But... the other, not so much yet. I know the default allow-all rule has to be disabled, but I can't seem to get the other rules right. Can an alias be created containing all the allowed ports and protocol types instead of creating a boatload of rules? I would think so, but again, I'm new at pfSense and am having a bit of trouble with this task.

    Thanks for your help in advance!



  • Is this working for you?
    I just tried, and from the LAN network I could still access services on other ports. The only traffic I allowed is HTTP and HTTPS, but other ports seem to work and nothing is blocked.

    I don't think adding another rule to block all other traffic is necessary, since pfSense should block everything that is not explicitly stated in the firewall?



  • If you can live with the fact that you allow both TCP and UDP traffic on the same network port.
    As an example: something needs to be sent to 16500/udp and there is no need for 16500/tcp, but your rule says tcp/udp, so both are going out.



  • Setsuna:

    Check your rules and disable your default –> ANY rule on the LAN interface; this rule allows all traffic to traverse the LAN interface that is going outbound or in the local subnet.  Make sure you make a rule that will allow you to still talk to the LAN interface itself for admin of the pfSense box before you go disabling.

    The rules are parsed top-down I believe.  And...By default, everything should be blocked.  So anything that you open will be allowed specifically after you disable the default pass any rule.

    @Setsuna666:

    Is this working for you?
    I just tried, and from the LAN network I could still access services on other ports. The only traffic I allowed is HTTP and HTTPS, but other ports seem to work and nothing is blocked.

    I don't think adding another rule to block all other traffic is necessary, since pfSense should block everything that is not explicitly stated in the firewall?
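    As an added illustration (not from any poster in this thread), here is the rule set the replies describe, written as the pf.conf that pfSense generates from the webgui: default deny, top-down first-match evaluation via quick, an admin-access rule kept above everything else, the mail-server-only SMTP exception, and aliases for the allowed ports. Interface names, addresses and the port lists are assumed placeholders; TCP and UDP lists are kept separate to avoid the tcp/udp point raised above.

    ```pf
    # Assumed interface names and addresses (placeholders, not from the thread)
    lan_if      = "em1"
    wan_if      = "em0"
    lan_net     = "192.168.1.0/24"
    mail_server = "192.168.1.25"

    # Port "aliases": one list per protocol so a port opened for TCP
    # is not silently opened for UDP as well (and vice versa)
    allowed_tcp_ports = "{ 80, 443 }"
    allowed_udp_ports = "{ 53, 123 }"

    set skip on lo0

    # Default deny: with the LAN -> any rule gone, anything not matched
    # by an explicit pass below is dropped and logged
    block log all

    # Keep admin access to the firewall itself (webgui/SSH) before
    # removing the default allow rule, otherwise you lock yourself out
    pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) \
        port { 22, 443 } keep state

    # Only the mail server may send SMTP out; every other LAN host is
    # refused on port 25. Rules are first-match (quick), so order matters
    pass in quick on $lan_if proto tcp from $mail_server to any port 25 keep state
    block return log quick on $lan_if proto tcp from $lan_net to any port 25

    # Explicit egress allows from the LAN subnet, one rule per protocol
    pass in quick on $lan_if proto tcp from $lan_net to any \
        port $allowed_tcp_ports keep state
    pass in quick on $lan_if proto udp from $lan_net to any \
        port $allowed_udp_ports keep state

    # Traffic originated by the firewall itself (resolver, NTP, updates);
    # LAN traffic that passed above is already covered by its state entry
    pass out quick on $wan_if keep state
    ```

    Load it with `pfctl -nf /path/to/pf.conf` first to syntax-check before `pfctl -f`; on a pfSense box the equivalent is to build these as webgui rules in the same order, since the generated ruleset is overwritten on apply.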

