Firewall rules - questions

  • Having got pfsense working (love it already!!) I have some questions. The scenario is shared household, so I don't need to lock down others' network use, but I need to make sure the router is fairly secure (including against users whose friends have tried to edit it already!) and there are some URLs we all want to block.

  • (Any chance of a reply? Thanks!)

  • To limit the GUI, you must create a rule with your alias before going to advanced setup and disabling the anti-lockout rule.

    For lists like ads, you can use Squid or pfBlocker. Squid will help you with HTTP and pfBlocker with firewall rules.

    For traffic shaping and other config setups, take a look at

  • Thanks, but this doesn't seem to answer the questions clearly yet, so I would like to ask more detail:

    I asked if there is a way to rate-limit GUI login attempts, but the answer doesn't explain what kind of "rule" one would create with an "alias" to do it.

    I asked if there is a way to simply block a handful of domains by regex or wildcard match without using external blocklists (that would block many other ads or not block the intended URLs = undesirable) and if possible without squid (due to concerns that squid would cache or log other users' activity = privacy-intrusive, or be too heavyweight or complicated for what I need), but the reply doesn't seem to answer it.

    Any chance of some more thought on the original questions in my previous post? Thank you :)

  • Firewall rules are based on IPs or names (using an alias). Wildcard domains will not work.

    If you know PHP, you can change the login GUI to have your rate limit.

    Read some docs at or buy the pfSense book to understand better how this firewall works.

    The simple way to block domains is filling up aliases with the domains' IP ranges and then creating a firewall rule to block the network in this alias.

  • What about the $10 solution?
    You have a pfSense box.
    Hook yourself up to the LAN interface.
    The Internet will be on the WAN interface.
    Now, slide some $5 network cards into your box.
    These cards will be known as OPT1, OPT2 etc.
    These interfaces will share the access in your "shared household".

    On the firewall page, for every OPTx firewall, lock down the access to "port 80" (the GUI).
    Lock down also the SSH port on these OPTx interface(s).

    By default, the OPTx interfaces won't be able to communicate with each other, nor with the LAN.

    Only the LAN interface will have access to the GUI; a special rule could be there on simple request so you won't lock yourself out.

  • @Gertjan:

    What about the $10 solution? … On the firewall page, for every OPTx firewall, lock down the access to "port 80" (the GUI).

    Or just two cards, one to my PC the other via a switch to arbitrary other PCs, with a firewall rule that connections from the second card can't access the router's web ports. A neat solution. Doesn't change the utility of a genuine lockout on the GUI but does solve the specific social problem (subject to locking the router away and keeping the key safe :)
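The alias-based domain block from the earlier reply and the LAN/OPTx split described by Gertjan and in the last post, written out as a raw pf ruleset so the rule ordering is visible. This is an added, constructed example and not pfSense output (pfSense generates its own rules from the GUI); the interface names em0..em3, the table contents and the rate-limit numbers are assumptions.

```pf
# Constructed example, not pfSense-generated output. Assumed interfaces:
# em0 = WAN, em1 = LAN (your own PC), em2/em3 = OPT1/OPT2 (the shared switch).
wan_if     = "em0"
lan_if     = "em1"
opt_ifs    = "{ em2 em3 }"
int_ifs    = "{ em1 em2 em3 }"
int_nets   = "{ em1:network em2:network em3:network }"
mgmt_ports = "{ 22 80 443 }"      # SSH plus the web GUI over HTTP/HTTPS

# pf equivalent of a pfSense alias holding the IP ranges the unwanted domains
# resolve to (addresses constructed, RFC 5737 documentation ranges).
table <blocked_sites> { 203.0.113.0/24, 198.51.100.10 }
# Hosts that open new GUI/SSH connections too fast are collected here.
table <gui_flood> persist

set skip on lo0
block in log all                  # default deny; the rules below open holes

# Anyone already in the flood table is cut off from the management ports.
block in quick proto tcp from <gui_flood> to self port $mgmt_ports

# Anti-lockout equivalent: the LAN keeps access to the firewall itself, but a
# host opening more than 30 new connections a minute is moved to <gui_flood>.
# Caveat: this limits the TCP connection rate, not failed logins; pf never
# sees the GUI login form, so a per-login limit still needs the GUI side.
pass in quick on $lan_if proto tcp from $lan_if:network to self \
    port $mgmt_ports flags S/SA keep state \
    (max-src-conn-rate 30/60, overload <gui_flood> flush)

# Shared-household interfaces may never reach the GUI or SSH on the firewall.
block in quick on $opt_ifs proto tcp from any to self port $mgmt_ports

# OPTx still needs DHCP and DNS from the firewall (assumed to run both).
pass in quick on $opt_ifs proto udp from any to self port { 53 67 }

# OPTx may not talk to the LAN or to the other OPTx segments.
block in quick on $opt_ifs from any to $int_nets

# The blocked-domain alias, enforced for every internal interface.
block in quick on $int_ifs from any to <blocked_sites>

# Everything else from internal clients may leave towards the Internet.
pass in on $int_ifs from any to any keep state
pass out on $wan_if from any to any keep state
```

Rules marked `quick` end evaluation on match, so the management-port block for OPTx sits above the general `pass in`; without `quick`, the later pass would win and re-open the GUI from the shared segment.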
