Outbound rules?

  • I'm new to pfSense.  I did search the forum but didn't find anything pertinent to my question within the last 4 years (and in that time something may have changed).  So I'll ask….   :)

    I have a transparently bridged firewall (no IPs on the interfaces).

    In the OpenBSD world, I would write a rule like the following:
      pass out quick on $ext_if inet proto { tcp, udp } from any to any port 53 keep state

    That rule says to allow any computer on my network to access any external DNS server (port 53).  You can write a rule like that because it specifies the direction (out = outbound).

    How do I do this in pfSense?  Its recommended that all rules be put on one interface (WAN) and not to write any rules for the opposite (LAN) interface.

    If I make a pfSense rule on my WAN interface:

    TCP/UDP * * * 53 * none

    That essentially says to allow inbound (and outbound) access to port 53 on every single server, not just my servers that run DNS.  I don't want that.   I only want to open the inbound port to my dns server that needs it open because it has a dns server on it.  On the other hand, I need all of my internal machines to access DNS on any external server.

    This lack of direction on the rules seems to be a problem.  I assume I must be missing (not aware of) something?


  • I may have figured it out.

    TCP LAN net * * DNS_Port * none

    Presumably that says to allow my LAN network to access any external DNS?

  • Nope.  With this rule:

    TCP    LAN net    *    *    DNS_Port    *    none

    in place I cannot access DNS servers outside of the firewall.  That tells me that its the same issue I ran into on the WAN side of things.  When you're configured with a transparent bridge and no IPs on the interfaces – you can't use WAN or LAN in any of the rules.

    So in order to create outbound rules, I assume I'll have to go to firewall > Aliases and create an alias comprising the IPs of everything on my network and then use that alias in the rule in place of "LAN Net", correct?  Or is there another, cleaner option?

    1. DNS is TCP and UDP, DNS will not work just allowing TCP
    2. If you have no IPs set on your LAN, then "LAN network" is equal to nothing. you want any instead there.

  • CMB,

    Thanks.  I had TCP/UDP on the inbound but only had TCP on the outbound.  Its working now.

Log in to reply