Netgate Discussion Forum

Request configurability of default catch-all block rules

Firewalling

rcarr

The default catch-all rules at the end of rules.debug are:

block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."

Silently dropping unauthorized packets is a good idea when we want our net to remain invisible (as much as possible) to the outside world. But if we're hosting services to the internet (www, smtp, etc.), then we probably want to block unauth TCP packets with return-rst and block unauth UDP packets with icmp-as-dest(port-unr), to mislead outsiders into thinking there's no packet filter in place.

It would be great if a future version of pfsense let one customize these catch-all rules.
sai

You could just add your own rules at the bottom of the ruleset to do all these things. The catch-all is a safety net, and it's good to know that it's there even if you make a mistake.
rcarr

I thought about that, but user-defined rules aren't the last set of rules in rules.debug. If I add my own catch-all, I'll block the VPN rules section, as well as IMSpector, uPnPd and possibly other sections in the future.
sullrich

While I really appreciate your previous suggestions, I do not understand the need for this. Simply add a rule at the bottom of each screen's rule list to override it.

However, if you are willing to submit a patch I will consider it.
rcarr

Is there a resource you can point me to for the formal process of creating a pfsense patch? Is there a resource which documents how your XML configuration system works so I can investigate which files to make the changes in? Or should I just go spelunking around?
hoba

http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches
rcarr

> Simply add a rule at the bottom of each screen's rule list to override it.

Here's what happens in rules.debug when I add my own custom catch-all block to the bottom of Firewall->Rules->WAN:

# User-defined rules follow

...

pass in quick on $lan from 172.19.1.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
pass in quick on $enc0 from any to any keep state  label "USER_RULE: Permit IPSEC traffic."
===> block return-rst in quick on $wan proto tcp from any to any flags S/SA  label "USER_RULE: test return-rst block-all rule" <====

# VPN Rules

pass in quick on fxp1 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on fxp1 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
---> pass in quick on fxp0 inet proto tcp from port 20 to (fxp0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection" <---

# enable ftp-proxy

pass in quick on fxp2 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on fxp2 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

# IMSpector

anchor "imspector"

# uPnPd

anchor "miniupnpd"

My custom catch-all block rule for the $wan interface (denoted with '===>') appears before the VPN Rules, IMSpector and uPnPd sections. It now interferes with one of the VPN rules (denoted with '--->'). I don't know what goes in IMSpector or uPnPd, but it's likely any catch-all block rules I'd add to the User-Defined section would interfere with them, as well as any future work you do adding additional sections to rules.debug after the user-defined section.

By definition, catch-all block rules like your "Default block all just to be sure" rules must appear at the end of the pf ruleset. The WebGUI does not give you the ability to modify them, nor position these kinds of rules at the end.

I'll investigate creating a patch.
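The shadowing rcarr shows in the rules.debug excerpt above, and the return-rst / return-icmp catch-all behaviour asked for in the first post, can be checked with a small model of how pf walks a ruleset: the last matching rule wins, except that a matching rule carrying `quick` ends evaluation immediately, and pfSense's generated rules are all `quick`. The code below is an added example, not pfSense's or pf's code. It replays the thread's ordering (user rules, then the FTP-proxy rule, then the default block) against the same rules with the user's catch-all moved to the end. The macro values (`$wan` = fxp0, `$lan` = fxp1, `$loopback` = lo0), the interface addresses, the sample packets and the UDP `return-icmp(port-unr)` rule are assumptions; the IPsec and second FTP-proxy rules from the excerpt are omitted for brevity.

```python
"""Model of pf rule evaluation: last match wins unless a matching rule is `quick`.
Added example, not pf or pfSense code. It replays the rules.debug ordering quoted
in the thread to show a user-placed catch-all shadowing the FTP-proxy PASV rule,
and contrasts that with the same catch-all placed truly last. Macro values,
interface addresses, packets and the UDP return-icmp rule are assumptions."""
import ipaddress
import re
from collections import namedtuple

MACROS = {"$wan": "fxp0", "$lan": "fxp1", "$loopback": "lo0"}                     # assumed
IFACE_ADDR = {"fxp0": "198.51.100.10", "fxp1": "172.19.1.1", "lo0": "127.0.0.1"}  # assumed
Packet = namedtuple("Packet", "iface direction proto src sport dst dport")
# "from"/"to" operand: optional address, then optional "port [op] N" ("from port 20" has none)
ADDR = r"(?:\s+(?!port\b)(\S+))?(?:\s+port\s+(?:([<>=])\s+)?(\d+))?"

def _grab(pat, body):
    m = re.search(pat, body)
    return m.group(1) if m else None

def _endpoint(body, kw):
    """(address, port spec) for the from/to clause; absent parts mean any."""
    m = re.search(r"\b" + kw + ADDR, body)
    if not m:
        return "any", None
    port = m.group(3) and (m.group(2) or "") + m.group(3)   # e.g. "20" or ">49000"
    return m.group(1) or "any", port or None

def parse_rule(line):
    """Parse the pf subset seen in rules.debug; comments and anchors yield None."""
    line = line.strip()
    if not line or line[0] == "#" or line.startswith("anchor"):
        return None
    label = re.search(r'\blabel\s+"([^"]*)"', line)
    body = line[:label.start()] if label else line
    head = re.match(r"(pass|block)(?:\s+(return-\S+))?", body)   # reply: return-rst etc.
    iface = _grab(r"\bon\s+(\S+)", body)
    r = dict(action=head.group(1), reply=head.group(2), label=label.group(1) if label else "",
             direction=_grab(r"\b(in|out)\b", body), quick=bool(re.search(r"\bquick\b", body)),
             iface=MACROS.get(iface, iface), proto=_grab(r"\bproto\s+(\S+)", body))
    r["src"], r["sport"] = _endpoint(body, "from")
    r["dst"], r["dport"] = _endpoint(body, "to")
    return r

def _addr_ok(spec, ip):
    if spec == "any":
        return True
    spec = MACROS.get(spec, spec)
    spec = IFACE_ADDR.get(spec.strip("()"), spec)   # (fxp0) or lo0 -> that interface's address
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    if spec is None:
        return True
    ops = {"<": port.__lt__, ">": port.__gt__, "=": port.__eq__}
    return ops[spec[0]](int(spec[1:])) if spec[0] in ops else port == int(spec)

def matches(r, p):
    return (r["direction"] in (None, p.direction) and r["iface"] in (None, p.iface)
            and r["proto"] in (None, p.proto)
            and _addr_ok(r["src"], p.src) and _port_ok(r["sport"], p.sport)
            and _addr_ok(r["dst"], p.dst) and _port_ok(r["dport"], p.dport))

def evaluate(rules, p):
    """Return (action, reply, label) of the rule pf would apply to packet p."""
    winner = None
    for r in rules:
        if matches(r, p):
            winner = r
            if r["quick"]:                     # quick: stop at the first match
                break
    if winner is None:
        return ("pass", None, "pf default: no rule matched")
    return (winner["action"], winner["reply"], winner["label"])

def load(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]

# Constructed after the thread's rules.debug excerpt. The UDP rule is an assumed
# companion to the poster's return-rst rule, not something the poster showed.
USER_PASS = '''# User-defined rules follow
pass in quick on $lan from 172.19.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
'''
USER_CATCHALL = '''block return-rst in quick on $wan proto tcp from any to any flags S/SA label "USER_RULE: test return-rst block-all rule"
block return-icmp(port-unr) in quick on $wan proto udp from any to any label "USER_RULE: assumed return-icmp block-all rule"
'''
LATER_SECTIONS = '''# VPN Rules
pass in quick on fxp0 inet proto tcp from port 20 to (fxp0) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
anchor "imspector"
anchor "miniupnpd"
'''
DEFAULT_BLOCK = '''block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."
'''
AS_GENERATED = load(USER_PASS + USER_CATCHALL + LATER_SECTIONS + DEFAULT_BLOCK)   # WebGUI order
CATCHALL_LAST = load(USER_PASS + LATER_SECTIONS + USER_CATCHALL + DEFAULT_BLOCK)  # requested order

# Constructed packets: an FTP PASV data connection to the WAN address, and an unsolicited UDP probe.
PASV_DATA = Packet("fxp0", "in", "tcp", "203.0.113.5", 20, "198.51.100.10", 50000)
UDP_PROBE = Packet("fxp0", "in", "udp", "203.0.113.5", 4444, "198.51.100.10", 53)

if __name__ == "__main__":
    for name, rules in (("as generated", AS_GENERATED), ("catch-all last", CATCHALL_LAST)):
        print(name, "| PASV:", evaluate(rules, PASV_DATA), "| UDP:", evaluate(rules, UDP_PROBE))
```

In the generated order the PASV data connection never reaches the FTP-proxy rule: the user's `quick` return-rst rule on `$wan` answers it with a RST. With the same two rules placed after the later sections, the PASV connection passes, unsolicited UDP still gets the ICMP port-unreachable, and anything unmatched still falls through to the silent default block. On a real box, `pfctl -sr` prints the loaded ruleset in evaluation order, which is the quickest way to confirm where a catch-all actually landed.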
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.