1. Home
  2. pfSense® Software
  3. General pfSense Questions
  4. Firewall Rules

Firewall Rules

  • M

    Hi All,

    I need your expertise in creating rules on pfsense.

    Default Lan Rule comes "Lan to Any" and I am trying to find out how secure is this rule? Leaving the "Lan rule to Any" means opening all the ports to public ?

    If the answer is YES, that means as I understand, it acts as router more than a firewall and permits all connections to pass.
    If the answer is NO, how Pfsense acts to let right connections pass or threat connections reject.

    and since security is the matter Should I disable the default rule and create bunch of rules such as

    Allow TCP 80 (HTTP) from LAN subnet to anywhere

    Allow TCP 443 (HTTPS) from LAN subnet to anywhere

    .Allow TCP 21 (FTP) from LAN subnet to anywhere

    Allow TCP 25 (SMTP) from LAN subnet to anywhere

    Allow TCP 110 (POP3) from LAN subnet to anywhere

    Allow TCP 143 (IMAP) from LAN subnet to anywhere

    …..so on

    Thank you so much in advance for your time.

    0
  • chpalmer

    Default Lan Rule comes "Lan to Any" and I am trying to find out how secure is this rule? Leaving the "Lan rule to Any" means opening all the ports to public ?

    Leaving the "Lan rule to Any" means opening all the outbound ports to public.

    Inbound rules (or lack of) block the unsolicited public from getting through into your stuff.

    If you want something coming in you have to allow it.

    0
  • J

    My rules on LAN esp. the ports are exactly the same. No worries about that. Just be mindful what ports to open.

    jigp

    0
  • M

    As soon As I disable " Lan to any" and instead Put those rules below, There is no Internet, i can't even ping Pfsense Web Interface.

    Allow TCP 80 (HTTP) from LAN subnet to anywhere
    Allow TCP 443 (HTTPS) from LAN subnet to anywhere
    Allow TCP 21 (FTP) from LAN subnet to anywhere
    Allow TCP 25 (SMTP) from LAN subnet to anywhere
    Allow TCP 110 (POP3) from LAN subnet to anywhere
    Allow TCP 143 (IMAP) from LAN subnet to anywhere

    Any Idea ? I appreciate in advance

    0
  • chpalmer

    @Malesefx:

    As soon As I disable " Lan to any" and instead Put those rules below, There is no Internet, i can't even ping Pfsense Web Interface.

    Allow TCP 80 (HTTP) from LAN subnet to anywhere
    Allow TCP 443 (HTTPS) from LAN subnet to anywhere
    Allow TCP 21 (FTP) from LAN subnet to anywhere
    Allow TCP 25 (SMTP) from LAN subnet to anywhere
    Allow TCP 110 (POP3) from LAN subnet to anywhere
    Allow TCP 143 (IMAP) from LAN subnet to anywhere

    Any Idea ? I appreciate in advance

    The problem is that your client machines don't always instigate the connection for (say web browsing) from port 80.  You need to allow any for source and 80 for destination (instead of anywhere)

    0
  • stephenw10
    Netgate Administrator

    You don't have a rule to allow DNS on port 53 tcp and udp.

    Steve

    0
  • C

    and ping is ICMP echo request, allowing only TCP will block pings.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy