Netgate Discussion Forum

    Firewall Rules

    General pfSense Questions
    7 Posts 5 Posters 1.9k Views
      Malesefx

      Hi All,

      I need your expertise in creating rules on pfSense.

      The default LAN rule comes as "LAN to Any" and I am trying to find out how secure this rule is. Does leaving the "LAN rule to Any" mean opening all the ports to the public?

      If the answer is YES, that means, as I understand it, that it acts as a router more than a firewall and permits all connections to pass.
      If the answer is NO, how does pfSense act to let the right connections pass and reject threat connections?

      And since security is the matter, should I disable the default rule and create a bunch of rules such as:

      Allow TCP 80 (HTTP) from LAN subnet to anywhere

      Allow TCP 443 (HTTPS) from LAN subnet to anywhere

      Allow TCP 21 (FTP) from LAN subnet to anywhere

      Allow TCP 25 (SMTP) from LAN subnet to anywhere

      Allow TCP 110 (POP3) from LAN subnet to anywhere

      Allow TCP 143 (IMAP) from LAN subnet to anywhere

      ... and so on

      Thank you so much in advance for your time.

        chpalmer

        @Malesefx: The default LAN rule comes as "LAN to Any" and I am trying to find out how secure this rule is. Does leaving the "LAN rule to Any" mean opening all the ports to the public?

        Leaving the "LAN rule to Any" means opening all the outbound ports to the public.

        Inbound rules (or the lack of them) block the unsolicited public from getting through into your stuff.

        If you want something coming in you have to allow it.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          jigpe

          My rules on LAN, esp. the ports, are exactly the same. No worries about that. Just be mindful of what ports to open.

          jigp

            Malesefx

            As soon as I disable "LAN to any" and instead put those rules below, there is no Internet; I can't even ping the pfSense web interface.

            Allow TCP 80 (HTTP) from LAN subnet to anywhere
            Allow TCP 443 (HTTPS) from LAN subnet to anywhere
            Allow TCP 21 (FTP) from LAN subnet to anywhere
            Allow TCP 25 (SMTP) from LAN subnet to anywhere
            Allow TCP 110 (POP3) from LAN subnet to anywhere
            Allow TCP 143 (IMAP) from LAN subnet to anywhere

            Any idea? I appreciate it in advance.

              chpalmer

              @Malesefx:

              As soon as I disable "LAN to any" and instead put those rules below, there is no Internet; I can't even ping the pfSense web interface.

              Allow TCP 80 (HTTP) from LAN subnet to anywhere
              Allow TCP 443 (HTTPS) from LAN subnet to anywhere
              Allow TCP 21 (FTP) from LAN subnet to anywhere
              Allow TCP 25 (SMTP) from LAN subnet to anywhere
              Allow TCP 110 (POP3) from LAN subnet to anywhere
              Allow TCP 143 (IMAP) from LAN subnet to anywhere

              Any idea? I appreciate it in advance.

              The problem is that your client machines don't always instigate the connection (for, say, web browsing) from port 80. You need to allow any for source and 80 for destination (instead of anywhere).

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                stephenw10 Netgate Administrator

                You don't have a rule to allow DNS on port 53 tcp and udp.

                Steve

                  cmb

                  And ping is ICMP echo request; allowing only TCP will block pings.

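The three replies above each name one reason the poster's TCP-only rule list breaks LAN connectivity: a service port typed into the source field never matches a client's ephemeral source port, DNS on TCP/UDP 53 has no rule, and ping is ICMP rather than TCP. The following Python script is an added example, not code from the thread, from pfSense or from Netgate. It models pfSense's LAN-side evaluation (first matching rule wins, implicit deny when nothing matches) and runs a handful of constructed packets from a LAN client through the default "LAN to any" rule, the poster's six TCP rules, the source-port variant chpalmer suspects, and a corrected set. The LAN subnet 192.168.1.0/24, the firewall address 192.168.1.1 and the sample packets are assumptions made for the example.

```python
"""Toy model of pfSense LAN rule evaluation (added example, not pfSense code).

Assumptions (not from the thread): LAN is 192.168.1.0/24, the firewall's LAN
address is 192.168.1.1, and rules are first-match-wins with an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN subnet


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None  # ephemeral port chosen by the client; None for ICMP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str = "any"             # "LAN net" or "any"
    sport: Optional[int] = None  # None means any source port
    dport: Optional[int] = None  # None means any destination port
    desc: str = ""

    def matches(self, p: Packet) -> bool:
        """True when every populated field of the rule matches the packet."""
        if self.proto != "any" and p.proto not in self.proto.split("/"):
            return False
        if self.src == "LAN net" and ipaddress.ip_address(p.src) not in LAN_NET:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; with no match the packet is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action, r.desc
    return "block", "implicit default deny"


def run(rules: List[Rule], packets: List[Packet]) -> Dict[str, str]:
    """Map each sample packet name to the action the rule set takes on it."""
    return {p.name: evaluate(rules, p)[0] for p in packets}


SERVICE_PORTS = (80, 443, 21, 25, 110, 143)

# The stock rule the poster asked about: everything from LAN passes outbound.
DEFAULT_LAN_RULES = [Rule("pass", "any", "LAN net", desc="Default allow LAN to any")]

# The poster's list as written: TCP only, matching on destination port.
POSTER_RULES = [
    Rule("pass", "tcp", "LAN net", dport=port, desc=f"Allow TCP {port}")
    for port in SERVICE_PORTS
]

# The mistake chpalmer describes: the service port entered as the *source* port.
SOURCE_PORT_MISTAKE = [
    Rule("pass", "tcp", "LAN net", sport=port, desc=f"Allow TCP src {port}")
    for port in SERVICE_PORTS
]

# Poster's rules plus the two additions the replies call for.
FIXED_RULES = POSTER_RULES + [
    Rule("pass", "tcp/udp", "LAN net", dport=53, desc="Allow DNS (TCP/UDP 53)"),
    Rule("pass", "icmp", "LAN net", desc="Allow ICMP (ping)"),
]

# Constructed traffic from a LAN client at 192.168.1.10; 203.0.113.5 is a
# documentation address standing in for a public web server.
SAMPLE_PACKETS = [
    Packet("http", "tcp", "192.168.1.10", "203.0.113.5", 51234, 80),
    Packet("webgui", "tcp", "192.168.1.10", "192.168.1.1", 51235, 443),
    Packet("dns_udp", "udp", "192.168.1.10", "192.168.1.1", 40321, 53),
    Packet("dns_tcp", "tcp", "192.168.1.10", "192.168.1.1", 40322, 53),
    Packet("ping", "icmp", "192.168.1.10", "192.168.1.1"),
]

if __name__ == "__main__":
    for label, rules in (("default LAN to any", DEFAULT_LAN_RULES),
                         ("poster's TCP rules", POSTER_RULES),
                         ("source-port mistake", SOURCE_PORT_MISTAKE),
                         ("fixed rules", FIXED_RULES)):
        print(f"== {label} ==")
        for p in SAMPLE_PACKETS:
            action, why = evaluate(rules, p)
            print(f"  {p.name:8s} {action:5s} ({why})")
```

Running it shows the poster's list passing HTTP and the HTTPS webGUI session but dropping the UDP and TCP DNS lookups and the ICMP echo under the implicit deny, which is why "there is no Internet" even though port 80 and 443 were allowed; the source-port variant blocks even HTTP, because the client's source port is 51234, not 80. The corrected set passes all five, at the cost of two extra rules rather than a return to "LAN to any".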
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.