Netgate Discussion Forum
Default Deny behavior

Firewalling
2 Posts 2 Posters 1.3k Views
erisan500
last edited by Jul 25, 2013, 8:33 PM

    Hi all,

    I've just set up pfSense 2.0.3 on an ESXi 5.1 box. On ESXi I created VLANs for LAN (10), WAN (100), DMZ (20).
    I have a host in the LAN and DMZ.

    While testing I discovered that I can ping the host in the DMZ although I haven't created any rules on the DMZ yet.
    Is this expected behavior?

    At http://doc.pfsense.org/index.php/Firewall_Rule_Basics I found: Firewall rules are processed from the top down, and the first match wins. The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.

    Greetings,
    Eric

    phil.davis
    last edited by Jul 26, 2013, 4:51 AM

      LAN gets an allow all rule by default - so you can originate a ping from LAN to anywhere. That establishes a state, and the ICMP response from DMZ will come back to you.
      That text needs a little extra:

      The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed. The "factory defaults" and wizard add an allow all firewall rule on LAN.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

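To make the stateful behaviour described in the reply above concrete, here is a small Python model of pfSense's per-interface, first-match rule evaluation backed by a state table. It is an added illustration written for this page, not pfSense or pf code; the interface subnets (10.10.0.0/24 for LAN, 10.20.0.0/24 for DMZ) and the host addresses are constructed assumptions, and ICMP state is tracked simply by (protocol, source, destination) rather than the way pf really keys it. The model shows the three cases that matter here: the factory LAN allow-all rule lets a LAN-originated ping create a state that the echo reply from the DMZ rides back on; a DMZ-originated ping hits the default deny because the DMZ interface has no rules; and an explicit pass rule on DMZ changes that.

```python
"""Toy model of pfSense rule evaluation: rules on an interface apply to traffic
entering that interface, the first matching rule wins, a pass rule creates a
state, and anything unmatched falls through to the default deny.
Added illustration only; subnets and addresses below are constructed."""
from dataclasses import dataclass
import ipaddress

# Constructed interface subnets (assumption, not taken from the forum post).
INTERFACE_NETS = {
    "LAN": ipaddress.ip_network("10.10.0.0/24"),
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str   # interface the rule is attached to (filters traffic entering it)
    action: str  # "pass" or "block"
    src: str     # CIDR, "any", or "<IFACE> net"
    dst: str     # CIDR or "any"
    proto: str   # "any", "icmp", "tcp", "udp"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters the firewall on
    src: str
    dst: str
    proto: str


def _resolve(net_spec):
    """Turn a rule's address field into an ip_network."""
    if net_spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if net_spec.endswith(" net"):
        return INTERFACE_NETS[net_spec.split()[0]]
    return ipaddress.ip_network(net_spec)


def _matches(rule, pkt):
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in _resolve(rule.src)
            and ipaddress.ip_address(pkt.dst) in _resolve(rule.dst))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (proto, src, dst) of flows a pass rule admitted

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        # An existing state short-circuits the rule set in either direction,
        # which is why the DMZ's echo reply is accepted despite the DMZ having
        # no rules of its own.
        if key in self.states or reverse in self.states:
            return "pass (existing state)"
        for rule in self.rules:  # first match wins
            if _matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(key)
                    return f"pass (rule on {rule.iface})"
                return f"block (rule on {rule.iface})"
        return "block (default deny)"


# The factory default / wizard rule set: allow everything originating on LAN.
DEFAULT_RULES = [Rule("LAN", "pass", "LAN net", "any", "any")]


def ping(fw, src_iface, src, dst_iface, dst):
    """Simulate an echo request and its reply; return both verdicts."""
    request = fw.filter(Packet(src_iface, src, dst, "icmp"))
    if not request.startswith("pass"):
        return request, "not sent"
    reply = fw.filter(Packet(dst_iface, dst, src, "icmp"))
    return request, reply


def lan_pings_dmz():
    fw = StatefulFirewall(DEFAULT_RULES)
    return ping(fw, "LAN", "10.10.0.50", "DMZ", "10.20.0.50")


def dmz_pings_lan():
    fw = StatefulFirewall(DEFAULT_RULES)
    return ping(fw, "DMZ", "10.20.0.50", "LAN", "10.10.0.50")


def dmz_pings_lan_with_rule():
    # Hypothetical extra rule: allow ICMP originating on the DMZ.
    rules = DEFAULT_RULES + [Rule("DMZ", "pass", "DMZ net", "any", "icmp")]
    fw = StatefulFirewall(rules)
    return ping(fw, "DMZ", "10.20.0.50", "LAN", "10.10.0.50")


if __name__ == "__main__":
    print("LAN -> DMZ:", lan_pings_dmz())
    print("DMZ -> LAN:", dmz_pings_lan())
    print("DMZ -> LAN with DMZ rule:", dmz_pings_lan_with_rule())
```

The quick check against a real box is the same as in the model: from the DMZ host, try to ping the LAN host. If the DMZ tab really has no rules, that ping fails while the LAN-to-DMZ ping succeeds, and Diagnostics > States will show the LAN-originated ICMP entry that carried the reply back.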