Default Deny behavior

erisan500 · Jul 25, 2013, 8:33 PM

Hi all,

I've just setup pfSense 2.0.3 on an ESXi 5.1 box. On ESXi I created vlans for LAN (10), WAN (100), DMZ (20).
I have a host in the LAN and DMZ.

While testing I discovered that I can ping the host in the DMZ although I didn't created any rules on the DMZ yet.
Is this expected behavior?

At http://doc.pfsense.org/index.php/Firewall_Rule_Basics I found: Firewall rules are processed from the top down, and the first match wins. The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.

Greetings,
Eric

phil.davis · Jul 26, 2013, 4:51 AM

LAN gets an allow all rule by default - so you can originate a ping from LAN to anywhere. That establishes a state, and the ICMP response from DMZ will come back to you.
That text needs a little extra:

The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed. The "factory defaults" and wizard add an allow all firewall rule on LAN.