Allow/Block all except some rules and how to disable firewall?

  • Hi all

    I am new to pfSense, so here are two newbie questions :)

    1. On every firewall there should be a possibility to Allow or Block all traffic except some defined rules. How to achieve this in pfSense?

    2. Is it possible to disable firewall completely, for example for testing purposes? How can I do it?

    Thanks for help.

  • Hi,

    I am also new to Pfsense, Maybe my reply can help you a -

    By default there is a LAN rule in PfSense which allow every request from every port from every host on network, So simply you can say firewall is by default disabled in PfSense initially.

    To Allow or Block all traffic except some defined rules yo can add your rules in firewall - rules from Pfsense dashboard.

  • No, the firewall is not disabled by default. It is on but the default rules allow all incoming traffic on the LAN interface and allows all outgoing traffic on any interface. Incoming traffic on interfaces other than LAN is blocked by default. The default rules are crafted so that you have internet access from LAN hosts without changing anything in the firewall but still provides protection from attacks from outside.

    If you want to change this default behaviour to let's say block all by default and allow only selected LAN hosts/protocols/ports to connect, you'll have to change the firewall rules on the LAN interface and disable or delete the default pass all rule(s) and add your own rules.

  • To get back to the original question:

    1. The firewall is default deny. You need to adjust the rules to suit. Default configuration is machines on the LAN are allowed out and inbound traffic is denied. Go to firewall, rules to adjust.
    2. This can be done by going to advanced, firewall/nat. As it says, it also disables NAT.

  • This is all you need to get started.

    Also to disable the firewall completely if you should happen to get locked out because of a bad firewall rule just type pfctl -d in the console. It re-enables itself so there's no need to type pfctl -e after making the necessary changes.