Netgate Discussion Forum
    What are the "default pass rules"

    Category: Firewalling | 11 Posts, 4 Posters, 5.0k Views
    bradvido:

      I understand the default deny rule denies any traffic not explicitly passed.
      I noticed in the 2.2 changelog (https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes) that there is now an option to:

      log default pass rules as well as default block rules

      But, I haven't been able to track down any documentation on what exactly the default pass rule(s) is/are.  Where is this defined?

    johnpoz (LAYER 8 Global Moderator):

        Are you asking where you enable it?  See attached.

        By default, anything the firewall itself does is allowed. If you look in the verbose listing of the rules with

        pfctl -vvsr

        you will see rules labeled with things like
        "let out anything from firewall host itself"

        I would believe those would be included, etc. Turn it on and take a look at what gets logged. Keep in mind the log will fill up quickly. I would think the rules that get enabled but not shown in the GUI when you enable a DHCP server, for example, would be included too.

        But that would be a good suggestion for a wiki article ;)

        [attachment: defaultpasslog.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    bradvido:

          Thanks! I understand where to turn it on, I just didn't understand what the "default pass rules" are or where they are defined. The command output works.

          Perhaps more importantly: are the default pass rules evaluated before or after user defined rules? I'm wondering if I can define rules for specific traffic that would otherwise be caught by the "let out anything from firewall host itself". For example, could I define a pass rule that matches outbound DNS traffic on the WAN interface and disable logging on it because I don't care about logging outbound DNS, but I do want the rest of the traffic that matches the default pass rule to be logged.

    johnpoz (LAYER 8 Global Moderator):

            Good question. The way I currently understand it, no. What I call the hidden rules (not really hidden, it's just stuff that does not show up in the GUI) are processed before the rules in the GUI; if they were set to log, I don't see how setting up a duplicate rule in the GUI without logging would override that.

            It would be really nice if there was an advanced-feature checkbox where the complete rule set could be listed in the GUI and adjusted, so you could see rules like what gets added when you enable a DHCP server on an interface, etc. And then you could log or not log individual rules.

            Maybe version 2.3+ ;)

    bradvido:

              +1
              Are there any official channels for a feature request like that?

    johnpoz (LAYER 8 Global Moderator):

                https://doc.pfsense.org/index.php/How_can_I_get_a_feature_added

                While I think it would be a nice feature, to be honest there should probably be some restrictions on getting it enabled, and I doubt they would enable such a feature without funding.

                The forums are full enough of questions from people not understanding basic firewall principles and what direction rules are evaluated in, etc. If you let them dick with the hidden stuff they would just break it that much quicker ;)

                Maybe have to pass a test before you get a code to enable it ;) hehehe

                Edit: Another sweet thing would be (maybe there already is one): you can get a cert from Riverbed, Juniper, Cisco, Red Hat, etc. Maybe there should be some tests to get certified on pfSense ;)

                There are classes https://www.pfsense.org/university/

                But I don't think there is an actual test for certification. Maybe if you have passed the advanced course you could enable the full rule set in the GUI ;) Then again, if you're at that level you probably don't need to use the GUI anyway and can just modify the rules directly.

    bradvido:

                  Feature Request: https://redmine.pfsense.org/issues/4828

    johnpoz (LAYER 8 Global Moderator):

                    Well, good luck, but without funding you will probably not see that ever implemented, at least not in the next couple of versions. But good luck.

    reggie14:

                      It's been a while since I did this (and I'm away from home, so I can't try it now), but I think you can view the full rule set at the command line, which I believe includes the default pass/block rules.  There's a wiki post about that.

                      Which, now that I re-read johnpoz's posts I see that's what he said.  In any event, there's a wiki page about it.

                      It's probably a bad idea to let users change these, but a nicer way to view them might be kind of nice.  I've run into problems before where I turned on a bunch of logging options to figure out why something wasn't working as I intended. The logs don't make it easy to figure out what default block (or pass, I suppose) rule was responsible for blocking traffic.

    johnpoz (LAYER 8 Global Moderator):

                        What version of pfSense are you using? Quite a few revisions back, the option to list the actual rule was added. Example:

                        As you see in the attachment, there is a specific rule number; if you use

                        pfctl -vvsr

                        @5(1000000103) block drop in log inet all label "Default deny rule IPv4"
                          [ Evaluations: 728190    Packets: 8165      Bytes: 965015      States: 0    ]

                        [attachment: pfsenserulenumbers.png]

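The two johnpoz posts above point at the same workflow: dump the full rule set with `pfctl -vvsr`, then use the rule number (the `@5(1000000103)` prefix) to connect a firewall-log entry back to the rule that produced it, hidden or not. The script below is an added example, not code from the thread or from pfSense itself. It works on a constructed three-rule listing in the format johnpoz quoted (the counters, the IPv6 rule and the "let out anything" rule's counters are made up), and it assumes that the number in parentheses is the tracker id pfSense writes into the fourth comma-separated field of a filterlog record (rule-number, sub-rule, anchor, tracker, interface, reason, action, direction, ip-version, ...); the sample log line is constructed and truncated after the ninth field.

```shell
#!/bin/sh
# Added example: map pfSense firewall-log entries back to the rule in `pfctl -vvsr`
# output and list which rules actually log. Not code from the thread or from pfSense.

# Constructed sample of `pfctl -vvsr` output. Rule 5 is the line johnpoz quoted;
# rules 6 and 7 and all counters except rule 5's are made up for illustration.
SAMPLE_RULES='@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 728190    Packets: 8165      Bytes: 965015      States: 0    ]
@6(1000000104) block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 1200      Packets: 14        Bytes: 1960        States: 0    ]
@7(1000000105) pass out quick inet all flags S/SA keep state label "let out anything from firewall host itself"
  [ Evaluations: 5000      Packets: 4200      Bytes: 612000      States: 3    ]'

# Constructed filterlog record (assumed field order: rule-number, sub-rule, anchor,
# tracker, interface, reason, action, direction, ip-version; rest omitted).
SAMPLE_LOG='5,,,1000000103,em0,match,block,in,4'

# rule_by_tracker TRACKER: read a `pfctl -vvsr` listing on stdin and print the rule
# whose tracker id (the number in parentheses after @N) matches, followed by its
# counter line. Exits 1 when no rule carries that tracker id.
rule_by_tracker() {
    awk -v t="$1" '
        $0 ~ ("^@[0-9]+\\(" t "\\)") {
            print
            if ((getline line) > 0) print line
            found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# logging_labels: read a `pfctl -vvsr` listing on stdin and print the label of every
# rule that carries the pf "log" keyword, one per line. Only these rules produce
# firewall-log entries, which is what the "log default pass rules" option changes.
logging_labels() {
    awk '/^@/ && / log / { sub(/.*label "/, ""); sub(/"$/, ""); print }'
}

# tracker_from_filterlog LINE: pull the tracker id (4th field) out of one filterlog record.
tracker_from_filterlog() {
    printf '%s\n' "$1" | cut -d, -f4
}

# Demo: resolve the tracker in the sample log line to its rule and counters, then
# show which rules in the listing will ever appear in the firewall log.
printf '%s\n' "$SAMPLE_RULES" | rule_by_tracker "$(tracker_from_filterlog "$SAMPLE_LOG")"
printf '%s\n' "$SAMPLE_RULES" | logging_labels
```

On a real box, replace the `printf` of `$SAMPLE_RULES` with `pfctl -vvsr` itself; the listing is long, so pipe it into `rule_by_tracker` rather than reading it by eye.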
    CaptSpify:

                          Sorry to resurrect an old thread. Not sure what the protocol for something like this is, but...
                          If you are looking for these "hidden rules", you can probably find them in /etc/inc/filter.inc

                          At least, that's where I found the rules I needed. The other files in /etc/inc probably have similar rules as well.
                          Just wanted to post this to save anyone else the time of looking through all the scripts to figure out where they are all stored.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.