What are the "default pass rules"

  • I understand the default deny rule denies any traffic not explicitly passed.
    I noticed in the 2.2 changelog (https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes) that there is now an option to:

    log default pass rules as well as default block rules

    But, I haven't been able to track down any documentation on what exactly the default pass rule(s) is/are.  Where is this defined?

  • LAYER 8 Global Moderator

    Are you asking where you enable it?  See attached.

    By default anything the firewall itself does would be by default allowed.. If you look in the verbose listing of the rules with

    pfctl -vvsr

    You will see stuff labeled with stuff like
    "let out anything from firewall host itself"

    I would believe those would be included, etc.  Turn it on and take a look to what gets log.. Keep in mind log will fill up quick.  I would think the rules that get enabled but not shown in the gui when you enable dhcp server for example.

    But that would be a good suggestion for a wiki article ;)

  • Thanks! I understand where to turn it on, I just didn't understand what the "default pass rules" are or where the are defined. The command output works.

    Perhaps more importantly: are the default pass rules evaluated before or after user defined rules? I'm wondering if I can define rules for specific traffic that would otherwise be caught by the "let out anything from firewall host itself". For example, could I define a pass rule that matches outbound DNS traffic on the WAN interface and disable logging on it because I don't care about logging outbound DNS, but I do want the rest of the traffic that matches the default pass rule to be logged.

  • LAYER 8 Global Moderator

    good question - the way I currently understand it no..  What I call the hidden rules, not really hidden its just stuff that does not show up in the gui are processed before the rules in the gui, if they were set to log I don't see how setting up a duplicate rule in the gui without logging would over ride that.

    It would be really nice if there was like an advanced feature checkbox where the complete rule set could be listed in the gui and adjusted, so you could see the rules like what gets added when you enable a dhcp server on an interface, etc..  And then you could log or not log individual rules.

    Maybe version 2.3+ ;)

  • +1
    Are there any official channels for a feature request like that?

  • LAYER 8 Global Moderator


    While I think it would be a nice feature..  To be honest, there should prob be some restrictions on getting it enabled, and I doubt they would enable such a feature without funding.

    The forums are full enough of questions from people not understanding basic firewall principles and what direction rules are evaluated in, etc..  If you let them dick with the hidden stuff they would just break it that much quicker ;)

    Maybe have to pass a test before you get a code to enable it ;) hehehe

    edit:  Would be another sweet thing, maybe there is already - you can get a cert from riverbed, juniper, cisco, redhat, etc. etc..  maybe there should be some tests to get certified on pfsense ;)

    There are classes https://www.pfsense.org/university/

    But I don't think there is a actual test for certification, but maybe if you have passed the advanced course you could enable full rule set in the gui ;)  Then again if your at that level prob don't need to use the gui anyway and just modify the rules directly..

  • LAYER 8 Global Moderator

    Well good luck, but without funding you will prob not see that ever implemented, at least not in the next couple of versions.  But good luck.

  • It's been a while since I did this (and I'm away from home, so I can't try it now), but I think you can view the full rule set at the command line, which I believe includes the default pass/block rules.  There's a wiki post about that.

    Which, now that I re-read johnpoz's posts I see that's what he said.  In any event, there's a wiki page about it.

    It's probably a bad idea to let users change these, but a nicer way to view them might be kind of nice.  I've run into problems before where I turned on a bunch of logging options to figure out why something wasn't working as I intended. The logs don't make it easy to figure out what default block (or pass, I suppose) rule was responsible for blocking traffic.

  • LAYER 8 Global Moderator

    what version of pfsense are you using - back quite a few revision the option to list the actual rule was added..  example.

    As you see attached there is specific rule that if you use the

    pfctl -vvsr

    @5(1000000103) block drop in log inet all label "Default deny rule IPv4"
      [ Evaluations: 728190    Packets: 8165      Bytes: 965015      States: 0    ]

  • Sorry to resurrect an old thread. Not sure what the protocol for something like this is but….
    If you are looking for these "hidden rules", you can probably find them in /etc/inc/filter.inc

    At least, that's where I found the rules I needed. The other files in /etc/inc probably have similar rules as well.
    Just wanted to post this to save anyone else the time of looking through all the scripts to figure out where they are all stored.

Log in to reply