Netgate Discussion Forum
    Package Service open without Firewall Rule

General pfSense Questions

keyser (Rebel Alliance):

Hi

I have been wondering why some packages/built-in services need a firewall rule to be accessible whereas others are accessible without a rule:

E.g.: I need to create a firewall rule to be able to access the built-in DNS resolver/forwarder from my LAN interface. It's the same with the NTP daemon.
But for the DHCP server there's no need to create a rule. I just installed the Avahi package, and it's the same thing. I do not need to create a rule for them to work.

I think that's rather confusing, and at times makes me wonder which "other services" might be locally available even though I have created no access rules :-)

Love the no fuss of using the official appliances :-)

phil.davis:

        When the DHCP Server is enabled on an interface, pfSense puts pass rules into the rule set to allow the DNS requests… on that interface. In this case the needed rules are well-defined - the sys admin has specifically enabled DHCP on a certain interface(s) and so the underlying code can easily work out exactly what pass rules are needed so it can work.

        In the case of DNS, it is often set up so that DNS just listens the same on all interfaces. But in that case the sys admin does not usually really want DNS to respond on WAN (internet-facing) interfaces. So it is not such a good idea for pfSense to automatically add pass rules for DNS on every interface. Thus if you want the DNS Server to respond on an interface then you have to have a pass rule that lets the requests in.

        A little bit is mentioned at https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order - but it would be good if all the automatic rules were documented somewhere (maybe it is already?). And also would be nice if those automatically added rules showed up in the Firewall Rules display (read-only) so they are easily seen.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

johnpoz (LAYER 8 Global Moderator):

          "And also would be nice if those automatically added rules showed up in the Firewall Rules display (read-only) so they are easily seen"

Agree, this has been a long-standing request, has it not? Could make it a toggle that has to be enabled in advanced settings or something, since it more than likely would confuse some users. Or guess they can show it like they show the anti-lockout rule. But fully agree, would be nice to see all the rules in the GUI firewall tabs vs

          https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

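Since phil.davis explains that pfSense generates some pass rules itself (DHCP on the interface where it is enabled) while others (DNS) only exist if the admin adds them, and johnpoz points to the full pf ruleset as the only place to see them all, here is an added example of auditing that ruleset from the shell. It is not code from the thread or from pfSense. On a live system the input would be the output of `pfctl -sr`; a constructed, abbreviated ruleset is embedded so it runs offline, and the interface names, addresses and rule labels in it are assumptions made for the example.

```shell
# Added example (not pfSense code): find the pass rules pfSense generated on its
# own, i.e. what is reachable without an entry in the Firewall > Rules tab.
# Feed it `pfctl -sr` on a real box; here a constructed ruleset is embedded.
# Interface names, addresses and rule text are assumptions for the example.

SAMPLE_RULESET='anchor "openvpn/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
pass in quick on lan proto udp from any port = 68 to 255.255.255.255 port = 67 keep state label "allow access to DHCP server"
pass in quick on lan proto udp from any port = 68 to 192.168.1.1 port = 67 keep state label "allow access to DHCP server"
pass out quick on lan proto udp from 192.168.1.1 port = 67 to any port = 68 keep state label "allow access to DHCP server"
pass in quick on lan inet proto tcp from any to (self) port = 443 flags S/SA keep state label "anti-lockout rule"
pass in quick on lan inet proto udp from 192.168.1.0/24 to (self) port = 53 keep state label "USER_RULE: Allow LAN to DNS resolver"
pass in quick on lan inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
block drop in log quick on wan inet from any to any label "Default deny rule IPv4"'

# Pass rules whose label is not a USER_RULE label were not created in the GUI.
# In the sample those are the three DHCP server rules and the anti-lockout rule.
list_auto_pass_rules() {
    awk '/^pass / && $0 !~ /label "USER_RULE:/'
}

# For each automatic inbound pass rule print "<interface> <proto> <dst port>".
# The last "port = N" token on a rule is the destination port.
auto_open_ports() {
    list_auto_pass_rules | awk '
        /^pass in / {
            iface = ""; proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on")    iface = $(i + 1)
                if ($i == "proto") proto = $(i + 1)
                if ($i == "port")  port  = $(i + 2)
            }
            if (iface != "" && port != "") print iface, proto, port
        }' | sort -u
}

# Exit 0 if an automatic rule opens the given interface/proto/port, 1 otherwise.
# Usage on a live system: pfctl -sr | is_auto_open lan udp 67
is_auto_open() {
    auto_open_ports | grep -q "^$1 $2 $3\$"
}

# Demonstration on the constructed ruleset: DHCP (udp/67) is listed as opened
# automatically, DNS (udp/53) is not, because it is only reachable through the
# USER_RULE the admin added, which matches what the thread describes.
printf '%s\n' "$SAMPLE_RULESET" | auto_open_ports
```

The filter keys on the rule label because that is the one piece of the generated ruleset that records where a rule came from; anything the label does not mark as a user rule was put there by the system, which is exactly the set of rules the posters want surfaced in the GUI.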
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.