Package Service open without Firewall Rule
-
Hi
I have been wondering why some packages/built-in services needs a firewall rule to be accessible whereas others are accessible without a rule:
FX: I need to create a firewall rule to be able to access the built-in DNS resolver/forwarder from my LAN interface. It's the same with the NTP daemon.
But for the DHCP server there's no need to create a rule. I just installed the AVAHI package, and it's the same thing. I do not need to create a rule for them to work. I think that's rather confusing, and at times makes me wonder which "other services" might be locally available even though I have created no access rules :-)
-
When the DHCP Server is enabled on an interface, pfSense puts pass rules into the rule set to allow the DNS requests… on that interface. In this case the needed rules are well-defined - the sys admin has specifically enabled DHCP on a certain interface(s) and so the underlying code can easily work out exactly what pass rules are needed so it can work.
In the case of DNS, it is often set up so that DNS just listens the same on all interfaces. But in that case the sys admin does not usually really want DNS to respond on WAN (internet-facing) interfaces. So it is not such a good idea for pfSense to automatically add pass rules for DNS on every interface. Thus if you want the DNS Server to respond on an interface then you have to have a pass rule that lets the requests in.
A little bit is mentioned at https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order - but it would be good if all the automatic rules were documented somewhere (maybe it is already?). And also would be nice if those automatically added rules showed up in the Firewall Rules display (read-only) so they are easily seen.
-
"And also would be nice if those automatically added rules showed up in the Firewall Rules display (read-only) so they are easily seen"
Agree, this has been a long-standing request, has it not? Could make it a toggle that has to be enabled in advanced settings or something, since it more than likely would confuse some users. Or I guess they can show it like they show the anti-lockout rule. But fully agree, would be nice to see all the rules in the GUI firewall tabs vs
https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
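Since the automatic rules are only visible in the full pf ruleset, here is an added example (not from the posters above or from pfSense itself) that reads `pfctl -sr`-style output and lists, per interface, which protocol/port pairs have an inbound pass rule, so you can see at a glance what a service like DHCP was opened up for without a user rule. The rule lines are constructed to resemble `pfctl -sr` output and are not captured from a real system.

```shell
#!/bin/sh
# Added example: summarise inbound "pass" rules per interface.
# On a live box you would run:  pfctl -sr | summarise_pass_rules
# SAMPLE_RULES is a constructed stand-in for that output.
SAMPLE_RULES='block drop in log quick on em0 inet from 10.0.0.0/8 to any label "block private networks from wan"
pass in quick on em1 inet proto udp from any port = 68 to 255.255.255.255 port = 67 keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = 68 to 192.168.1.1 port = 67 keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.1.1 port = 67 to any port = 68 keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state label "USER_RULE: LAN DNS"
pass in quick on em1 inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"'

# Reads pf rules on stdin; prints one "iface proto dstport" line per
# distinct inbound pass rule. Rules with no destination port (e.g. a
# "LAN to any" rule) are reported with port "any". Outbound rules and
# block rules are ignored because they do not expose a listener.
summarise_pass_rules() {
    awk '
    $1 == "pass" && $2 == "in" {
        iface = ""; proto = "any"; port = "any"; seen_to = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "on")    iface = $(i + 1)
            if ($i == "proto") proto = $(i + 1)
            if ($i == "to")    seen_to = 1
            # only the port after "to" is the destination port
            if ($i == "port" && seen_to && $(i + 1) == "=") port = $(i + 2)
        }
        key = iface " " proto " " port
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | summarise_pass_rules
```

A user rule tagged `USER_RULE:` in its label is one you created in the GUI; an inbound pass line without that tag is one pfSense added for you.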