I'm looking for help understanding the firewall rule order

  • Hi all.

    I guess I should first say that I have only started using pfSense recently (within past month) but have been playing with Linux for a long time and I would say I have "moderate" Linux knowledge though my work has me working with Windows primarily with various vendors for networking products. I will have to admit that because of the urgency of my predicament I setup pfSense with pfBlockerNG to block the top 20 spamming countries to start then started adding countries as they showed up on my mail server and I must say that my spam level has dropped to almost zero (By all means slap your forehead).

    Now, that I've had more time to research and even though I have it on a machine that average usage of system resources is below 3% according to the graphs I can see the shotgun approach is not as elegant as just whitelisting the countries from which I want to receive email. Also, I can see that it might not always be the case that all those resources are available so yet another reason to figure out/learn the more elegant solution.

    I can't seem to figure out how the whitelisting solution would work with forwarded ports i.e. a NAT pass rule for port 25 from (GeoIP US and Canada Whitelist) to a mail server. My understanding is that the way the rules are processed are from the top to the bottom and a packet moves down the list until it matches. I know that the default is to block but it seems that if there are no explicit rules it'll get to my pass rule and allow the traffic. However, there are still IPs within those countries that I would like to block (Comcast's DSL client IPs for example) and I'm not sure how I would do that other than to setup a blocklist (not sure if it should be a pfblocklist or an alias) before that rule. It seems that if I create that alias/blocklist I'm somehow not staying true to the minimalist "whitelisting only what you need" approach. How would I go about dealing with this?

    Is this making sense or am I overthinking this?
    Any recommendations?



  • LAYER 8 Netgate

    On your port forward firewall rule for port 25 just pass from where you want to receive mail (Source address). Everything else will be blocked unless passed by a different rule.

    That or block from where you don't want to receive mail then pass everything else. If you want to use the two rule approach I would suggest disconnecting the automatic firewall rule and manually creating both rules.

  • Thank you Derelict.

    Is there a way to have both an allow and an exception list with one rule?

    Just curious


  • LAYER 8 Netgate

    Not sure what you mean. That which is not passed is blocked. There is only pass or block.

    To my knowledge there is no way to test a source address twice. That's done with two rules.

    Rules are free, what's the dilemma?

  • It seems that the goal with setting up the firewall is to use as few rules as possible to minimize resource usage.

    Seems like 2 rules is the minimum in this situation.

    Thanks again for helping me work through it.


  • LAYER 8 Netgate

    Don't worry about the number of rules.

  • @Derelict:

    Don't worry about the number of rules.

    Unless you have hundreds or thousands of them.  That becomes hard to understand and maintain.

  • LAYER 8 Netgate

    Yeah. But nobody here has that. If they do and they're here they're using the wrong tool.

Log in to reply