Auto firewall rule when using DNS Resolver?



  • Should there be an auto rule when using DNS Resolver for UDP/53?

    I ask, as I am starting over on my firewall rules, I noticed it was blocking the DNS requests to pfSense on UDP/53. I would have thought that if you enable DNS Resolver it would have made an auto rule (like DHCP does)?

    I made a user rule for it, and all is working fine. I just wanted to make sure that was working as intended.

    EDIT: Actually, same question stands for NTP as well… Seems like if you turn it on/enable it, it should make the firewall rule for it?

    Jason



  • Not for Forwarder or Resolver, as it's common to want those to be user-defined in some specific manner. DHCP is different since its rules can only be configured one way to make it work correctly.



  • @cmb:

    Not for Forwarder or Resolver, as it's common to want those to be user-defined in some specific manner. DHCP is different since its rules can only be configured one way to make it work correctly.

    OK. Thanks!

    Would it be the same reason for NTP as well? Seems like that one should make a rule automatically for UDP/123, but I may be missing something (happens often).



  • Correct, the same applies to NTP also. And pretty much every service with the exception of the DHCP server and relay (and their IPv6 equivalents).
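    The distinction cmb draws above (DHCP gets one fixed automatic rule, while DNS and NTP are left for the user to define) can be seen in the pf rules that sit under the pfSense GUI. The fragment below is an added illustration written for this thread, not pfSense's own generated rule text and not something any of the posters supplied; in pfSense you would enter the DNS and NTP rules through Firewall > Rules on the LAN tab, and the macro names, interface name and LAN subnet here are assumptions:

```pf
# Added illustrative pf ruleset; not pfSense's generated rules.
# Macro names, interface name and subnet are assumptions - adjust to your environment.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"

# The case pfSense handles for you: DHCP can only work one way, so a rule of
# this shape is created automatically (simplified illustration, not the exact text).
pass in quick on $lan_if inet proto udp from any port 68 to any port 67

# The cases this thread says you must add yourself: the Resolver and NTP get no
# automatic rule, so LAN clients are blocked until a user rule permits them.
# "($lan_if)" expands to the firewall's own address(es) on that interface, so these
# rules reach the firewall's services only, not arbitrary port-53/123 hosts elsewhere.
pass in quick on $lan_if inet proto udp from $lan_net to ($lan_if) port 53
# DNS falls back to TCP when a response does not fit in a single UDP datagram.
pass in quick on $lan_if inet proto tcp from $lan_net to ($lan_if) port 53
pass in quick on $lan_if inet proto udp from $lan_net to ($lan_if) port 123
```

    Scoping the destination to the firewall's own interface address is the "specific manner" that an automatic rule could not guess for you: a rule allowing UDP/53 to any destination would also let LAN hosts bypass the Resolver and query outside DNS servers directly, which is exactly the policy choice cmb says is left to the user. If your LAN rule is still the default "any to any", none of these are needed; they matter once you start over with a restrictive ruleset, as Jason describes.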


  • LAYER 8 Global Moderator

    If you ask many people, any auto-created rules should be a no-no ;)  Or at least shown in the GUI, etc.

    I think they just put in the DHCP rule because it would prob cause many less skilled users of pfSense lots of grief trying to figure out why DHCP isn't working ;)  The default LAN rule is any/any, which would allow any of the other services they run to work.



  • The 'hidden' rules are a definite pet peeve of mine.

    I'm OK with the system making automatic rules (in fact I think it SHOULD for NTP, DHCP, DNS when using those services in pfSense…), but I strongly believe they should ALWAYS be shown in the firewall rule lists.

    AKA - automatic is OK, hidden is not.

    Jason


  • LAYER 8 Global Moderator

    ^ Agree. They show the anti-lockout rule that opens your web GUI ports, and it shows the bogon and block-private rules when you have those enabled.  Would love to be able to see all the rules in the GUI, even if it's a buried flag you have to set.

    Maybe even a collapsed section at the top for "system generated rules"

