Creating a firewall rule in pfSense is easy, even if getting it to do exactly what you want isn't. To begin, navigate to Firewall | Rules. The Rules page has several tabs:
- Each subnet gets its own tab. Thus, every non-VLAN interface gets a separate tab, and every VLAN gets a separate tab.
- The leftmost tab is Floating, which is devoted to floating rules: rules that can apply to more than one interface and to traffic in both directions.
- If you have configured VPNs, each VPN protocol gets its own tab (for example, IPsec and OpenVPN).
Creating a rule involves the following steps:
- Once you have navigated to Firewall | Rules, click on the tab for the subnet for which you want to create the rule.
- Click on one of the Add buttons to add a new rule. One button has an up arrow and the other has a down arrow. The Add button with the up arrow adds a rule to the top of the list, while the one with the down arrow adds a rule to the bottom of the list. Rules are evaluated on a top-down basis, so where you place it on the list is crucial. You can always, however, move the rule to its correct location after the fact.
- Once the Edit page loads, you can start configuring the firewall rule. The first section of the page is Edit Firewall Rule.
- The first setting is the Action drop-down box. This determines what happens to packets that match the rule. The options are:
- Pass: Let the traffic pass
- Block: Drop the packet silently
- Reject: Drop the packet, but send back either a TCP RST or an ICMP port unreachable error (TCP RST, or reset, is used for TCP packets; ICMP port unreachable is used for UDP packets)
- Whether you use Block or Reject will likely depend on your own circumstances. Reject lets the end user know right away that access to the resource is not allowed, while with Block, the user's connection will eventually time out. If the user is attacking our network, Block can be a useful way of confounding the attacker, since they won't be able to tell whether there is a network error, the resource doesn't exist, or access to the resource is being blocked.
- The next setting is the Disabled checkbox, which allows us to disable the rule. This is useful if we want to temporarily disable the rule for testing. This setting allows us to do just that without deleting the rule from our ruleset.
- Let's look at the Interface drop-down box, which controls which interface packets must come from to match the rule. Note that we can set this to any interface, regardless of which tab we were on when we clicked on Add.
- The Address Family drop-down box allows you to select the version of Internet Protocol (IP) to which the rule applies. The choices are IPv4, IPv6, or both (IPv4+IPv6).
- The last option in this section is the Protocol drop-down box. This controls what protocol the packets must use in order for there to be a match. In most cases, we will be using either TCP (the default) or UDP, but there are many choices here.
- The next section is Source, which is the source the packet must have to be a match. Typically we leave the Source drop-down set to the default of any. There is also an Invert match checkbox, which enables us to invert the meaning of the source selected. For example, if we select LAN as the source, and we check the Invert match checkbox, the source for the rule will be all packets that do not have LAN as their source. Clicking on the Display Advanced button will cause the Source Port Range options to appear.
- The next section is Destination, which is the destination the packet must have to be a match. This is the setting we are more likely to change. As with Source, there is an Invert match checkbox, so that the match will be on the opposite of what we set here. The Destination port range allows us to set a port range or a single port.
- In the Extra Options section, there are several options:
- If the Log checkbox is checked, pfSense will log packets that match the rule. Normally, we do not want to log packets just because they match a certain rule, since it will just use up disk space. If we are troubleshooting, however, or if we just need a record of every time the rule is invoked, we can enable this option.
- We can enter a brief non-parsed description in the Description edit box.
- There are several advanced options we can display by clicking on the Display Advanced button. We will not discuss all of the options available, but some of the more significant ones deserve a mention:
- The Source OS option allows us to apply the rule only to packets that come from a specific OS. All of the common OS options are available (for example, multiple versions of Windows, Linux, and macOS), along with some less-common ones (for example, BeOS and OS/2).
- Max src. states allows us to limit the number of states per host for a rule. This is potentially useful in blocking DoS attacks.
- TCP Flags allows you to apply the rule only to packets with the specified TCP flags set. We will take advantage of this option later on to create a rule to block SYN flood attacks.
- The Schedule option allows us to invoke the rule only during specific times, defined by a schedule entry. If you have created schedule entries, then they will appear in the drop-down box for Schedule, and you will be able to select the entry.
- Gateway is useful in multi-WAN setups. If you want to send packets that match this rule to a gateway other than the default gateway, and you have more than one WAN interface, you can select the gateway in the drop-down box.
- The In/Out pipe allows you to take packets coming in from one interface (the In interface) and send traffic leaving the interface to another interface (the Out interface).
- Ackqueue/Queue allows you to pipe traffic into a specific traffic-shaping queue and send ACK traffic into a specific ACK queue. We will discuss traffic-shaping in greater detail in the next chapter.
- Once you are done configuring your rule, you can click on the blue Save button to save the rule. Once the page reloads, click on the Apply Changes button to force a reload of the firewall filter rules.
- The rule has now been added, but are the rules in the right order? If they aren't, you can click on the new rule and drag it into the correct position. After moving the rule, click on the Save button at the bottom of the table and then click on the Apply Changes button to reload the rules.
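The procedure above boils down to a short list of fields and one evaluation order: rules are tried top-down and the first match decides. The following Python model is an added example, not code from the book or from pfSense, that walks a rule list exactly that way using the fields described above (Action, Disabled, Interface, Address Family, Protocol, Source with Invert match, Destination with Invert match, and the destination port range). The `Packet`/`Rule` classes, the `LAN_RULES` ruleset, and every address and description in it are constructed for illustration; the fallback when nothing matches mirrors pfSense's built-in default-deny behavior.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the fields on the Edit Firewall Rule page. This is an
# added illustration, not pfSense code; field names mirror the GUI labels.


@dataclass
class Packet:
    iface: str      # interface the packet arrives on, e.g. "LAN"
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source address (IPv4 or IPv6)
    dst: str        # destination address
    dport: int = 0  # destination port (0 for protocols without ports)


@dataclass
class Rule:
    action: str                               # Pass, Block or Reject
    iface: str = "any"                        # Interface drop-down
    family: str = "IPv4+IPv6"                 # Address Family drop-down
    proto: str = "tcp"                        # Protocol drop-down (TCP is the default)
    src: str = "any"                          # Source: "any" or a CIDR
    src_invert: bool = False                  # Source "Invert match" checkbox
    dst: str = "any"                          # Destination: "any" or a CIDR
    dst_invert: bool = False                  # Destination "Invert match" checkbox
    dports: Optional[Tuple[int, int]] = None  # Destination port range (low, high)
    disabled: bool = False                    # Disabled checkbox
    description: str = ""                     # Description edit box


def _addr_matches(spec: str, addr: str, invert: bool = False) -> bool:
    """Match an address against 'any' or a CIDR; Invert match flips the result."""
    hit = spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
    return not hit if invert else hit


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every configured field of the rule matches the packet."""
    if rule.disabled:
        return False
    if rule.iface != "any" and rule.iface != pkt.iface:
        return False
    if rule.family != "IPv4+IPv6" and rule.family != f"IPv{ip_address(pkt.src).version}":
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _addr_matches(rule.src, pkt.src, rule.src_invert):
        return False
    if not _addr_matches(rule.dst, pkt.dst, rule.dst_invert):
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the list top-down; the first matching rule decides.

    Returns (verdict, description). For Reject the verdict also names what
    is sent back: a TCP RST for TCP, an ICMP port unreachable otherwise.
    With no match, pfSense's built-in default-deny rule drops the packet.
    """
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "reject":
                reply = "TCP RST" if pkt.proto == "tcp" else "ICMP port unreachable"
                return f"reject ({reply})", rule.description
            return rule.action, rule.description
    return "block (default deny)", ""


# Constructed sample ruleset for the LAN tab. The quarantine rule is placed
# first on purpose: evaluation is top-down, so it must precede the Pass rule.
LAN_RULES = [
    Rule("block", iface="LAN", proto="any", src="192.168.1.50/32",
         description="Quarantine 192.168.1.50"),
    Rule("pass", iface="LAN", proto="tcp", dports=(80, 443),
         description="Allow web from LAN"),
    Rule("reject", iface="LAN", proto="tcp", dports=(23, 23),
         description="Reject telnet"),
    Rule("reject", iface="LAN", proto="udp", dports=(69, 69),
         description="Reject TFTP"),
    Rule("pass", iface="LAN", proto="udp", dports=(53, 53), disabled=True,
         description="Allow DNS (disabled while testing)"),
]

# The same rules with the quarantine entry dragged below the web rule, which
# is the ordering mistake that lets the quarantined host keep browsing.
MISORDERED_RULES = [LAN_RULES[1], LAN_RULES[0]] + LAN_RULES[2:]


def demo() -> None:
    """Print the verdict for one constructed packet under both orderings."""
    web = Packet("LAN", "tcp", "192.168.1.50", "203.0.113.10", 443)
    for name, rules in (("correct order", LAN_RULES), ("misordered", MISORDERED_RULES)):
        print(name, evaluate(rules, web))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the point of step 7: with the quarantine rule on top, HTTPS from 192.168.1.50 is blocked; with it dragged below the web rule, the same packet passes. The disabled DNS rule never matches, so that traffic falls through to the default deny, which is what you want to see when using the Disabled checkbox to test a rule's effect without deleting it.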
The newly-created rule can be found on the table for the subnet to which the rule applies. There are a number of columns on the table, which tell us pertinent information about the rule:
- States: This column tells us how many states exist (as well as the total amount of data passing through the firewall) because of traffic allowed by this rule. This can be useful when troubleshooting. If you created a rule that allows traffic to pass (Action=Pass) and the rule has been in effect for a while, yet there are zero states associated with the rule, it's a good sign that the rule has had no effect.
- Protocol: Lists both the network-layer protocol and transport-layer protocol to which the rule applies. The network-layer protocol will be either IPv4, IPv6, or both, and the transport-layer protocol will be TCP, UDP, or one of many other supported protocols.
- Source/Port: The source of the traffic to which the rule applies.
- Destination/Port: The destination (address and port) of the traffic to which the rule applies.
- Gateway: We are allowed to specify the gateway to which traffic that matches the rule is sent. Otherwise, the system routing tables are used. This column lists the gateway specified; if no gateway was selected, there is an asterisk in this column.
- Queue: We are allowed to specify a queue into which traffic that matches this rule will be sent. That queue will be listed here; otherwise, there is an asterisk in this column.
- Description: This is the information that was entered into the Description edit box when the rule was created/edited.
In the rightmost portion of the table, there are several icons that enable us to perform tasks related to the rules. The icon that looks like an anchor allows us to move checked rules above the rule (there is a checkbox in the leftmost column of each entry). Clicking on this icon with the Shift key held down allows us to move checked rules below the rule. Clicking on the icon that looks like a pencil allows us to edit the rule. Clicking on the icon that looks like two pieces of paper on top of each other allows us to copy a rule. This can come in handy when creating a rule that differs from an existing rule in only one or two ways. Clicking on the icon that is a circle with a line through it allows us to disable a rule. The icon then changes into a box with a checkmark in it; clicking on it re-enables the rule. Finally, clicking on the icon that looks like a trash can allows us to delete the rule.