Introduction to the Firewall Rules screen
This section provides an introduction and overview of the Firewall Rules screen located at Firewall > Rules. This page lists the WAN ruleset to start with, which by default has no entries other than those for Block private networks and Block bogon networks if those options are active on the WAN interface, as shown in Figure Default WAN Rules.
Tip
Click the icon to the right of the Block private networks or Block bogon networks rules to reach the WAN interface configuration page where these options can be enabled or disabled. (See Block Private Networks and Block Bogon Networks for more details.)

Figure: Default WAN Rules
Click the LAN tab to view the LAN rules. By default, the only entries are
the Default allow LAN to any rules for IPv4 and IPv6 as seen in Figure
Default LAN Rules, and the Anti-Lockout Rule if it is active.
The anti-lockout rule is designed to prevent administrators from accidentally
locking themselves out of the GUI. Click the icon next to the anti-lockout
rule to reach the page where this rule can be disabled.
See also
For more information on how the Anti-Lockout Rule works and how to disable the rule, see Anti-lockout Rule and Anti-lockout.

Figure: Default LAN Rules
To display rules for other interfaces, click their respective tabs. OPT
interfaces will appear with their descriptive names, so if the OPT1 interface
was renamed DMZ, then the tab for its rules will also say DMZ.
To the left of each rule is an indicator icon showing the action of the rule:
pass, block, or reject. If logging is enabled for the rule, a logging icon
is shown in the same area. If the rule has any advanced options enabled, an
additional icon is also displayed. Hovering the mouse cursor over any of these
icons will display text explaining their meaning. The same icons are shown for
disabled rules, except the icon and the rule are a lighter shade of their
original color.
Adding a firewall rule
To add a rule to the top of the list, click Add.
To add a rule to the bottom of the list, click Add.
To make a new rule that is similar to an existing rule, click the copy icon to
the right of the existing rule. The edit screen will appear with the existing
rule’s settings pre-filled, ready to be adjusted. When duplicating an existing
rule, the new rule will be added directly below the original rule. For more
information about how to configure the new rule, see Configuring firewall rules.
Editing Firewall Rules
To edit a firewall rule, click the edit icon to the right of the rule, or
double click anywhere on the line.
The edit page for that rule will load, and from there adjustments are possible. See Configuring firewall rules for more information on the options available when editing a rule.
Moving Firewall Rules
Rules may be reordered in two different ways: drag-and-drop and select-and-click.
To move rules using the drag-and-drop method:
Move the mouse over the firewall rule to move. The cursor will change to indicate movement is possible.
Click and hold the mouse button down.
Drag the mouse to the desired location for the rule.
Release the mouse button.
Click Save to store the new rule order.
Warning
Attempting to navigate away from the page after moving a rule, but before saving the rule, will result in the browser presenting an error confirming whether or not to exit the page. If the browser navigates away from the page without saving, the rule will still be in its original location.
To move rules in the list in groups or by selecting them first, use the select-and-click method:
Check the box to the left of the rules which need to be moved, or single click the rule. When the rule is selected, it will change color.
Click the move icon on the row below where the rule should be moved.
Tip
Hold Shift before clicking the move icon to move the rule below the selected rule instead of above.
When moving rules using the select-and-click method, the new order is stored automatically.
Deleting Firewall Rules
To delete a single rule, click the delete icon to the right of the rule. The
firewall will present a confirmation prompt before deleting the rule.
To delete multiple rules, check the box at the start of the rows that should be
removed, then click the Delete button at the bottom of the list.
Rules may also be selected by single clicking anywhere on their line.
Disabling and Enabling Firewall Rules
To disable a rule, click the disable icon at the end of its row. The appearance
of the rule will change to a lighter shade to indicate that it is disabled and
the icon changes to the enable icon.
To enable a rule which was previously disabled, click the enable icon at the
end of its row. The appearance of the rule will return to normal and the
enable/disable icon will return to the original disable icon.
A rule may also be disabled or enabled by editing the rule and toggling the Disabled checkbox.
Rule Separators
Firewall Rule Separators are colored bars in the ruleset that contain a small bit of text, but do not take any action on traffic. They are useful for visually separating or adding notes to special parts of the ruleset. Figure Firewall Rule Separators Example shows how they can be utilized to group and document the ruleset.

Figure: Firewall Rule Separators Example
To create a new Rule Separator:
Open the firewall rule tab where the Rule Separator will reside
Click Separator
Enter description text for the Rule Separator
Choose the color for the Rule Separator by clicking the icon of the desired color
Click and drag the Rule Separator to its new location
Click Save inside the Rule Separator to store its contents
Click Save at the bottom of the rule list
To move a Rule Separator:
Open the firewall rule tab containing the Rule Separator
Click and drag the Rule Separator to its new location
Click Save at the bottom of the rule list
To delete a Rule Separator:
Open the firewall rule tab containing the Rule Separator
Click the delete icon inside the Rule Separator on the right side
Click Save at the bottom of the rule list
Rule Separators cannot be edited. If a change in text or color is required, create a new Rule Separator and delete the existing entry.
Tracking Firewall Rule Changes
When a rule is created or updated, the firewall records the user’s login name, IP address, and a timestamp on the rule to track who added and/or last changed the rule in question. If the firewall automatically created the rule, that is also noted. This is done for firewall rules as well as port forwards and outbound NAT rules. An example of a rule update tracking block is shown in Figure Firewall Rule Time Stamps, which is visible at the very bottom of the rule editing screen when editing a firewall rule.

Figure: Firewall Rule Time Stamps
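The tracking data described above can also be reviewed for a whole ruleset at once from a configuration backup. The following Python sketch is an added example, not code from the original page or from the firewall project. It assumes each rule under filter/rule carries created and updated blocks with time and username children; that XML layout, the sample data and the management network are all assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample; the element layout is an assumption, not taken from the page.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>lan</interface><descr>Default allow LAN to any rule</descr>
  <created><time>1700000000</time><username>admin@192.168.1.10 (Local Database)</username></created>
</rule>
<rule><type>pass</type><interface>wan</interface><descr>Temporary remote access</descr>
  <created><time>1700000000</time><username>admin@192.168.1.10 (Local Database)</username></created>
  <updated><time>1700003600</time><username>jdoe@203.0.113.7 (Local Database)</username></updated>
</rule>
</filter></pfsense>"""
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed administration network


def parse_stamp(rule, tag):
    """Return (user, ip, utc_time) from a created/updated block, or None if absent."""
    node = rule.find(tag)
    if node is None or not node.findtext("username"):
        return None
    who = node.findtext("username").split(" (")[0]  # drop the auth-source suffix
    user, _, addr = who.rpartition("@")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # no address recorded, e.g. a rule the firewall created itself
        user, ip = who, None
    when = datetime.fromtimestamp(int(node.findtext("time") or 0), tz=timezone.utc)
    return user, ip, when


def audit_rules(xml_text, mgmt_net=MGMT_NET):
    """Report each rule's latest change and flag changes made from outside mgmt_net."""
    findings = []
    for rule in ET.fromstring(xml_text).iterfind("./filter/rule"):
        stamp = parse_stamp(rule, "updated") or parse_stamp(rule, "created")
        if stamp is None:
            continue
        user, ip, when = stamp
        findings.append({
            "descr": rule.findtext("descr", default=""),
            "interface": rule.findtext("interface", default=""),
            "user": user,
            "ip": str(ip) if ip else None,
            "when": when.isoformat(),
            "outside_mgmt": ip is not None and ip not in mgmt_net,
        })
    return findings
```

Calling audit_rules(SAMPLE_CONFIG) returns one entry per rule; entries with outside_mgmt set to True are the changes worth checking against change records.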