Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Introduction to the Firewall Rules screen¶

This section provides an introduction and overview of the Firewall Rules screen located at Firewall > Rules. This page lists the WAN ruleset to start with, which by default has no entries other than those for Block private networks and Block bogon networks if those options are active on the WAN interface, as shown in Figure Default WAN Rules.

Tip

Click fa-cog the to the right of the Block private networks or Block bogon networks rules to reach the WAN interface configuration page where these options can be enabled or disabled. (See Block Private Networks and Block Bogon Networks for more details.)

Default WAN Rules¶

Click the LAN tab to view the LAN rules. By default, the only entries are the Default allow LAN to any rules for IPv4 and IPv6 as seen in Figure Default LAN Rules, and the Anti-Lockout Rule if it is active. The anti-lockout rule is designed to prevent administrators from accidentally locking themselves out of the GUI. Click fa-cog next to the anti-lockout rule to reach the page where this rule can be disabled.

Adding a firewall rule¶

To add a rule to the top of the list, click fa-level-up Add.

To add a rule to the bottom of the list, click fa-level-down Add.

To make a new rule that is similar to an existing rule, click fa-clone to the right of the existing rule. The edit screen will appear with the existing rule’s settings pre-filled, ready to be adjusted. When duplicating an existing rule, the new rule will be added directly below the original rule. For more information about how to configure the new rule, see Configuring firewall rules.

Editing Firewall Rules¶

To edit a firewall rule, click fa-pencil to the right of the rule, or double click anywhere on the line.

The edit page for that rule will load, and from there adjustments are possible. See Configuring firewall rules for more information on the options available when editing a rule.

Moving Firewall Rules¶

Rules may be reordered in two different ways: Drag-and-drop, and using select-and-click.

To move rules using the drag-and-drop method:

Move the mouse over the firewall rule to move, the cursor will change to indicate movement is possible.
Click and hold the mouse button down
Drag the mouse to the desired location for the rule
Release the mouse button
Click Save to store the new rule order

Warning

Attempting to navigate away from the page after moving a rule, but before saving the rule, will result in the browser presenting an error confirming whether or not to exit the page. If the browser navigates away from the page without saving, the rule will still be in its original location.

To move rules in the list in groups or by selecting them first, use the select-and-click method:

Check the box next to the left of the rules which need to be moved, or single click the rule. When the rule is selected, it will change color.
Click on the row below where the rule should be moved.

Tip

Hold Shift before clicking the mouse on to move the rule below the selected rule instead of above.

When moving rules using the select-and-click method, the new order is stored automatically.

Deleting Firewall Rules¶

To delete a single rule, click fa-trash to the right of the rule. The firewall will present a confirmation prompt before deleting the rule.

To delete multiple rules, check the box at the start of the rows that should be removed, then click the fa-trash Delete button at the bottom of the list. Rules may also be selected by single clicking anywhere on their line.

Disabling and Enabling Firewall Rules¶

To disable a rule, click fa-ban at the end of its row. The appearance of the rule will change to a lighter shade to indicate that it is disabled and the fa-ban icon changes to fa-check-square-o .

To enable a rule which was previously disabled, click fa-check-square-o at the end of its row. The appearance of the rule will return to normal and the enable/disable icon will return to the original fa-ban .

A rule may also be disabled or enabled by editing the rule and toggling the Disabled checkbox.

Rule Separators¶

Firewall Rule Separators are colored bars in the ruleset that contain a small bit of text, but do not take any action on traffic. They are useful for visually separating or adding notes to special parts of the ruleset. Figure Firewall Rule Separators Example shows how they can be utilize to group and document the ruleset.

Firewall Rule Separators Example¶

To create a new Rule Separator:

Open the firewall rule tab where the Rule Separator will reside
Click Separator
Enter description text for the Rule Separator
Choose the color for the Rule Separator by clicking the icon of the desired color
Click and drag the Rule Separator to its new location
Click Save inside the Rule Separator to store its contents
Click Save at the bottom of the rule list

To move a Rule Separator:

Open the firewall rule tab containing the Rule Separator
Click and drag the Rule Separator to its new location
Click Save at the bottom of the rule list

To delete a Rule Separator:

Open the firewall rule tab containing the Rule Separator
Click inside the Rule Separator on the right side
Click Save at the bottom of the rule list

Rule Separators cannot be edited. If a change in text or color is required, create a new Rule Separator and delete the existing entry.

Tracking Firewall Rule Changes¶

When a rule is created or updated the firewall records the user’s login name, IP address, and a timestamp on the rule to track who added and/or last changed the rule in question. If the firewall automatically created the rule, that is also noted. This is done for firewall rules as well as port forwards and outbound NAT rules. An example of a rule update tracking block is shown in Figure Firewall Rule Time Stamps, which is visible when editing a firewall rule at the very bottom of the rule editing screen.

Firewall Rule Time Stamps¶