Firewall Rule Basics documentation dangerously misleading
On this page:
"The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed."
Which is misleading without further explanation. It needs to be clarified that the default out-of-the-box configuration of pfSense includes rules that explicitly allow all traffic to pass, so to deny traffic, those rules must be disabled or deleted. This detail is critical in applications where data leaks could be catastrophic, like the use case described here:
I could fix this myself, but I don't have a wiki account and I'm not sure how to get one. There are other problems on that page that could benefit from some clarification, but none of them are urgent like this issue is.
Here's a permalink to the page described in this report:
#2 Updated by badon _ almost 7 years ago
The phrase you changed it to is this one:
"Where no user-configured firewall rules match, traffic is denied."
That is incorrect, because the default rules that pass all traffic are not user-configured. The phrase should be this:
"Where no firewall rules match, traffic is denied."
I suggest another phrase be added that says something like this:
"The default firewall rules will pass all traffic."
It appears I am unable to re-open this bug.
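The two statements argued over in this thread ("where no firewall rules match, traffic is denied" and "the default firewall rules will pass all traffic") can be checked mechanically against an exported configuration. The script below is an added illustration, not part of this report and not pfSense's own code: it audits a pfSense-style config.xml for enabled pass rules whose destination is "any", evaluates a sample flow with first-match semantics and an implicit default deny, and shows the same flow being denied once the default rule carries a `<disabled/>` marker. The element names (`filter/rule`, `type`, `interface`, `source`/`destination` with `any` or `network`, `descr`, `disabled`) follow my recollection of the config.xml layout and are assumptions to verify against a real export; the sample XML is constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample in the shape of a pfSense config.xml <filter> section.
# Element names are assumptions based on recollection of the format; check them
# against an actual export before relying on this audit.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.2</ipaddr><subnet>24</subnet></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>"""


@dataclass
class Rule:
    action: str           # "pass" or "block"
    interface: str        # interface the rule is attached to
    src_any: bool
    src_network: Optional[str]
    dst_any: bool
    dst_network: Optional[str]
    descr: str
    disabled: bool


def _endpoint(elem):
    """Return (is_any, network_name) for a <source> or <destination> element."""
    if elem is None or elem.find("any") is not None:
        return True, None
    net = elem.find("network")
    return False, (net.text if net is not None else None)


def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("./filter/rule"):
        src_any, src_net = _endpoint(r.find("source"))
        dst_any, dst_net = _endpoint(r.find("destination"))
        rules.append(Rule(
            action=r.findtext("type", "block"),
            interface=r.findtext("interface", ""),
            src_any=src_any, src_network=src_net,
            dst_any=dst_any, dst_network=dst_net,
            descr=r.findtext("descr", ""),
            disabled=r.find("disabled") is not None,
        ))
    return rules


def load_interfaces(xml_text):
    """Map interface name (lan, wan, ...) to its IPv4 subnet."""
    nets = {}
    for iface in ET.fromstring(xml_text).find("interfaces"):
        addr, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if addr and bits:
            nets[iface.tag] = ip_network(f"{addr}/{bits}", strict=False)
    return nets


def permissive_rules(rules):
    """Descriptions of enabled pass rules with destination 'any': the rules the
    report says must be disabled or deleted before default deny means anything."""
    return [r.descr for r in rules if r.action == "pass" and r.dst_any and not r.disabled]


def _matches(is_any, network, nets, addr):
    return is_any or (network in nets and addr in nets[network])


def evaluate(rules, nets, interface, src, dst):
    """First matching enabled rule on the interface wins; no match means block."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if r.disabled or r.interface != interface:
            continue
        if not _matches(r.src_any, r.src_network, nets, src):
            continue
        if not _matches(r.dst_any, r.dst_network, nets, dst):
            continue
        return r.action
    return "block"  # implicit default deny once no rule matches


def disable_rule(xml_text, descr):
    """Return a copy of the config with a <disabled/> marker on the named rule."""
    root = ET.fromstring(xml_text)
    for r in root.findall("./filter/rule"):
        if r.findtext("descr") == descr and r.find("disabled") is None:
            ET.SubElement(r, "disabled")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    rules, nets = load_rules(SAMPLE_CONFIG), load_interfaces(SAMPLE_CONFIG)
    print("permissive rules:", permissive_rules(rules))
    print("LAN host -> 8.8.8.8:", evaluate(rules, nets, "lan", "192.168.1.50", "8.8.8.8"))
    hardened = disable_rule(SAMPLE_CONFIG, "Default allow LAN to any rule")
    print("same flow after disabling:", evaluate(load_rules(hardened), nets, "lan", "192.168.1.50", "8.8.8.8"))
```

Run against the sample, the audit lists the default LAN rule, the LAN-to-Internet flow is passed by it, and the same flow is blocked by the implicit default deny once that rule is disabled; an unsolicited WAN flow is blocked throughout because no rule on `wan` exists.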
#3 Updated by badon _ almost 7 years ago
For your convenience, here's the diff: