Bug #3819

Firewall Rule Basics documentation dangerously misleading

Added by badon _ almost 7 years ago. Updated about 2 months ago.

Rules / NAT
Target version:
Start date:
Due date:
% Done:


Estimated time:
0.01 h
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


On this page:

It says:

"The default on all interfaces is to deny traffic, and only what is explicitly allowed via firewall rules will be passed.

Which is misleading without further explanation. It needs to be clarified that the default out-of-the-box configuration of pfSense includes rules that explicitly allow all traffic to pass, so to deny traffic, those rules must be disabled or deleted. This detail is critical in applications where data leaks could be catastrophic, like the use case described here:

I could fix this myself, but I don't have a wiki account and I'm not sure how to get one. There are other problems on that page that could benefit from some clarification, but none of them are urgent like this issue is.

Here's a permalink to the page described in this report:


#1 Updated by Chris Buechler almost 7 years ago

  • Status changed from New to Resolved

You were reading it wrong, it didn't claim no traffic would be passed, it stated traffic not matching any firewall rules is blocked. I edited to clarify.

#2 Updated by badon _ almost 7 years ago

The phrase you changed it to is this one:

"Where no user-configured firewall rules match, traffic is denied."

That is incorrect, because the default rules that pass all traffic are not user-configured. The phrase should be this:

"Where no firewall rules match, traffic is denied."

I suggest another phrase be added that says something like this:

"The default firewall rules will pass all traffic."

It appears I am unable to re-open this bug.

#4 Updated by badon _ over 5 years ago

This is still not resolved. It still has incorrect information.

#5 Updated by Chris Buechler over 5 years ago

Not really, but I added yet another clarification.

#6 Updated by MSNYCgogma MSNYCgogma 6 months ago

  • File 116.gif added

#7 Updated by Jim Pingle 6 months ago

  • File deleted (116.gif)

Also available in: Atom PDF