Auto generated Firewall Rules in pfSense

Hi - first love the YouTube channel, very educational.

I am fairly new to pfSense, in the process of setting up a FW that provides VPN service for the entire family, as well as a DMZ where I host a server running a number of services including mail and XMPP.

Got the firewall rules and NAT working - using random high ports for SMTP and IMAP clients for forwarding these to port 25 and 143.

But - I must have enabled something odd - when checking the WAN FW rules today, a number of rules had been added, basically opening ports 25 and 143, forwarding these to … 25 and 143. The rules were created by ‘NAT Port forward’.

Any clue on why these rules appeared in my firewall? I do not wish to have low ports that frequently get scanned and attacked open on my FW.

… one thought - I believe I switched from ‘Manual Outbound NAT’ to ‘Automatic outbound NAT’ - and back yesterday - would this generate rules on the WAN interface?

B.t.w. I have Suricata enabled with blocking on the WAN interface - and found lots of blocks today - possibly related to the opened low ports.


Rules don’t appear randomly in pfSense so somewhere along the way you put them there. The only rule that is automatic is the anti-lockout rule on LAN.

I think I might have found the answer.

I have an FTP server running in DMZ on port 21.

I have a NAT rule translating an inbound port of say 22321 to 21 on the Port Forward page.

I then initially must somehow have created a FW rule on WAN allowing traffic to port 21 of the FTP server - the rule I was asking about.

I then later created a rule allowing traffic to port 22321 on the FTP server - thinking the FW rule had to refer to the external port, not the internal - and removed the first rule, which broke FTP access.

I think the confusion comes from when I took my CCSP exam many years ago - I believe, at one point, that Cisco FW used the external port for inbound traffic - but later changed that to the internal port.

Rule restored, FTP working again.

All of that - becomes irrelevant when going through an Onion Service, which establishes connections from inside the FW - but unfortunately stuff like Mozilla Thunderbird 86 does not yet support TOR/Socks 5 proxy.

Tom, I can replicate what happened - and pfSense DOES create WAN rules:

I create a NAT rule:
External port 9999
Internal IP:
Internal port: 100
Saved and submitted.

Next - go to Firewall Rules -> WAN - and by magic I have a pass rule created by ‘5/25/20 22:11:30 by NAT Port Forward’ allowing traffic to port 100.

If I delete the NAT rule, this FW WAN rule stays in place.
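
An added example, not part of the thread and not pfSense's own code: one way to audit a configuration backup for WAN pass rules created by ‘NAT Port Forward’ and to flag those that no longer match any port forward, which is the situation described in the last post. The element names (`associated-rule-id`, `created/username` and so on) are assumptions about the `config.xml` layout, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread. Element names are an assumption
# about the pfSense config.xml layout; 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <interface>wan</interface>
      <destination><port>22321</port></destination>
      <target>192.0.2.10</target>
      <local-port>21</local-port>
      <associated-rule-id>nat_aaaa</associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface>
      <destination><address>192.0.2.10</address><port>21</port></destination>
      <associated-rule-id>nat_aaaa</associated-rule-id>
      <created><username>NAT Port Forward</username></created>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <destination><address>192.0.2.10</address><port>100</port></destination>
      <created><username>NAT Port Forward</username></created>
    </rule>
  </filter>
</pfsense>"""

def audit_wan_nat_rules(config_xml):
    """Return (linked, orphaned) destination ports of WAN pass rules
    whose creator is recorded as 'NAT Port Forward'."""
    root = ET.fromstring(config_xml)
    # IDs that tie a port forward to its filter rule.
    nat_ids = {r.findtext("associated-rule-id") for r in root.findall("./nat/rule")}
    nat_ids -= {None, ""}
    linked, orphaned = [], []
    for rule in root.findall("./filter/rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        if rule.findtext("created/username") != "NAT Port Forward":
            continue
        port = rule.findtext("destination/port")
        rid = rule.findtext("associated-rule-id")
        # The filter rule names the internal (post-NAT) port, e.g. 21, not 22321.
        (linked if rid in nat_ids else orphaned).append(port)
    return linked, orphaned

if __name__ == "__main__":
    print(audit_wan_nat_rules(SAMPLE_CONFIG))
```

Ports in the second list belong to rules that still pass WAN traffic although no port forward refers to them, so they are the ones to review and remove.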