I’m doing a review of all of my FW rules on my pfSense, deleting ones that are no longer valid and adding ones that I need. But I seem to be a bit confused about the rule order for block and pass rules. I am not confused about the rule methodology.
In Tom’s video Getting Started With pfSense Firewall Rules and Troubleshooting States with pfTop, he says that you put your block rules at the top. But in some of the examples in the Netgate documentation, they have a pass rule and then a block/reject rule below the pass rule. An example of this in Netgate’s documentation is Restricting access to the administrative interface from LAN. I also read some documentation (which I can’t find anymore) about block rule positions, saying that based on the position a block rule would cancel out the pass rule or vice versa, or something similar to that effect.
My question is, when do you put a block in front of the pass and/or a pass in front of the block? Here’s an example: I block port 53 to any for both source and destination, but I allow DNS from LAN net as source to LAN Address. The pass rule for DNS is above the block, and both are at the very end of my rule list. But if I put my block rule at the top, then this would effectively block all DNS.
Another example would be that I allow ICMP requests to specific networks. Yes, I’m aware of the issues with blocking ICMP requests, and that blocking them can be bad for your network. But I’m not blocking them, I’m just restricting where they can go on my networks. But by doing so I have effectively blocked ICMP requests out to the Internet. I’m trying to understand how I can have what I need but still be able to ping out to the Internet.
I also want to block access to certain networks but I want to allow access to specific hosts that are in the blocked networks. So do I block the networks first and then pass to the specified host(s)? Or do I allow access to the specific network(s) and host(s) and then block all other access to those network(s)?
This leads me back to, when do you put block rules at the top and would you ever put a block rule below a pass rule somewhere within the rule list?
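The questions above all come down to the same evaluation model: on a pfSense interface tab, rules are checked top to bottom and the first matching rule wins (the default "quick" behaviour), with an implicit deny for traffic that matches nothing. The following is an added illustration, not code from the post, from pfSense or from Netgate: a small Python model of that first-match evaluation, run over the poster's three scenarios. The addresses (192.168.1.0/24 as LAN net, 192.168.1.1 as LAN Address, 10.0.0.0/24 as a blocked network with 10.0.0.5 as the permitted host) and the rule descriptions are constructed for the example.

```python
"""
Added example (not from the original post or from pfSense): a minimal model of
first-match, top-down rule evaluation on a pfSense interface tab. Everything
below (networks, hosts, rule descriptions) is constructed for illustration.
Floating rules without "quick" behave differently (last match wins) and are
not modelled here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None # None means any destination port
    descr: str = ""


def _contains(cidr: str, addr: str) -> bool:
    """True if addr falls inside cidr; 'any' matches every address."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return _contains(rule.src, src) and _contains(rule.dst, dst)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Walk the ordered rule list; the first match decides, else default deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# --- Scenario 1: DNS (constructed LAN net 192.168.1.0/24, LAN Address 192.168.1.1)
PASS_LAN_DNS = Rule("pass", "udp", "192.168.1.0/24", "192.168.1.1/32", 53,
                    "allow DNS from LAN net to LAN Address")
BLOCK_ALL_DNS = Rule("block", "udp", "any", "any", 53, "block all other DNS")
ALLOW_LAN_OUT = Rule("pass", "any", "192.168.1.0/24", "any", None,
                     "default allow LAN to any")

# Block at the very top: the pass rule below it is never reached for port 53.
DNS_BLOCK_FIRST = [BLOCK_ALL_DNS, PASS_LAN_DNS, ALLOW_LAN_OUT]
# Narrow pass above the broad block: local DNS works, everything else on 53 is blocked.
DNS_PASS_FIRST = [PASS_LAN_DNS, BLOCK_ALL_DNS, ALLOW_LAN_OUT]

# --- Scenario 2: ICMP restricted to specific networks but still allowed to the Internet
PASS_ICMP_SITE = Rule("pass", "icmp", "192.168.1.0/24", "192.168.2.0/24", None,
                      "allow ping to the other site network")
BLOCK_ICMP_RFC1918 = Rule("block", "icmp", "192.168.1.0/24", "10.0.0.0/8", None,
                          "block ping to the rest of the private space")
ICMP_RULES = [PASS_ICMP_SITE, BLOCK_ICMP_RFC1918, ALLOW_LAN_OUT]

# --- Scenario 3: block a network but permit one host inside it
PASS_HOST = Rule("pass", "any", "192.168.1.0/24", "10.0.0.5/32", None,
                 "allow the one permitted host")
BLOCK_NET = Rule("block", "any", "192.168.1.0/24", "10.0.0.0/24", None,
                 "block the rest of that network")
HOST_EXCEPTION_RULES = [PASS_HOST, BLOCK_NET, ALLOW_LAN_OUT]


if __name__ == "__main__":
    client = "192.168.1.50"
    print("block-first, LAN DNS :", evaluate(DNS_BLOCK_FIRST, "udp", client, "192.168.1.1", 53))
    print("pass-first,  LAN DNS :", evaluate(DNS_PASS_FIRST, "udp", client, "192.168.1.1", 53))
    print("pass-first,  ext DNS :", evaluate(DNS_PASS_FIRST, "udp", client, "203.0.113.9", 53))
    print("ICMP to site         :", evaluate(ICMP_RULES, "icmp", client, "192.168.2.7"))
    print("ICMP to other private:", evaluate(ICMP_RULES, "icmp", client, "10.1.2.3"))
    print("ICMP to Internet     :", evaluate(ICMP_RULES, "icmp", client, "203.0.113.1"))
    print("permitted host       :", evaluate(HOST_EXCEPTION_RULES, "tcp", client, "10.0.0.5", 443))
    print("rest of that network :", evaluate(HOST_EXCEPTION_RULES, "tcp", client, "10.0.0.6", 443))
```

The pattern that falls out of running it is the one Netgate's examples use: the narrow rule (pass to the one host, pass to the one DNS server, pass ping to the one network) goes above the broader rule that would otherwise swallow it, and the broad block goes above the catch-all pass at the bottom. Putting a block at the very top is only right when it is meant to override everything, including your own narrower pass rules, which is exactly why a port 53 block at the top kills local DNS. Restricting ICMP to specific destinations while still pinging the Internet means the block must name the networks you want to fence off (the model uses the rest of private space as a stand-in), not "any", so that Internet destinations fall through to the catch-all pass.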