pfSense block and pass rules which order to put them in

I’m doing a review on all of my FW rules on my pfSense, deleting ones that are no longer valid and adding ones that I need. But I seem to be a bit confused on the rule order for block and pass rules. I am not confused on the rule methodology.

Based on Tom’s video Getting Started With pfSense Firewall Rules and Troubleshooting States with pfTop, he says that you put your block rules at the top. But in some of the examples in the Netgate documentation, they have a pass rule and then a block/reject rule below the pass rule. An example of this in Netgate’s documentation is Restricting access to the administrative interface from LAN. I also read some documentation (which I can’t find anymore) about block rule positions that, based on the position, would cancel out the pass rule or vice versa, or something similar to that effect.

My question is, when do you put a block in front of the pass and/or a pass in front of the block? Here’s an example: I block port 53 to any, both source and destination, but I allow DNS from LAN net source to LAN Address. The pass rule for DNS is above the block, and at the very end of my rule list. But if I put my block rule at the top, then this would effectively block all DNS.

Another example would be that I allow ICMP requests to specific networks. Yes, I’m aware about blocking ICMP requests, and that blocking them can be bad for your network. But I’m not blocking them, I’m just restricting where they can go on my networks. But by doing so I have effectively blocked ICMP requests out to the Internet. I’m trying to understand how I can have what I need but still be able to ping out to the Internet.

I also want to block access to certain networks but I want to allow access to specific hosts that are in the blocked networks. So do I block the networks first and then pass to the specified host(s)? Or do I allow access to the specific network(s) and host(s) and then block all other access to those network(s)?

This leads me back to, when do you put block rules at the top and would you ever put a block rule below a pass rule somewhere within the rule list?

You put rules in the order that makes sense based on what you need to do. For example, you might write:
Allow dst IP (server) dst port 53 prot UDP
Deny dst IP (server) dst port 22
Deny dst IP (server) prot UDP
Allow dst IP (server)

This is a contrived example, but the result would be to allow UDP/53 (DNS), and anything that is TCP except port 22 (SSH). If you had them in a different order, like this:
Deny dst IP (server) prot UDP
Allow dst IP (server) dst port 53 prot UDP
Allow dst IP (server)
Deny dst IP (server) dst port 22

Then all UDP would be blocked, including 53, and all TCP would be allowed, including 22.

The order only matters when the rules would have some sort of interaction - meaning that they could affect the same packet, depending on the order they are in. For example, most of the time for simplicity you start with an “Allow source network equals LAN to reach everything” rule, and then put any deny rules above that. But if you instead started with “Deny All”, you would then want to put the allow rules before the deny rule, so that things are actually allowed. In essence, this is the difference between Default-Allow, common for the LAN interface, and Default-Deny, common for the WAN interface. Overall, you should put the more specific rules above less specific rules.
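The following is an added example, not code from the thread or from pfSense itself. It is a small Python model of the top-down, first-match evaluation that pfSense interface rules use (GUI rules are "quick" by default, and traffic that matches nothing hits the implicit default deny at the bottom). It replays the two rule orders from the answer above and the asker's DNS and host-in-a-blocked-network scenarios. All addresses, the "server" IP, and the LAN ranges are constructed placeholders, and the Rule/decide names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (not from the thread).
LAN_NET = "192.168.1.0/24"
LAN_ADDR = "192.168.1.1"      # the firewall's LAN interface address (DNS resolver)
SERVER = "10.0.0.5"           # the "dst IP (server)" from the answer's example
BLOCKED_NET = "10.10.0.0/24"  # a network the asker wants to block...
ALLOWED_HOST = "10.10.0.20"   # ...except for this one host inside it
CLIENT = "192.168.1.50"       # a LAN client generating the test packets


@dataclass
class Rule:
    """One interface rule; None means 'any' for that field."""
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # "tcp", "udp", "icmp"
    src: Optional[str] = None    # CIDR or single address
    dst: Optional[str] = None
    dport: Optional[int] = None  # only meaningful for tcp/udp
    label: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def decide(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, str]:
    """Top-down, first-match evaluation with an implicit default deny.

    Returns (action, label) of the rule that decided the packet.
    """
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"


# The answer's first ordering: specific rules above the general allow.
ORDER_A = [
    Rule("pass", "udp", dst=SERVER, dport=53, label="allow DNS"),
    Rule("block", "tcp", dst=SERVER, dport=22, label="deny SSH"),
    Rule("block", "udp", dst=SERVER, label="deny other UDP"),
    Rule("pass", dst=SERVER, label="allow everything else to server"),
]

# The answer's second ordering: the broad rules shadow the specific ones.
ORDER_B = [
    Rule("block", "udp", dst=SERVER, label="deny UDP"),
    Rule("pass", "udp", dst=SERVER, dport=53, label="allow DNS (never reached)"),
    Rule("pass", dst=SERVER, label="allow everything"),
    Rule("block", "tcp", dst=SERVER, dport=22, label="deny SSH (never reached)"),
]

# The asker's DNS case on a default-allow LAN: pass to the firewall's
# resolver first, then block DNS anywhere else, then the general LAN allow.
DNS_RULES = [
    Rule("pass", "udp", src=LAN_NET, dst=LAN_ADDR, dport=53, label="LAN DNS to firewall"),
    Rule("block", "udp", dport=53, label="block all other DNS"),
    Rule("pass", src=LAN_NET, label="LAN default allow"),
]

# Same rules with the block moved to the top: it now shadows the DNS pass.
DNS_RULES_BLOCK_FIRST = [DNS_RULES[1], DNS_RULES[0], DNS_RULES[2]]

# Host-in-a-blocked-network case: the /32 pass must sit above the /24 block.
HOST_RULES = [
    Rule("pass", src=LAN_NET, dst=ALLOWED_HOST, label="allow the one host"),
    Rule("block", src=LAN_NET, dst=BLOCKED_NET, label="block the rest of the network"),
    Rule("pass", src=LAN_NET, label="LAN default allow"),
]


if __name__ == "__main__":
    cases = [
        ("ORDER_A", ORDER_A, [("udp", 53), ("tcp", 22), ("udp", 123), ("tcp", 443)]),
        ("ORDER_B", ORDER_B, [("udp", 53), ("tcp", 22)]),
    ]
    for name, rules, probes in cases:
        for proto, port in probes:
            print(name, proto, port, "->", decide(rules, proto, CLIENT, SERVER, port))
    print("DNS to firewall  ->", decide(DNS_RULES, "udp", CLIENT, LAN_ADDR, 53))
    print("DNS to 8.8.8.8   ->", decide(DNS_RULES, "udp", CLIENT, "8.8.8.8", 53))
    print("block-first DNS  ->", decide(DNS_RULES_BLOCK_FIRST, "udp", CLIENT, LAN_ADDR, 53))
    print("allowed host     ->", decide(HOST_RULES, "tcp", CLIENT, ALLOWED_HOST, 443))
    print("blocked net host ->", decide(HOST_RULES, "tcp", CLIENT, "10.10.0.7", 443))
```

The model is deliberately minimal (no states, no interface direction, no floating or non-quick rules), but it is enough to show why "most specific first" is the rule of thumb: whichever rule matches first decides the packet, so a broad block or broad pass placed above a narrower rule makes the narrower one unreachable for the traffic it was meant to handle.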