🧭 1. What Are Firewall Rules?
Firewall rules in OPNsense define the core behavior of network traffic.
They determine which packets are allowed, blocked, or rejected when traversing the firewall.
Rules are evaluated at the packet filter layer, inspecting parameters such as source, destination, protocol, and port before applying the defined action.
⚙️ 2. Actions
| Action | Description |
|---|---|
| Pass | Allow the packet through. |
| Block | Drop silently without notifying the sender. |
| Reject | Block and notify the sender (TCP RST for TCP, an ICMP unreachable message otherwise). |
💡 Tip:
Use Block on WAN so that unsolicited probes get no response at all; use Reject on LAN so that internal clients fail immediately instead of timing out, which simplifies troubleshooting.
🧩 3. Rule Evaluation Order
According to the official documentation, rule processing follows this order:
1️⃣ Floating Rules – Applied first; can affect multiple interfaces.
2️⃣ Interface Groups – Rules for grouped interfaces.
3️⃣ Interface Rules – Specific to individual interfaces (LAN, WAN, DMZ).
⚡ By default, each rule is Quick, meaning that evaluation stops at the first matching rule. If Quick is disabled on a rule, a later matching rule can still override it (the last match wins), so non-quick rules should be used deliberately.
🔧 4. Rule Parameters
| Parameter | Description |
|---|---|
| Direction | The packet flow direction relative to the interface; usually “In.” |
| Interface | The network interface the rule applies to. |
| Protocol | TCP, UDP, ICMP, or any. |
| Source / Destination | IP addresses or aliases. |
| Port(s) | TCP/UDP port(s) for service control. |
| Schedule | Optional time schedule for rule activation. |
| Category / Description | Metadata for organization and management. |
🧰 5. Common Use Cases
✅ Allow LAN to Internet
- Interface: LAN
- Source: LAN subnet
- Destination: any
- Action: Pass
→ Grants outbound Internet access for internal users.
🔒 Block External Access to Internal Server
- Interface: WAN
- Source: any
- Destination: 192.168.1.10:22
- Action: Block
→ Protects internal SSH from public exposure.
🕐 Scheduled Access
- Schedule: Mon–Fri 09:00–18:00
- Action: Pass
→ Allows access only during work hours.
⚡ 6. Advanced Tips & Best Practices
| Topic | Recommendation |
|---|---|
| Rule Order | Rules are evaluated top-down; first match wins. |
| NAT Order | NAT is applied before firewall filtering, so an inbound WAN rule sees the translated internal destination; ensure a matching pass rule exists. |
| Floating Rules | Use for multi-interface policies or QoS tagging. |
| Default Policy | “Block by default, allow explicitly.” |
| Admin Safety | Avoid locking yourself out when modifying management rules. |
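As an added illustration of sections 3, 5 and 6 (not code from OPNsense or its documentation), the Python model below evaluates a packet against a rule set in the documented order, honours Quick, applies an optional schedule, and falls through to the default block. The interface names, the hypothetical GUEST interface and all addresses are assumptions chosen to mirror the use cases above.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed model of the evaluation order described above: floating, then
# group, then interface rules; a quick match ends evaluation, non-quick rules
# let a later match override, and no match falls through to the default block.
SCOPES = ("floating", "group", "interface")

@dataclass
class Rule:
    scope: str                    # one of SCOPES
    interface: str                # "LAN", "WAN", ... or "any"
    action: str                   # "pass", "block" or "reject"
    proto: str = "any"
    src: str = "any"              # CIDR or "any"
    dst: str = "any"
    dport: "int | None" = None
    quick: bool = True
    hours: "tuple | None" = None  # optional schedule: (start_hour, end_hour)
    weekdays_only: bool = False   # optional schedule: Mon-Fri only

    def matches(self, pkt, now):
        if self.interface not in ("any", pkt["iface"]) or self.proto not in ("any", pkt["proto"]):
            return False
        for net, addr in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if net != "any" and ip_address(addr) not in ip_network(net):
                return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        if self.hours and not self.hours[0] <= now.hour < self.hours[1]:
            return False
        return not (self.weekdays_only and now.weekday() > 4)

def evaluate(rules, pkt, now=None):
    """Return the action the packet receives; now may be an ISO time string."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    decision = "block"                        # implicit default policy
    for scope in SCOPES:
        for rule in (r for r in rules if r.scope == scope):
            if rule.matches(pkt, now):
                decision = rule.action
                if rule.quick:                # first quick match wins
                    return decision
    return decision                           # otherwise last match wins
# Constructed rule set mirroring the use cases above (addresses are examples).
RULES = [
    Rule("interface", "WAN", "block", proto="tcp", dst="192.168.1.10/32", dport=22),
    Rule("interface", "LAN", "pass", src="192.168.1.0/24"),
    Rule("interface", "GUEST", "pass", src="10.10.0.0/24", dst="192.168.1.20/32", hours=(9, 18), weekdays_only=True),
]
```

Passing `quick=False` on a floating block rule and a later interface pass rule shows the override behaviour; the same two rules with the default Quick setting block the packet because the floating rule is evaluated first.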
✅ 7. Summary
| Aspect | Description |
|---|---|
| Core Function | Packet filtering and flow control |
| Evaluation Order | Floating → Group → Interface |
| Default Strategy | Deny by default, allow specific traffic |
| Real-World Use | Internet access, inbound blocking, time-based rules |
Firewall rules are the foundation of security in OPNsense.
Proper planning and ordering ensure a secure and stable network environment.