pfSense Firewall - Rules, Aliases, and Traffic Filtering
The pfSense firewall is built on pf (packet filter) from OpenBSD and performs stateful packet filtering. Rules are applied per network interface and evaluated sequentially from top to bottom. A packet is handled by the first matching rule - no further rule evaluation takes place for that packet (first match wins). Traffic that does not match any rule is silently dropped by the implicit deny rule at the end of each ruleset.
This architecture demands careful rule ordering: more specific rules must be placed above general ones. Incorrect rule ordering is one of the most common causes of service accessibility issues.
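The ordering problem described above can be checked mechanically. The following is an added example, not pfSense code or part of the original documentation: a simplified first-match evaluator plus a check for rules that can never fire because an earlier rule covers them. It assumes a single interface, IPv4 only, and matching on source, destination, and destination port; the rule labels and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    port: Optional[int]    # destination port, None means any
    label: str

def matches(rule, src, dst, port):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, port))

def evaluate(ruleset, src, dst, port):
    """Top to bottom, first match wins; no match means implicit deny."""
    for rule in ruleset:
        if matches(rule, src, dst, port):
            return rule.action, rule.label
    return "block", "implicit deny"

def covers(a, b):
    """True if every packet that matches b also matches a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.port is None or a.port == b.port))

def shadowed(ruleset):
    """Return (shadowed_label, shadowing_label) for rules that can never fire."""
    out = []
    for i, later in enumerate(ruleset):
        for earlier in ruleset[:i]:
            if covers(earlier, later):
                out.append((later.label, earlier.label))
                break
    return out

# Constructed rulesets: the same two rules in the wrong and the right order.
MISORDERED = [
    Rule("pass", "192.168.10.0/24", "0.0.0.0/0", None, "LAN to any"),
    Rule("block", "192.168.10.0/24", "10.0.50.0/24", 22, "block SSH to servers"),
]
ORDERED = [MISORDERED[1], MISORDERED[0]]
```

In the misordered set the general pass rule matches SSH traffic first, so the block rule is reported as shadowed and never takes effect; swapping the two rules restores the intended policy.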
In This Section
- Firewall Rules - creating and managing filtering rules, processing order, actions, floating rules, and state tracking
- Aliases - grouping IP addresses, networks, ports, and URLs for simplified rule management
- Schedules - time-based rule activation for temporary access restrictions
- Best Practices - security policy design, ruleset organization, and monitoring recommendations