Firewall Policy (pf)¶
This reference describes policy behavior using the pf model used by current t1n1wall releases.
Core principles¶
- Stateful filtering
- Explicit allow rules
- Default deny on untrusted paths
- Rule order matters
Rule design pattern¶
- Define source and destination clearly
- Limit service/port scope
- Add logging for critical controls
- Place specific rules before broad rules
IP Pools and pf tables¶
- IP Pools are represented as pf tables.
- You can use IP Pool objects as source/destination networks in firewall rules.
- DNS forwarder can populate selected pools dynamically from configured FQDN mappings.
- Validate table contents during troubleshooting before assuming rule logic is wrong.
Operational checks¶
- Confirm traffic creates expected states
- Confirm logs show pass/block decisions matching intent
- Remove stale or shadowed rules
Common misconfigurations¶
- Broad allow rule above restrictive rule
- Rule created on wrong interface
- NAT forward exists without matching allow policy
- Overly permissive management exposure
High-assurance guidance¶
- Use named aliases for maintainability
- Document each non-obvious rule intent
- Review and prune rules on a fixed schedule