Skip to content

Firewall Policy (pf)

This reference describes policy behavior using the pf model used by current t1n1wall releases.

Core principles

  • Stateful filtering
  • Explicit allow rules
  • Default deny on untrusted paths
  • Rule order matters

Rule design pattern

  1. Define source and destination clearly
  2. Limit service/port scope
  3. Add logging for critical controls
  4. Place specific rules before broad rules

IP Pools and pf tables

  • IP Pools are represented as pf tables.
  • You can use IP Pool objects as source/destination networks in firewall rules.
  • DNS forwarder can populate selected pools dynamically from configured FQDN mappings.
  • Validate table contents during troubleshooting before assuming rule logic is wrong.

Operational checks

  • Confirm traffic creates expected states
  • Confirm logs show pass/block decisions matching intent
  • Remove stale or shadowed rules

Common misconfigurations

  • Broad allow rule above restrictive rule
  • Rule created on wrong interface
  • NAT forward exists without matching allow policy
  • Overly permissive management exposure

High-assurance guidance

  • Use named aliases for maintainability
  • Document each non-obvious rule intent
  • Review and prune rules on a fixed schedule