Learn how to configure pfSense floating rules, aliases, and firewall policies to block unwanted ports and secure your network with simple practical steps.

Configure pfSense Floating Rules for Complete Network Control

Managing your network traffic becomes a lot easier once you understand how pfSense floating rules work. pfSense is a powerful open-source firewall that gives complete control over inbound and outbound connections. This guide goes straight to the point: we'll walk through creating floating rules, aliases, and firewall policies that help tighten your network security.


Understanding pfSense Floating Rules

Floating Rules in pfSense are advanced firewall rules that can act across multiple interfaces, LAN, WAN, or others, and apply in either direction. They’re particularly useful when you want to handle traffic filtering for several interfaces at once.

Let’s look at how to configure a floating rule to block a specific port (in this example, TCP port 1337) that was flagged as a security risk.

Because TCP port 1337 was flagged as a threat, we'll close it to prevent its use as a backdoor. Instead of configuring a separate rule for each interface, we use a single floating rule that rejects connections to port 1337 on both the LAN and WAN interfaces.

By default, this port is open. You can verify it by running:

$ telnet pfsense_IP 1337

Now navigate to: Firewall > Rules > Floating > Add

Then configure the fields as follows:

  • Action: Reject
  • Interface: Use Ctrl key to select both LAN and WAN
  • Destination port: 1337
  • Log: Log packets that are handled by this rule
  • Description: (Add your note)
  • Save > Apply Changes

Now try connecting to port 1337 again:

$ telnet pfsense_IP 1337

You’ll see that the connection is refused.

To view the logs, go to:
Status > System Logs > Firewall
Apply a filter using Destination Port 1337 to verify the packets are being blocked by your floating rule.

Creating Firewall Aliases

Aliases simplify firewall management by grouping multiple ports, IPs, or networks under one label. Let’s create aliases to allow only a few essential ports.

We’ll allow only ports 80, 443, 22, and 53 for TCP connections and block all others.

Navigate to: Firewall > Aliases > Ports > Add
Fill in:

  • Name
  • Description
  • Type: Ports
  • Ports: 80, 443, 22, 53
  • Save

For UDP connections, create a second alias with ports 53 and 123:

  • Type: Ports
  • Ports: 53,123
  • Save > Apply Changes

To apply these on the LAN interface:
Navigate to: Firewall > Rules > LAN > Add

For TCP:

  • Action: Pass
  • Protocol: TCP
  • Destination port range: “Alias name you defined”
  • Save

For UDP:

  • Action: Pass
  • Protocol: UDP
  • Destination port range: “Alias name you defined”
  • Save > Apply Changes

Disable the default rule [Default allow LAN to any rule] so it doesn’t override your custom setup.
Check the corresponding box and choose Action > Disable.

Now test the allowed ports:

$ ssh user@LAN_IP

Try connecting to any blocked port such as 389:

$ telnet LAN_IP 389
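
The telnet checks above can be repeated across the whole policy in one pass. The following Python script is an added example, not part of the original guide: it classifies each TCP port as open, refused (what a Reject rule returns, although a passed port with no listening service looks the same), or filtered (silently dropped), and flags any result that contradicts the policy. The allowed port set comes from the TCP alias above; the function names and the 2-second timeout are assumptions.

```python
import socket

# Policy from the walkthrough: TCP ports passed by the LAN alias rule.
ALLOWED_TCP = {22, 53, 80, 443}


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # handshake completed
    except ConnectionRefusedError:
        return "refused"       # RST: Reject rule, or passed but nothing listening
    except (socket.timeout, OSError):
        return "filtered"      # no answer or unreachable: silently dropped
    finally:
        s.close()


def audit(host, ports, allowed=ALLOWED_TCP, timeout=2.0):
    """Return {port: (state, ok)}; ok is False when the state contradicts the policy."""
    report = {}
    for port in sorted(ports):
        state = probe(host, port, timeout)
        if port in allowed:
            ok = state != "filtered"   # a passed port must get some answer
        else:
            ok = state != "open"       # a blocked port must never connect
        report[port] = (state, ok)
    return report


if __name__ == "__main__":
    import sys
    # Pass LAN_IP (or pfsense_IP) as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, ok) in audit(host, ALLOWED_TCP | {389, 1337}).items():
        print(f"{port:>5}/tcp {state:<9} {'OK' if ok else 'POLICY MISMATCH'}")
```

A "refused" result on port 1337 matches the Reject floating rule, while "filtered" on port 389 matches a silent block.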

Adding Firewall Rules

Firewall rules control how traffic passes through pfSense. Because the only pass rules on LAN are now the ones that use our aliases, and the default allow rule is disabled, all other traffic is blocked by default, even ping requests.

Try:

$ ping LAN_IP

You’ll notice it fails. To allow ICMP (ping) traffic, go to:
Firewall > Rules > LAN > Add
Then configure:

  • Protocol: ICMP
  • ICMP Subtypes: (Use Ctrl key to select) Echo Request, Time Exceeded, Destination Unreachable
  • Save > Apply Changes

Now test ping again:

$ ping LAN_IP

This time it should respond successfully.


Conclusion

By using pfSense floating rules, aliases, and firewall rules together, you get precise control over which ports and protocols your network accepts or blocks. These rules not only protect against open-port vulnerabilities but also give you a structured, easy-to-manage firewall setup. If you want full visibility and command over your network’s security, mastering pfSense floating rules is the key, and this setup gives you exactly that.