| Term | Definition |
|---|---|
| Default-Deny | Blocks all traffic by default and only allows traffic that is explicitly permitted by rules. |
| Default-Allow | Allows all traffic by default and only blocks traffic that is explicitly denied by rules. |
| First-match rule processing (top-down) | The firewall evaluates rules from top to bottom and applies the first rule that matches the traffic. |
| Universal deny must be last | A final rule that blocks all remaining traffic, placed at the bottom to catch anything not matched by an earlier rule. |
| Base Protocol | The primary communication protocol used (e.g. TCP, UDP, ICMP). |
| Source Address | The IP address of the device sending the traffic. |
| Source Port | The port number on the sending device associated with the session. |
| Destination Address | The IP address of the device receiving the traffic. |
| Destination Port | The port number on the receiving device that identifies the service (e.g. 80 for HTTP). |
| Action | The decision taken by the firewall on matching traffic (allow, deny, reject, log). |
| More rules = larger attack surface | Increasing the number of rules increases complexity and the potential for misconfigurations or security gaps. |
| Internet | Lowest trust. External public network with the highest level of risk and the least control. |
| DMZ | Medium trust / public-facing services. Isolated network segment that hosts public services while protecting the internal network. |
| Intranet | Highest trust. Internal private network containing trusted systems and sensitive resources. |
| Zone of Trust vs Zone of Risk | Concept of categorizing network areas based on security level and exposure to threats. |
| RFC 1918 private addresses | Private IP address ranges reserved for internal use (10.0.0.0/8, 172.16.0.0–172.31.255.255, 192.168.0.0/16). |
| Drop private source addresses at the internet edge | Block incoming traffic on the WAN interface that claims to originate from private IP ranges, to prevent spoofing. |
| NAT | Network Address Translation, which modifies IP address information in packet headers to map private addresses to public ones. |
| Port Forwarding | A NAT technique that directs incoming traffic on a specific public port to a designated internal device and port. |
| Ingress filtering | Filtering incoming traffic to prevent malicious or unauthorized packets from entering the network. |
| Egress filtering | Filtering outgoing traffic to prevent unauthorized or malicious traffic from leaving the network. |
| Upstream filtering | Traffic filtering performed by an ISP or external provider before traffic reaches your network. |
| pfSense default LAN outbound allowed | By default, devices on the LAN are allowed to initiate outbound connections. |
| pfSense default WAN inbound blocked | By default, unsolicited inbound traffic from the internet is blocked. |
| ISO image | An exact sector-by-sector copy of a storage medium, used to install operating systems or software. |
| Round-Robin Load Balancing | Distributes traffic sequentially across multiple servers in rotation. |
| Work-Based Load Balancing | Distributes traffic to the server with the least current workload or resource usage. |
| Ping | A utility that uses ICMP to test reachability and measure round-trip time between devices. |
| Tracert | A utility that traces the path packets take to a destination by identifying the intermediate routers. |
| Log Review | The process of examining system and firewall logs to identify errors |
| Latency | The time delay between sending and receiving data across a network. |
| ACL | Access Control List that defines rules to permit or deny traffic based on criteria such as IP |
| Session | A two-way communication exchange between devices that maintains state information. |
| ICMP | Internet Control Message Protocol, used for error reporting and diagnostic functions. |
| Fault Tolerance | The ability of a system to continue operating properly in the event of a failure. |
| Buffer Overflow | A vulnerability where excess data overwrites memory |
| Unified Threat Management (UTM) | A security solution that integrates multiple protection features such as firewall |
| Bastion Host | A hardened, publicly accessible server designed to withstand attacks and provide controlled access to internal resources. |
| Encryption termination at firewall | The process where encrypted traffic (e.g. SSL/TLS) is decrypted at the firewall for inspection and then re-encrypted before forwarding. |