Troubleshooting

If your firewall rules are not doing what you expect them to do, you will need to troubleshoot them, and the odds are that this will happen at some point. The obvious first step is to diagnose the problem: for example, nodes on a particular network may not be able to access the internet. Narrowing the scope of the problem is important. If the problem is limited to a certain interface, a certain application, service, or protocol, that will help in pinpointing the source of the problem.

It is good practice to start by checking the Floating Rules tab. Floating rules are evaluated before the per-interface rules, and a floating rule with the Quick option set wins as soon as it matches, so a floating rule can take precedence over the rules for an individual interface. If the problem turns out to be a floating rule, we save the time that would have been spent checking (and probably double-checking) the interface's ruleset.

If the affected clients go through a proxy server, check the proxy's settings before you check the affected interface's ruleset. A proxy's allow and deny lists are applied in addition to the firewall rules, so the proxy can block traffic that the firewall rules permit.

Finally, if you still haven't found the source of the problem, you will want to check the firewall rules for the affected interfaces. Remember that interface rules are evaluated from the top down and the first matching rule wins, so make sure that an earlier rule isn't catching the traffic before the rule you expect to apply. Also check the protocols each rule allows or blocks. One example of a rule in which the protocol is crucial is a rule for a video server. If a rule is designed to allow video-streaming clients to connect to your video server, and the firewall rule for the server only allows TCP traffic to pass through an interface, a video-streaming client that uses UDP will not work.

If you want to find out whether a Pass rule is effective, then, as mentioned earlier, you may want to look at the rules table and check the States column. This is the leftmost column, and it tells us the number of current states created by the rule and the total amount of data that has passed through the firewall as a result of packets matching it.

If you hover the mouse pointer over this column, you will see even more information, such as the total number of evaluations, packets, bytes, states, and state creations. If a Pass rule has been enabled for some time and no data is passing in connection with it, there are two likely possibilities:

  • The rule is misconfigured.
  • Traffic matches another rule before it gets to this rule. This may be as you intended; if not, you need to rethink your ordering of the rules.
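The counters shown on hover are pf's own per-rule statistics, and they can also be read from the pfSense shell (SSH, or Diagnostics | Command Prompt) with `pfctl -vvsr`. The script below is an added example, not part of the original text or of pfSense itself: it feeds a constructed, hypothetical `pfctl -vvsr` listing through an awk filter that reports every pass rule which has never matched a packet, and distinguishes a rule pf examined without a match (suspect the rule's own criteria, for example the protocol) from a rule pf never examined at all (an earlier rule is catching the traffic first). The interface names, addresses and labels are made up; pfSense itself writes the GUI description into the rule as `label "USER_RULE: ..."`, which is what the filter extracts.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vvsr` output (hypothetical rules, not from a real firewall).
make_sample() {
  cat <<'EOF'
@0 scrub on em0 all fragment reassemble
  [ Evaluations: 5120      Packets: 5120      Bytes: 2048000     States: 0     ]
  [ Inserted: uid 0 pid 42 State Creations: 0     ]
@1 block drop in log quick on em1 inet from 203.0.113.0/24 to any label "USER_RULE: block bad net"
  [ Evaluations: 4400      Packets: 350       Bytes: 21000       States: 0     ]
  [ Inserted: uid 0 pid 42 State Creations: 0     ]
@2 pass in quick on em1 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "USER_RULE: allow https to web"
  [ Evaluations: 4050      Packets: 3900      Bytes: 1800000     States: 12    ]
  [ Inserted: uid 0 pid 42 State Creations: 900   ]
@3 pass in quick on em1 inet proto tcp from any to 192.0.2.20 port = 1935 flags S/SA keep state label "USER_RULE: video server"
  [ Evaluations: 150       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 42 State Creations: 0     ]
@4 pass in quick on em1 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "USER_RULE: duplicate of rule 2"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 42 State Creations: 0     ]
EOF
}

# Print one line per pass rule that has never matched a packet:
#   <rule number> <verdict> <label>
# NEVER_REACHED      : Evaluations is 0, pf never examined the rule for any packet,
#                      so an earlier rule (or an earlier quick rule) is taking the traffic.
# EXAMINED_NO_MATCH  : pf examined the rule but nothing matched its criteria
#                      (wrong protocol, port, address) or no such traffic arrived.
# Reads files given as arguments, or stdin:  pfctl -vvsr | find_idle_pass_rules
find_idle_pass_rules() {
  awk '
    /^@[0-9]+ pass / {
      num = substr($1, 2)                       # "@3" -> "3"
      label = ""
      if (match($0, /label "[^"]*"/))           # pfSense puts the GUI description here
        label = substr($0, RSTART + 7, RLENGTH - 8)
      pending = 1; next
    }
    /^@[0-9]+ / { pending = 0; next }           # scrub/block/nat rules: not of interest
    pending && /Evaluations:/ {
      ev = 0; pk = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "Evaluations:") ev = $(i + 1) + 0
        if ($i == "Packets:")     pk = $(i + 1) + 0
      }
      if (pk == 0) {
        verdict = (ev == 0) ? "NEVER_REACHED" : "EXAMINED_NO_MATCH"
        printf "%s %s %s\n", num, verdict, label
      }
      pending = 0
    }
  ' "$@"
}

# Stand-alone demonstration on the constructed sample.
make_sample | find_idle_pass_rules
```

On the sample, rule 3 (the video server) is reported as examined but never matched, which fits the protocol mistake described above, while rule 4 is never reached because rule 2 already handles the same traffic with quick. On a live firewall, run `pfctl -vvsr | find_idle_pass_rules` after the rules have had time to see traffic; the counters are reset when the ruleset is reloaded.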

pfSense makes disabling and enabling rules incredibly easy, so take advantage of this when troubleshooting. A good methodology is to disable one or more rules, observe what happens on the network, and then re-enable the rules one at a time, noting any change after each one. This should isolate the rule (or rules) causing the problem.

If this trial-and-error approach does not work, you might consider enabling logging for any rules you suspect may be the cause of the problem. Leaving logging enabled on a busy rule is not recommended as a permanent setting, because the volume of entries quickly crowds out the log messages you actually need, but examining the log for a suspect rule during a troubleshooting session often helps. Once you enable logging, navigate to Status | System Logs and click on the Firewall tab. There are a number of filtering options available (click on the filter icon at the top of the page, and they will appear), and they can be used to help find relevant entries. For example, you can filter the logs by source and destination IP address, by source port, by destination port, by protocol, or by protocol flags.
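The same entries are written to the firewall log on disk in the comma-separated filterlog format, where field 4 is the tracker ID that the Firewall tab uses to link an entry back to the rule that produced it, field 7 is the action, field 17 the protocol, fields 19 and 20 the source and destination addresses, and field 22 the destination port for TCP and UDP. The script below is an added example and not part of the original text or of pfSense: it runs constructed, hypothetical log lines (the hostnames, addresses, ports and tracker IDs are made up) through a filter that does what the GUI filter does for one destination host and port, then summarises which rule passed or blocked each source. It assumes the IPv4 field layout and deliberately skips IPv6 entries, whose header fields are laid out differently.

```shell
#!/bin/sh
# Constructed sample of /var/log/filter.log lines (hypothetical traffic, not a real capture).
# Story: TCP to the video server on port 1935 is passed by the user rule, but the
# clients' UDP traffic to the same port falls through to the default block rule.
make_log_sample() {
  cat <<'EOF'
Mar  3 10:15:01 fw filterlog[54321]: 4,,,1770009522,em1,match,pass,in,4,0x0,,64,4711,0,DF,6,tcp,60,198.51.100.23,192.0.2.20,51234,1935,0,S,1122334455,,65535,,mss
Mar  3 10:15:01 fw filterlog[54321]: 7,,,1000000103,em1,match,block,in,4,0x0,,64,4712,0,none,17,udp,1328,198.51.100.23,192.0.2.20,51235,1935,1308
Mar  3 10:15:02 fw filterlog[54321]: 4,,,1770009521,em1,match,pass,in,4,0x0,,64,9001,0,DF,6,tcp,60,198.51.100.23,192.0.2.10,51236,443,0,S,99887766,,65535,,mss
Mar  3 10:15:03 fw filterlog[54321]: 7,,,1000000103,em1,match,block,in,4,0x0,,64,4713,0,none,17,udp,1328,198.51.100.24,192.0.2.20,51237,1935,1308
Mar  3 10:15:04 fw filterlog[54321]: 9,,,1770009530,em1,match,block,in,6,0x00,0x00000,255,ipv6-icmp,58,64,fe80::1,ff02::1
EOF
}

# Summarise IPv4 filterlog entries for one destination host and port.
# Usage: filterlog_summary <dst-ip> <dst-port> < logfile
# Output, one line per distinct (tracker, action, proto, source):
#   <tracker> <action> <proto> <src> <count>
filterlog_summary() {
  awk -v want_dst="$1" -v want_port="$2" '
    /filterlog/ {
      sub(/^.*filterlog(\[[0-9]+\])?: /, "")    # drop the syslog prefix
      n = split($0, f, ",")
      if (f[9] != "4") { skipped++; next }       # IPv6 entries use a different field layout
      proto = f[17]; src = f[19]; dst = f[20]; dport = f[22]
      if (proto != "tcp" && proto != "udp") next # only TCP and UDP carry port fields
      if (dst != want_dst || dport != want_port) next
      key = f[4] " " f[7] " " proto " " src      # tracker, action, proto, source
      count[key]++
    }
    END {
      for (k in count) printf "%s %d\n", k, count[k]
      if (skipped) printf "(skipped %d non-IPv4 entries)\n", skipped > "/dev/stderr"
    }
  ' | sort
}

# Stand-alone demonstration: who reached the video server on port 1935, and under which rule?
make_log_sample | filterlog_summary 192.0.2.20 1935
```

For the video server, the output shows the TCP connection passed under tracker 1770009522 while both clients' UDP packets were blocked under tracker 1000000103, the default deny rule, which is exactly the TCP-only pass rule problem described earlier; the tracker ID tells you which rule to fix. On a live system, the log is read with `clog /var/log/filter.log` on older releases and `cat /var/log/filter.log` on current ones, piped into the function.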

If the logs don't offer enough information to troubleshoot the problem, you can use tcpdump, a command-line packet analyzer included with pfSense that prints the contents of network packets; Diagnostics | Packet Capture in the web GUI is a front end to it. We will not cover tcpdump in depth here, but we will revisit it in Chapter 11, Troubleshooting, and if you want to augment your networking credentials, you might consider familiarizing yourself with this powerful utility.

There may be a situation in which you make a change to the firewall rules, and some traffic that seems to violate the new rules is still getting through. If this happens, it is likely that the state-table entries for those connections predate the rule change: rules are only consulted when a state is created, so an established connection keeps its original verdict. If you want those connections to be dropped, you must clear their states. To reset the whole state table, navigate to Diagnostics | States, click on the Reset States tab, and click on the Reset button. Be aware that this drops every active connection, including your own browser's connection to the web GUI, so the page may need to be reloaded. If only one host's connections need to go, filter the list on the States tab and kill just those states instead.

This is different from going to Status | Filter Reload and clicking on the Reload Filter button, which simply forces a reload of the firewall rules and leaves existing states untouched.