The fundamental purpose of a firewall is to establish a barrier between trusted internal networks and untrusted external networks. We may sometimes also refer to personal firewalls, which are firewalls placed on individual nodes, primarily to filter outgoing traffic. All networking firewalls have the ability to perform packet filtering, which is the ability to inspect packets and determine if they conform to the packet filter's filtering rules. If they do not match the rules, the packets will be dropped.

In pfSense, rules are evaluated on a top-down basis. Thus, if you read the ruleset (the list of rules) from the top to bottom, the first rule that matches the packet will be applied, and the remainder of the ruleset will not be applied for that packet. As a result, the order in which rules are placed within a list is significant, and the most permissive rules should be placed at the bottom of the list.

pfSense is a stateful firewall, which means that it records all packets passing through it, and determines whether the packet is part of a new connection, part of an existing connection, or neither of these. If the packet is part of an existing connection, the reply traffic is automatically allowed through the firewall. This is the case even if the packet uses a different protocol than the original connection, such as ICMP control packets. This is known as stateful packet inspection.

While stateful packet inspection has been an integral part of almost all firewalls since the early 1990s, it comes with a downside. Each connection represents a state, and each state requires an entry in the firewall's state table. In pfSense, each state requires about 1 KB of memory. The state table has a maximum size, which can be set under System | Advanced and clicking on the Firewall & NAT tab (Firewall Maximum States, which sets the maximum number of connections, and Firewall Maximum Table Entries, which sets the maximum number of entries, which includes entries for everything that creates entries, including proxy servers, are the relevant settings here). If the number of connections exceeds Firewall Maximum States, then unpredictable behavior will occur, such as connections being dropped. This creates a potential attack vector, as some Denial of Service (DoS) attacks are based on bombarding the firewall with so many fake connection packets that the state table becomes overwhelmed, and starts dropping connections and preventing new connections from being made.

The two basic types of packet filtering are ingress filtering, which blocks traffic coming into your network from the Internet, and egress filtering, which filters traffic initiated within your network whose destination is either the Internet or another interface/subnet on your local network. It is easy to see why you would want to have ingress filtering, as we tend to want to protect our networks from nefarious forces outside of our networks. In fact, the default setting for pfSense is to block all incoming traffic, and there are no allow rules on the WAN interface by default (although as mentioned earlier, replies to connections already allowed by pfSense are allowed through the firewall). It is not as easy to see why egress filtering is necessary, as we tend to assume that all other things being equal, our local networks can be trusted.

There are, however, valid reasons for employing egress filtering. In spite of your best efforts, it is possible that malware may find its way onto your local network, and if you do not have some form of egress filtering, this malware will be able to phone home. The objectives of the malware may differ: the goal may be to send data back to a location controlled by the malware writer. The goal may be to use your computer as a bot which the malware writer controls for some purpose (for example, to send spam). It is also possible that compromising your network's security is the ultimate goal of the malware. Many of these programs use commonly allowed ports (for example, port 80, the default HTTP port) to circumvent egress filtering, but many do not. If you block port 6667, which is the default IRC port, you can cripple many bots that rely on IRC to function. Whatever the purpose is of the malware, lack of egress filtering will allow malware that is already running on your local network to achieve its purpose. Moreover, any reply traffic to the malware will also be allowed through the firewall. Thus, lack of egress filtering can result in harm being done to our networks.

Lack of egress filtering can also harm networks beyond our control. If malware or another party gains access to your local network, then your network can be used as a springboard to launch attacks on other networks. This includes attacks that involve IP spoofing, such as Distributed Denial of Service (DDoS) attacks, or spam or phishing campaigns. This can become especially problematic if you have several connections to the Internet. If you are running a DNS server on your network, someone might use it to host the zone data for a malicious domain. In short, you could unwittingly be an accomplice to criminal activities, which is definitely something we want to avoid doing.

Although in most cases egress filtering will only minimize damage done once a network is compromised, in some cases it can prevent a network from being compromised at all. Some malware requires outbound access in order to succeed at all, and by using egress filtering judiciously, you can stop it in its tracks. The Code Red worm is a good example of this, and any malware that requires downloading a file from an external site controlled by the malware writer can be stopped in such a manner.

Another reason for employing egress filtering is to prevent use of unauthorized software on our own network. Many peer-to-peer programs use atypical ports, which can easily be blocked via egress filtering. Some of these programs have become more sophisticated and will hop from port to port until they find one they can use, but by blocking all ports except those which are essential, we can minimize the use of these programs. In addition, egress filtering can, in many cases, prevent users from using VPN software, which otherwise could be used to bypass firewall rules and access unauthorized sites.

Finally, egress filtering can be used to prevent traffic from passing through your firewall that should never have outbound access. SMTP traffic on ports 161 and 162 come to mind; not only should SMTP traffic never pass through to the Internet, but allowing it to do so could compromise the security of your network by revealing information about what exists behind your firewall. You may also consider blocking DHCP traffic on ports 67 and 68 and SQL queries on port 118.