pfSense DMZ Trap Door Rule
One of the rules I need for my firewall is to allow established connections from my LAN to my DMZ, but block any newly created connection from my DMZ to my LAN. This is to prevent any potential compromise of my DMZ from spilling over into my LAN.
- Luckily pfSense can handle this with a simple rule. Start by going to and then select the DMZ tab.
- Next create a new rule by clicking on [+] and use the following settings.
- Action: Block
- Interface: DMZ
- Protocol: TCP/UDP
- Source: DMZ net
- Destination: LAN net
- Destination Port Range: Any
- TCP Flags Set: SYN[X]
- TCP Flags Out Of: SYN[X] ACK[X]