Firewall Cheat Sheet

// iptables · pfsense · windows firewall · common patterns

List all rules with line numbers and packet counts:

iptables -L -n -v --line-numbers

Flush all rules (dangerous — do this on console, not SSH):

iptables -F          # flush filter table
iptables -t nat -F   # flush NAT table
iptables -X          # delete user-defined chains

Set default policies to DROP (deny all, allow specific):

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Allow established and related connections (essential — add before DROP):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow loopback interface:

iptables -A INPUT -i lo -j ACCEPT

Allow SSH from specific subnet only:

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

Allow HTTP and HTTPS:

iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

Allow ICMP ping:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Masquerade outbound traffic (for internet sharing / VPN gateway):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable forwarding; not persistent across reboot (set net.ipv4.ip_forward=1 in sysctl.conf)

DNAT — forward port 80 on public IP to internal server:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# With the FORWARD policy set to DROP above, the redirected traffic also needs a matching ACCEPT rule in the FORWARD chain

Log dropped packets (place before DROP rule):

iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4

Rate-limit SSH to prevent brute force (5 new connections per minute):

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
# Both rules must sit above the SSH ACCEPT rule; appended after it, they are never reached

Save rules (Debian/Ubuntu):

iptables-save > /etc/iptables/rules.v4
# or: netfilter-persistent save

⚠ pfSense rules are best managed via GUI. CLI commands below are for diagnostics and scripting via SSH console.

Show current pf rules:

pfctl -sr   # show rules
pfctl -sn   # show NAT rules
pfctl -ss   # show state table

Show interface statistics:

pfctl -si    # show info / counters
netstat -rn  # routing table

Reload rules without reboot:

pfctl -f /tmp/rules.debug   # load rules file
# Or via GUI: Diagnostics > Reload Filter

Kill all states (use with caution — drops all connections):

pfctl -Fs

Standard LAN-to-WAN rule — allow all outbound from LAN:

# Interface: LAN | Action: Pass | Protocol: any
# Source: LAN net | Destination: any
# This is the default "allow LAN out" rule

Block specific host from accessing internet:

# Interface: LAN | Action: Block | Protocol: any
# Source: 192.168.1.50/32 | Destination: any
# ⚠ Place ABOVE the allow LAN rule — rules are evaluated top-down

Allow inbound port forward (WAN → internal host):

# Firewall > NAT > Port Forward
# Interface: WAN | Protocol: TCP
# Dest port: 443 | Redirect IP: 192.168.1.10 | Redirect port: 443
# Check "Add associated filter rule"

Allow inbound TCP on port 8080:

netsh advfirewall firewall add rule name="Allow 8080" protocol=TCP dir=in localport=8080 action=allow

Block outbound to a specific IP:

netsh advfirewall firewall add rule name="Block IP" dir=out remoteip=203.0.113.5 action=block

Allow RDP only from specific subnet:

netsh advfirewall firewall add rule name="RDP-LAN" protocol=TCP dir=in localport=3389 remoteip=192.168.1.0/24 action=allow

Delete a rule by name:

netsh advfirewall firewall delete rule name="Allow 8080"

Allow inbound on port 443 via PowerShell:

New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

List all enabled inbound rules:

Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Action

Disable all rules matching a name pattern:

Get-NetFirewallRule -DisplayName "*Remote*" | Disable-NetFirewallRule

Default Deny (Whitelist model) — The correct approach for servers. Block everything, allow only what's needed:

# Order matters — top to bottom
1. Allow loopback
2. Allow ESTABLISHED,RELATED
3. Allow specific service ports from specific sources
4. DROP everything else (default policy)
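The four steps above, as an added example that is not part of the original sheet: a shell function that renders the default-deny INPUT baseline as an iptables-restore file, so the whole table is loaded in one atomic call rather than flushed and rebuilt rule by rule over SSH. The "port/proto:source" service spec and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the cheat sheet). Builds a default-deny filter table
# in iptables-restore format. Spec format "port[,port]/proto:source" is ours.
#   gen_ruleset "22/tcp:192.168.1.0/24" "80,443/tcp:0.0.0.0/0"

gen_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: deny inbound and forwarded, allow outbound (step 4)
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Step 1: loopback; step 2: replies to connections we opened
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Step 3: one ACCEPT per service, limited to its allowed source
    for spec in "$@"; do
        ports=${spec%%/*}      # "22" or "80,443"
        rest=${spec#*/}        # "tcp:192.168.1.0/24"
        proto=${rest%%:*}      # "tcp"
        src=${rest#*:}         # "192.168.1.0/24"
        case $ports in
            *,*) rule="-A INPUT -p $proto -s $src -m multiport --dports $ports -j ACCEPT" ;;
            *)   rule="-A INPUT -p $proto -s $src --dport $ports -j ACCEPT" ;;
        esac
        printf '%s\n' "$rule"
    done
    # Log whatever falls through; the INPUT DROP policy then discards it
    printf '%s\n' '-A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# Apply the generated table atomically (root required; run from console, not
# SSH, the first time). iptables-restore replaces the table in one step.
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore
}

# Print the ruleset when run directly with service specs as arguments
if [ "$#" -gt 0 ]; then
    gen_ruleset "$@"
fi
```

Pipe the output to `iptables-save`-style storage (e.g. `/etc/iptables/rules.v4`) to persist it, or to `iptables-restore --test` to check syntax before applying.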

Port Knock Pattern — Hide SSH until a sequence is knocked:

# Requires knockd — /etc/knockd.conf
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

VLAN Isolation — Prevent VLAN-to-VLAN routing except for specific services:

# pfSense: Add to each VLAN interface, above "allow VLAN out"
Block | Protocol: any | Source: VLAN2 net | Dest: VLAN1 net   # block IoT → LAN
Block | Protocol: any | Source: VLAN2 net | Dest: VLAN3 net   # block IoT → DMZ
Pass  | Protocol: any | Source: VLAN2 net | Dest: WAN net     # allow IoT → internet

Common Well-Known Ports Reference:

21      FTP
22      SSH
23      Telnet
25      SMTP
53      DNS
67/68   DHCP
80      HTTP
110     POP3
123     NTP
143     IMAP
161     SNMP
389     LDAP
443     HTTPS
465     SMTPS
500     IKE/IPSec
514     Syslog
636     LDAPS
993     IMAPS
1194    OpenVPN
1433    MSSQL
1723    PPTP
3306    MySQL
3389    RDP
4500    IPSec NAT-T
5060    SIP
5900    VNC
51820   WireGuard