Summary

In this chapter, we covered a subject that goes to the core of pfSense's functionality: firewall rules. The default behavior of pfSense is to block all traffic, so rules are required before any traffic can reach other networks. The number of rules you add will depend on the complexity and requirements of your network, and as you add rules, the ruleset becomes increasingly difficult to maintain and troubleshoot. One principle that cannot be stressed too much is that the order of rules matters: rules are evaluated top-down, and a rule placed higher in the list takes precedence over the rules below it. Floating rules are evaluated last unless the Quick option is set, in which case they are evaluated first.
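To make the ordering principle concrete, the following is an added example, not code from the book or from pfSense: a small Python simulator of pfSense-style rule evaluation (top-down, first match wins, default deny) that also expands aliases and honors a simple time-of-day schedule. The alias names, addresses, rule names and times are constructed for illustration.

```python
"""Added example (not from the book): simulate pfSense-style rule evaluation
to show that rule order, alias expansion and schedules decide the outcome."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple, List, Dict
import ipaddress

# Constructed aliases: one name stands for several hosts/networks.
ALIASES: Dict[str, List[str]] = {
    "BLOCKED_SITES": ["203.0.113.0/24", "198.51.100.7"],
    "LAN_NET": ["192.168.1.0/24"],
}


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    src: str = "any"                 # alias name, CIDR/host, or "any"
    dst: str = "any"
    dport: Optional[int] = None      # None = any destination port
    # Schedule as (start_hour, end_hour) in 24h; None = always active
    schedule: Optional[Tuple[int, int]] = None


def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against 'any', an alias, or a literal network."""
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])          # expand alias, else literal
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_applies(rule: Rule, pkt: dict, now: datetime) -> bool:
    """A rule applies only inside its schedule and when all fields match."""
    if rule.schedule is not None:
        start, end = rule.schedule
        if not (start <= now.hour < end):
            return False
    return (_match_addr(rule.src, pkt["src"])
            and _match_addr(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules: List[Rule], pkt: dict, now: datetime) -> Tuple[str, str]:
    """Top-down evaluation: the first matching rule wins.
    With no match, pfSense's default behavior is to block."""
    for rule in rules:
        if rule_applies(rule, pkt, now):
            return rule.action, rule.name
    return "block", "default deny"


# Two rulesets with the same two rules in opposite order.
BLOCK_FIRST = [
    Rule("block bad sites", "block", src="LAN_NET", dst="BLOCKED_SITES"),
    Rule("allow LAN out", "pass", src="LAN_NET"),
]
ALLOW_FIRST = list(reversed(BLOCK_FIRST))

# A pass rule limited to business hours (09:00-17:00).
BUSINESS_HOURS = [
    Rule("web during work", "pass", src="LAN_NET", dport=80, schedule=(9, 17)),
]


def demo() -> dict:
    """Run the constructed packets through each ruleset and collect results."""
    to_blocked = {"src": "192.168.1.20", "dst": "203.0.113.5", "dport": 443}
    web = {"src": "192.168.1.20", "dst": "192.0.2.10", "dport": 80}
    return {
        "block_first": evaluate(BLOCK_FIRST, to_blocked, datetime(2024, 1, 1, 10)),
        "allow_first": evaluate(ALLOW_FIRST, to_blocked, datetime(2024, 1, 1, 10)),
        "web_at_10": evaluate(BUSINESS_HOURS, web, datetime(2024, 1, 1, 10)),
        "web_at_20": evaluate(BUSINESS_HOURS, web, datetime(2024, 1, 1, 20)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The same two rules give opposite answers depending on which sits on top: with the block rule first, traffic from the LAN to an address in the `BLOCKED_SITES` alias is blocked; with the broad allow rule first, it passes and the block rule is never reached. The scheduled rule shows that a rule outside its active window simply does not match, so the packet falls through to the default deny.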

Finally, we considered scheduling and aliases. Scheduling enables us to apply rules more selectively (only at certain times), while aliases let us represent multiple IP addresses as a single entity, something that would be extremely difficult to do otherwise. This is extremely helpful if we choose to blacklist or whitelist a site or group of sites.

In the next chapter, we will consider a network technology whose most common use has been to overcome the issue of IPv4 address exhaustion, but which provides utility in such a way that it should survive the transition to IPv6: Network Address Translation (NAT).
