Change default firewall action to "deny"

Referencing this forum post here:

I would like to make the case to have the default action for the Peplink firewall changed from “accept” to “deny”. At a minimum this change should be considered as far as inbound connections are concerned but ideally all of rules lists.


Firstly I would argue it is poor security hygiene these days to blindly accept traffic in this fashion. In the enterprise world most network administrators will be used to the concept of a firewall being “deny by default” or the concept of the “implicit deny at the bottom of the ACL” which requires them to explicitly configure rules to permit traffic to pass.

A firewall with a default action of “permit any any” is about as much use as a high security lock on your front door with the keys left in it and the door wide open.

It seems there are some users out there who do not notice the default action for their firewall is to accept any connection from any source to any destination, this is generally not a problem as whilst NAT is not a firewall it does for the most part prevent unexpected external access to devices behind their Peplink.

However, in the case of the referenced post the user believed they were securing their network by configuring firewall rules to explicitly permit traffic inbound, however due to incorrectly configuring those rules they were in fact no more secure than they would have been without them as traffic was being allowed in by the default action set to “accept”.

This can also create a false sense of security, as in the above case someone thought they were securing their network when in reality they were absolutely exposing services to the internet that they did not intend to do so in an uncontrolled fashion.

This would be a breaking change potentially for firewalls in the field, either where users have incorrectly configured their rules as in the above example or where people have simply configured no rules because it “just works without them” due to the default action.

Some logic would potentially need to be built into any software upgrades that would not modify configurations of already deployed and configure din the field, but this could become the new default setting going forward.

Further consideration could be made to help guide users to correctly configuring a firewall rule, for example a simple step by step wizard after they have configured a port forwarding rule could help less experienced users leverage the better security of having an appropriately configured firewall.

I would like to make this case even stronger for when Peplink starts to support IPv6 natively in their products. By the very nature of IPv6 most users will end up with devices directly connected to the public internet, this is not exactly desired in the vast majority of cases. The default action here should in my eyes absolutely be to drop unsolicited incoming traffic at the firewall.

To build on @WillJones recommendation:

I’d suggest treating the proposed default “deny all” rule in a manner similar to how the default password (upon initial configuration) is handled, with a one-time-only required step of acknowledging or modifying the default “deny all” rule.

When logging in the first time one is required to set the admin password. Add to that a step where one is alerted to the fact that “deny all” is the default, and then given the option to go to the firewall ruleset to modify this.

Having a default “deny all” rule without alerting the admin upon first boot-up could yield unhappiness among users who are unfamiliar with how firewalls work (we’ve seen examples), hence the benefit of a bit of a heads-up the first time the device boots up.



“Being deemed paranoid does not mean that you are not actually being attacked.”
– Anon.

I like the idea of having a big red warning sign on first login to draw attention to whichever way the rule is defaulted.

I agree also that blocking outbound by default would likely cause some problems with some users, particularly perhaps with the more consumer / prosumer Pepwave line of products where the end user may not be as experienced or knowledgable.

1 Like

I agree that the default should be deny and then anything that is needed is opened on a case-by-case basis. I am actually confused why the default is to allow all?