OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Spiky_Gladiator on January 08, 2023, 11:50:40 PM

Title: Automatically Generated Firewall Rules
Post by: Spiky_Gladiator on January 08, 2023, 11:50:40 PM
I have noticed that OPNSense automatically generates some firewall rules for various interfaces like WAN, LAN and so on. The general rule for firewalls is to always go deny first, then allow at the bottom. However, I have noticed that the automatically generated firewall rules usually go by allow first, then deny at the bottom. I have tried to edit them to change the order in which they appear, but you can't adjust them. Are there any reasons why the automatically generated rules go in the reverse order?
Title: Re: Automatically Generated Firewall Rules
Post by: Demusman on January 09, 2023, 12:05:41 AM
What firewall has an allow at the bottom? None I ever used.
There is always an explicit deny as the last rule.
Title: Re: Automatically Generated Firewall Rules
Post by: Koldnitz on January 09, 2023, 12:08:42 AM
Everything is denied unless explicitly allowed above the deny all rule (at bottom).

The rules are evaluated top to bottom.

In my rather painful experience those automatic rules should not be messed with ... if you do (and you are new at this) I guarantee you will be making a post asking how to get in when you are locked out of your box (assuming you are using the gui).

TLDR: If you put a deny all rule above any of the other rules ... it will be denied / never evaluated.

Cheers,
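To make the ordering point from the replies above concrete, here is an added example (not from the thread or from OPNsense itself) that models first-match, top-to-bottom evaluation with an implicit final deny, and flags rules that a broader rule placed above them makes unreachable. The rule set, addresses and ports are constructed for the demonstration; only IPv4 is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    port: Optional[int]    # None means any destination port

def _net(spec: str) -> ipaddress.IPv4Network:
    # "any" is treated as the whole IPv4 space (constructed simplification)
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def _matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and (rule.port is None or rule.port == port))

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index).
    If nothing matches, the packet hits the implicit deny (index None)."""
    for i, rule in enumerate(rules):
        if _matches(rule, src_ip, dst_ip, port):
            return rule.action, i
    return "block", None

def _covers(earlier: Rule, later: Rule) -> bool:
    # earlier fully covers later when its src/dst are supersets and its port is a superset
    return (_net(earlier.src).supernet_of(_net(later.src))
            and _net(earlier.dst).supernet_of(_net(later.dst))
            and (earlier.port is None or earlier.port == later.port))

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never be evaluated because an earlier rule
    matches everything they would match (e.g. a 'block any' placed on top)."""
    return [j for j, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:j])]

# Constructed LAN-style rule set: allow HTTPS and DNS out, explicit block last.
GOOD_ORDER = [
    Rule("pass", "192.168.1.0/24", "any", 443),
    Rule("pass", "192.168.1.0/24", "any", 53),
    Rule("block", "any", "any", None),
]
# Same rules with the block moved to the top, as the original question proposes.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]

if __name__ == "__main__":
    print(evaluate(GOOD_ORDER, "192.168.1.10", "10.0.0.5", 443))  # ('pass', 0)
    print(evaluate(BAD_ORDER, "192.168.1.10", "10.0.0.5", 443))   # ('block', 0)
    print(shadowed(BAD_ORDER))                                    # [1, 2]
```

Running `shadowed()` over a candidate rule set before applying it is a cheap way to catch the lockout the reply warns about: any index it returns is a rule that will never fire.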