OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Lucid1010 on May 06, 2026, 09:10:28 PM

Title: Should I block outbound traffic as well?
Post by: Lucid1010 on May 06, 2026, 09:10:28 PM
I have currently opened only port 443 and the WireGuard port for my web service.

I'm also blocking inbound traffic from the WAN using several DB aliases, such as AbuseIPDB and Firehol.

Would it be a good idea to block outbound WAN traffic as well?

I'm also curious whether applying the floating rule might be a better approach.
Title: Re: Should I block outbound traffic as well?
Post by: Vilhonator on May 18, 2026, 03:29:39 PM
No. You create the same rule on the LAN network (source is the LAN network and destination is the aliases you created, the rest is the same).

https://docs.opnsense.org/manual/how-tos/drop.html
Title: Re: Should I block outbound traffic as well?
Post by: crc on May 18, 2026, 06:47:08 PM
Generally speaking (not specific to OPNsense; @Vilhonator pointed to the OPNsense-specific configuration manual entry), when you're running public-facing services, you also want to take into consideration what's leaving your server (as a best practice, and as part of a defense-in-depth strategy). Sometimes, and for specific scenarios, a drop-all on both the ingress and egress sides (while allowing only the necessary inbound and outbound connections) is the best strategy, although it takes time and patience to configure correctly (and even so it might not protect you against data exfiltration via protocols that are not blocked, such as DNS). If you have an exposed web service, perhaps a WAF of some sort (ModSecurity, Coraza, or the more expensive commercial ones) would help in addition to a firewall.
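To make the two suggestions above concrete (Vilhonator's mirrored LAN rule against the feed aliases, and crc's default-deny in both directions with a short allow list), here is a small rule evaluator that applies pf-style first-match semantics to a handful of constructed flows. This is an added illustration, not code from the thread, from OPNsense, or from the drop.html how-to; the alias contents are RFC 5737 documentation prefixes standing in for AbuseIPDB/FireHOL data, the LAN subnet and the WireGuard port 51820/udp are assumptions, and the rule model is deliberately simplified (no states, no floating rules, no NAT).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias tables. The prefixes are RFC 5737 documentation ranges standing
# in for AbuseIPDB / FireHOL feed contents; they are not real feed data. The LAN
# subnet is an assumption.
ALIASES = {
    "badips": ["203.0.113.0/24", "198.51.100.7/32"],
    "lan_net": ["192.168.1.0/24"],
}


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrives on: "wan" or "lan"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "block" or "pass"
    iface: str               # "wan" or "lan"
    src: str                 # alias name or "any"
    dst: str                 # alias name or "any"
    proto: str = "any"
    dport: Optional[int] = None


def in_alias(ip: str, alias: str) -> bool:
    """True if ip falls inside any prefix of the named alias ("any" always matches)."""
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.iface == flow.iface
            and in_alias(flow.src, rule.src)
            and in_alias(flow.dst, rule.dst)
            and rule.proto in ("any", flow.proto)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow: Flow, default: str = "block") -> str:
    """First matching rule decides (quick semantics); nothing matching -> default."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Interface rules here all match traffic entering the firewall on that interface:
# on WAN that is traffic arriving from the internet, on LAN it is traffic arriving
# from LAN hosts, i.e. what will leave via WAN. Order matters: blocks come first.
RULES = [
    # WAN: the drop.html pattern, block feed hits before the service ports open.
    Rule("block", "wan", src="badips", dst="any"),
    Rule("pass", "wan", src="any", dst="any", proto="tcp", dport=443),
    Rule("pass", "wan", src="any", dst="any", proto="udp", dport=51820),  # assumed WireGuard port
    # LAN: the same rule mirrored, source is the LAN net, destination is the feed alias.
    Rule("block", "lan", src="lan_net", dst="badips"),
    # Egress allow list. DNS stays open, which is the exfiltration gap crc mentions.
    Rule("pass", "lan", src="lan_net", dst="any", proto="tcp", dport=443),
    Rule("pass", "lan", src="lan_net", dst="any", proto="udp", dport=53),
]

# Constructed sample flows: (description, flow). Everything else hits the default block.
SAMPLE_FLOWS = [
    ("inbound 443 from a listed IP", Flow("wan", "203.0.113.5", "192.168.1.10", "tcp", 443)),
    ("inbound 443 from a clean IP", Flow("wan", "192.0.2.44", "192.168.1.10", "tcp", 443)),
    ("inbound 22 from a clean IP", Flow("wan", "192.0.2.44", "192.168.1.10", "tcp", 22)),
    ("server connecting out to a listed IP", Flow("lan", "192.168.1.10", "198.51.100.7", "tcp", 443)),
    ("server connecting out on 443", Flow("lan", "192.168.1.10", "192.0.2.44", "tcp", 443)),
    ("server doing DNS to an arbitrary host", Flow("lan", "192.168.1.10", "192.0.2.44", "udp", 53)),
    ("server sending SMTP outbound", Flow("lan", "192.168.1.10", "192.0.2.44", "tcp", 25)),
]


def verdicts(rules=RULES):
    """Map each sample description to the verdict the ruleset produces."""
    return {desc: evaluate(rules, flow) for desc, flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for desc, verdict in verdicts().items():
        print(f"{verdict:5s}  {desc}")
```

The DNS flow passing is the point crc raises: a default-deny egress policy with an allow list only constrains the protocols you did not open, so whatever stays open (DNS, or the 443 used for the web service itself) remains a channel.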
Title: Re: Should I block outbound traffic as well?
Post by: NoahMitchell on May 19, 2026, 01:56:30 PM
Quote from: Vilhonator on May 18, 2026, 03:29:39 PM
No. You create the same rule on the LAN network (source is the LAN network and destination is the aliases you created, the rest is the same).

https://docs.opnsense.org/manual/how-tos/drop.html

Thanks for the link, you saved my day. I was about to ask the same question.