I was wondering what, if anything, was blocking DoT in my installation. I went through the pfSense installation a long while ago and my rules line up with the Installation How To, but I see nothing to stop DoT being blocked in the firewall, unless I've misunderstood something.
Then I came across the Understanding pfSense unified firewall rules post. Here it emphasises deleting or disabling the default pfSense rules 12 and 13. There was no mention of that in the Installation How To, and it is the first I've seen of it. … and still no DoT block, unless DTTS is supposed to sort it.
I note in this post there are 2 extra DoT rules created by the poster (although the first is entirely covered by the second, I think).
So what are the correct rules we should have and how is DoT blocked?
The two default techniques that would be responsible for blocking DoT are DTTS and the Dashboard’s built-in Enforce DNS firewalling rule.
DTTS inherently would be blocking DoT to any direct-IP connections. And the well known public DNS servers that use a hostname, are included in the built-in dashboard rule.
When you run adamone-setup configure and select the default option to automatically create firewall rules, there is an output at the end that says the following:
Rules have been created. Please go review them and Apply Changes. You will want to disable the default allow to any rules.
We do not automatically disable your default rules, we leave it up to you as the admin to ensure that your firewall rules are correct and indicate that you should disable the default rules.
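A defender-side sanity check for the point made in this reply (an added example, not Adam:ONE's or pfSense's own tooling): it parses `pfctl -sr` style lines with a simple heuristic scanner and reports default allow-to-any rules that are still enabled, a missing DoT (tcp/853) block, and a DoT block that an earlier `quick` allow-to-any rule shadows. The rule text is a constructed sample.

```python
import re

# Constructed sample in the style of `pfctl -sr` output (not taken from the
# thread): the two default "allow to any" rules sit above a DoT block, which
# makes the block unreachable because the earlier rules are `quick`.
SAMPLE_RULES = """\
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 inet6 from fe80::/10 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
block drop in quick on em1 inet proto tcp from any to any port = 853 label "USER_RULE: Block DoT"
"""

DOT_PORT = 853  # DNS over TLS


def parse_rule(line):
    """Extract action, quick flag, destination, port and label from one line."""
    m = re.search(r'\slabel\s+"([^"]*)"', line)
    label = m.group(1) if m else None
    # Drop the label before tokenising; labels such as "... LAN to any ..."
    # contain keywords that would otherwise confuse the scan below.
    tokens = re.sub(r'\slabel\s+"[^"]*"', "", line).split()
    rule = {"action": tokens[0], "quick": "quick" in tokens,
            "dst": None, "port": None, "label": label}
    for i, tok in enumerate(tokens):
        if tok == "to":
            rule["dst"] = tokens[i + 1]
        elif tok == "port" and tokens[i + 1] == "=":
            rule["port"] = int(tokens[i + 2])
    return rule


def audit(ruleset_text):
    """Return a list of findings; an empty list means no problem was seen."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    findings = []
    # First match wins for `quick` rules, so only the first DoT block matters.
    dot_block = next((i for i, r in enumerate(rules)
                      if r["action"] == "block" and r["port"] == DOT_PORT), None)
    if dot_block is None:
        findings.append("no block rule for tcp/853 (DoT)")
    for i, r in enumerate(rules):
        if r["action"] == "pass" and r["dst"] == "any" and r["port"] is None:
            name = r["label"] or "<unlabelled>"
            findings.append(f"allow-to-any rule still enabled: {name}")
            if r["quick"] and dot_block is not None and i < dot_block:
                findings.append(f"DoT block shadowed by earlier quick rule: {name}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("FINDING:", f)
```

Run it against the real output of `pfctl -sr` on the firewall to see whether the default rules are still in front of the DoT block.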
Surely that should be explicitly covered with an image in the pfSense HowTo? After all, that should be the go-to document for checking your setup is OK.
[edit]
Remember you only see the message to disable the rules at the command line the first time you install. You will never see it again so have nothing to remind you or check against. IMHO it should be in the pfSense HowTo.
[/edit]