Do you still need Windows Firewall if you have PFSense?

All my windows traffic goes through PFSense (also PFSense can only reach the internet if it’s through a VPN and also SSL). I also plan on installing Snort.

Now, can I (should I) somehow copy the windows Hosts file to PFSense and just kill Windows Firewall? (hosts file being the file the Firewall uses to block access to certain IPs/domains) - I was wrong, as Dexter_Kane pointed out, the hosts file is a DNS thing not a Firewall thing.

Windows Firewall sometimes takes up quite a bit of CPU ( I suspect because I have a lot of anti-microsoft anti spying rules in the hosts file), (also I don’t like microsoft).

[EDIT] Pointing out that PFSense is running on a VM inside my machine, and the only device connected to this PFSense is my Host PC.

You should probably keep it on. pfSense protects your network from the outside world, it probably isn’t protecting your devices inside your network from each other?

This doesn’t have much to do with firewalls. Is this another question?

That’s irrelevant to the question. If you don’t like Microsoft, don’t use their products. that’s not a good enough reason to turn off Windows firewall.

Why do you think its using a lot of cpu time?

As long as you trust everything on your LAN, then pfsense could do all your firewalling.

IMO, it’s not a bad idea to have both on. For host firewalls (Windows or otherwise), I’d try to keep the config simple. Do the complex stuff on the router.

As far as the hosts file is concerned, are you using that to disable WIndows telemetry or for some other purpose? Controlling behavior in PFSense with the hosts file is not ideal. It should be done with pf or nat.

1 Like

Do you wear a condom if she promises that she’s on the pill ??


I should have mentioned that PFSense runs inside a guest VM and the only device that connects to it is my Host PC. That’s it.

Hosts file blocks IPs and domains from reaching the internet. I’d say it’s firewall related :slight_smile:

I think it’s sometimes taking a lot of CPU time because I am monitoring it with process explorer. We could get into the long process stacks and threads about that but let’s not; let’s just see if we can replace windows firewall with pfsense :slight_smile:

No sir, I do not. Also in this case I can pull up my tricorder and monitor her pill situation.

Yes my good man. Telemetry. (I updated my post)

I just want to keep the telemetry&co in check without needing windows firewall, if that can be managed.

Is the windows machine behind the pfsense firewall or the firewall behind the windows machine?

If it’s the former and that’s the only thing the windows machine can talk to without going through the firewall then you could disable the windows firewall but I’d question why…

If you need a hosts file to stop your computer naccessing certain ips then sounds like your machine is untrusted in which case 2 firewalls are better than one. Keep them both on.

Solo PC -> pfsense VM -> rest of world.

My PC is “untrusted” and uses hosts file because it’s running windows 10. :wink:

Nothing untrustworthy about windows 10. fyi, the “telemetry blocking” stuff, don’t use anything more than host files (or the equivalent firewall rules) the other stuff can really screw up your machine.

Same rule still applies though, unless you have a good reason to turn it off, keep the firewall on. Start straying from good practice and you end up forgetting you did it and mess up sometime down the line.

1 Like

For most people I’d say no. Not that I think the Windows firewall is awesome or anything like that. But the Windows firewall monitors outbound connections, applications that listen on a port, and that sort of thing. When the Windows firewall detects that an application is looking to make its way out to the internet, it throws up a warning asking if you want to allow it. You may have noticed this with games like Diablo III.

You can block this outbound traffic with pfSense, but it’s significantly more painful to do so. Since the Windows firewall is integrated into Windows, you get the nice popup that allows you to open up outbound access right there on the spot. Where as if you want to do this through pfSense, everything is blocked until you fire up the application, find out that functionality doesn’t work, research which port(s) the application wants to use, and make pfSense allow them.

But if you’re looking to manage a pfSense firewall, you’re not most people. So this may be a viable option for you. If you’re looking to get into network security, you’ll want to know about all this fun stuff like blocking outbound traffic on specific ports at the firewall. But don’t shun the Windows firewall. There will come a time when having a firewall up and properly managed on client machines is a must. IPv6 gives us the glory that is end-to-end routing. One wrong route, and suddenly you have a Windows box sitting directly on the filthy, unwashed internet. Hopefully it has a software firewall running.

GlassWire would have that live stalking without much usage, but havent used it as firewall myself, just as this stalking thing like why is my Win10 sending few byte zigzags around globe to company servers

@Levitance @Eden Alright, I see your points. I’ll think about the ups and downs and what I feel like putting up with. My initial thought was, if I have the most secure enterprise router + firewall (pfsense), already taking my machine’s CPU, why also run windows firewall. But maybe I’ll keep it.

The pfsense VM is running on the windows machine in question?

Yes, the Host PC only has access to a network connection through the Microsoft Loopback Adapter, which gets its internet from the PFSense Virtualbox which runs on the same windows host. Here’s a guide:’-tcpip-stacks/

If you’re using the hosts file to ‘block’ the telemetry domains then this will work with or without the Windows firewall as this is a DNS thing and not a firewall thing.

1 Like

1 Like

Omg GlassWire sure looks sweet mate! I turned on the firewall and set it to Ask to Connect, and I get this elegant popup on bottom right of screen asking if I want to allow X new or recently changed thing to connect to the internet. And its GUI shows everything so nicely, unlike windows firewall’s windows 98 look :slight_smile:

Since the windows hosts file works without windows firewall, I’ll finish setting up Snort on pfsense, and disable windows firewall, and also use glasswire because it’s so totally rad.

[EDIT] I actually can’t do that. GlassWire uses the Windows Firewall API, it’s just a nice glossy overlay, not a firewall:


Both me and my friend got addicted to follow these addresses early on, its still unique tool for seeing tracking tentacles happening as they do

I’ve used Glasswire with Comodo before…
I just never used the firewall controlling part of Glasswire, only for the monitoring.