Interesting security flaw in pfSense. When a NAT rule pinned to an interface loses the underlying interface, the default is to revert that rule back to WAN instead of disabling it or keeping the orphaned rule pinned to the interface.
This was a set of rules tied to OPT1, 2, 3, and 4. I now only have OPT1 and 2 after removing OPT3 and 4. OPT3 and 4 reverted to WAN, which is unintended behavior. On a different network architecture where pfSense is the externally facing firewall, this can lead to a severe exposure of internal services.
Anyone else seen this before? Think it is worth reporting to Netgate? Maybe they fixed it already?
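
One way to catch the behaviour described in the post above is to compare a config.xml backup taken before an interface is removed with one taken after. This is an added example, not part of the original post and not pfSense or Netgate code. It assumes port forwards are stored as `<nat><rule>` elements with `<interface>`, `<target>`, `<local-port>` and `<descr>` children and that `<interfaces>` has one child per interface; the matching key and the sample backups are constructed.

```python
import xml.etree.ElementTree as ET

def load(xml_text):
    """Return (defined interface names, {rule key: interface}) from a config.xml."""
    root = ET.fromstring(xml_text)
    ifaces = {el.tag for el in root.find("interfaces")}
    rules = {}
    for r in root.findall("./nat/rule"):
        # Assumed matching key (description, target, local port); adjust to taste.
        key = (r.findtext("descr", ""), r.findtext("target", ""),
               r.findtext("local-port", ""))
        rules[key] = r.findtext("interface", "")
    return ifaces, rules

def audit(before_xml, after_xml):
    """Flag port forwards that were re-pinned after their interface vanished,
    or that still reference an interface the newer config does not define."""
    _, old_rules = load(before_xml)
    new_ifaces, new_rules = load(after_xml)
    findings = []
    for key, new_if in sorted(new_rules.items()):
        old_if = old_rules.get(key)
        if old_if and old_if != new_if and old_if not in new_ifaces:
            findings.append((key[0], old_if, new_if, "reassigned"))
        elif new_if not in new_ifaces:
            findings.append((key[0], old_if, new_if, "orphaned"))
    return findings

def sample(ifaces, rules):
    """Build a minimal constructed config.xml (sample data, not a real backup)."""
    i = "".join(f"<{name}/>" for name in ifaces)
    r = "".join(f"<rule><interface>{itf}</interface><target>{t}</target>"
                f"<local-port>{p}</local-port><descr>{d}</descr></rule>"
                for itf, t, p, d in rules)
    return f"<pfsense><interfaces>{i}</interfaces><nat>{r}</nat></pfsense>"

BEFORE = sample(["wan", "lan", "opt1", "opt2", "opt3", "opt4"],
                [("opt1", "10.0.1.10", "443", "web"),
                 ("opt3", "10.0.3.10", "22", "ssh"),
                 ("opt4", "10.0.4.10", "3389", "rdp")])
AFTER = sample(["wan", "lan", "opt1", "opt2"],
               [("opt1", "10.0.1.10", "443", "web"),
                ("wan", "10.0.3.10", "22", "ssh"),
                ("wan", "10.0.4.10", "3389", "rdp")])

if __name__ == "__main__":
    for descr, old_if, new_if, kind in audit(BEFORE, AFTER):
        print(f"{kind}: '{descr}' was on {old_if}, now on {new_if}")
```

Any "reassigned" finding whose new interface is `wan` is the case worth reviewing before the change goes live on an externally facing firewall.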
