Create a subnets alias at firewall>aliases likel "localsubs". Add all your local subnets there. Then edit the default lan to any rule at firewall>rules, lan tab. Change source LAN-subnet to "single host or alias " and "localsubs". Now you have a single rule that will allow all your internal subnets out. If you need to block single IPs or ports or destinations add a bloc rule on top of this rule. First match wins. You also can use aliases here for a group of hosts or ports to sum up mulitple rules in one rule.

No, it is not possible unfortunately.

@sullrich: Create a firewall rule in Firewall -> Rules.  However we only control the initial state since pfSense is a stateful firewall (PF). Thanks for not beating the heck out of me with a clue bat.  :D

@mentalhemroids: :)  Ahhh… okay, so it's not some sort of parental control option for only allowing certain machines full access while limiting others.  That brings up an idea; does pfSense have a grouping option to associate firewall rules to a group of computers instead of setting up rules for separate machines?  Then you can manage your permissions by rule instead of making a rule for each machine.  I think that might be useful, but I'm guessing someone has already asked that question, and there is probably an option like that available already. This all probably sound dumb; I'm a little tired and may not be thinking all that clearly.  I even went through all the firewall settings looking for something similar; is there anything? Thanks for answering my first question.  That does make sense to have; it was a good idea. Aliases work as they do with firewall rules and nat rules.

Yes of course, excuse me!

Thats kinda spiffy.  Would be nice if we had a CIDR lookup tool based on this type of thing. mastrboy: you mean multiple aliases, not rules, eh?  because you just plug all of these into an alias and then reference the alias inside your firewall rule (1 rule required, 1 alias with multiple entries).

Yes that probably had something to do with it.  In the configuration I had in the past bridged some interfaces.  It is possible that I did not unbridge them.  Who knows I thought that I did?

@hoba: everything is generated dynamically from the config.xml (diagnostics>backup/restore if you want to look at it or manually edit it) I think, then, that that is where I need to focus for now.

gl with it m8  :D

http://www.google.com/search?q=site:forum.pfsense.org+%22static+port%22+voip which gives http://forum.pfsense.org/index.php?topic=3128.0;prev_next=prev

No problem. I'll test it later when it's ready. Cheers, //Eskild

THANK THANK THANK :P :P :P :P

correct. Not even Internet access should be possible.

block all port exept port 80 then move the pfsense web gui from port 80 to a differend port link 10000 or so install squid and config it as a transparten webproxy now port 80 can only be used for http torents and messingers  can not go true port 80 now

I have used this option too, but I have to have one of IP address and it cannot be blocket by static ARP… so there is no solution to block listed below mac address?

No, a snapshot.  Not 1.0.1.