Netgate Discussion Forum
    Firewall Invert Match question

    Firewalling · 7 Posts, 4 Posters, 35.1k Views
    • C
      CallFromUSA
      last edited by

      Hello, I need more information on this option on the firewall rule. I wanted to know what its function is. Does it concern stateful and stateless firewalling? And if yes, which is pfSense? I looked for it on Google and couldn't find it.

      Thanks

      • K
        kpa
        last edited by

        If you look more closely at the UI you'll see that the invert match checkboxes are in the "source address" and "destination address" parts of the rule edit window. This means the inversion applies only to the addresses, i.e. "match any address except the one(s) listed".

        • C
          CallFromUSA
          last edited by

          @kpa:

          If you look more closely at the UI you'll see that the invert match checkboxes are in the "source address" and "destination address" parts of the rule edit window. This means the inversion applies only to the addresses, i.e. "match any address except the one(s) listed".

          Thanks for your reply. Could you please give some more info on what you meant by "match any address except the one(s) listed"? Thanks.

          • C
            cmb
            last edited by

            It inverts the match. Say you add a rule allowing any source to destination 8.8.8.8, that allows traffic to 8.8.8.8. Change that to inverted destination and it's allow to destination not 8.8.8.8 - e.g. anything but 8.8.8.8.

            • MMapplebeckM
              MMapplebeck
              last edited by

              Further to this, and I feel really dumb for asking, perhaps because it's Friday, and I'm on my 3rd coffee.

              Does the Invert option only apply to the source/destination address line?

              Example, I want to make my rule reject outbound HTTPS traffic, except HTTPS destined for an alias for our company subnets.

              Will the rule shown in the attached screenshot:

              a. Reject ALL traffic on the LAN interface, except HTTPS traffic destined for net_internal?
              OR
              b. Reject ALL HTTPS traffic on the LAN interface, except if the destination matches net_internal?

              ![2016-06-10 10-20-33.png](/public/imported_attachments/1/2016-06-10 10-20-33.png)

              • C
                cmb
                last edited by

                That rule will reject all traffic except HTTPS to destination net_internal. It won't pass HTTPS to net_internal though; you need a pass rule for that. It just won't reject it (as it won't match the rule).

                • MMapplebeckM
                  MMapplebeck
                  last edited by

                  That's excellent!  We already have an allow all outbound rule, we just want to block internet HTTPS traffic that is not passed through our proxy.

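The behaviour cmb describes (an inverted destination only decides whether the rule matches; a non-match falls through to the next rule, or to the default deny) is easy to mis-read, so here is an added worked example that is not pfSense or pf code. It is a toy first-match evaluator: the `net_internal` alias contents, the `Rule`/`evaluate` helpers and the sample packets are all constructed for illustration. It runs MMapplebeck's ruleset (reject HTTPS to "not net_internal", followed by the existing allow-all rule) and, separately, the same reject rule alone, to show why the pass rule is still needed.

```python
"""Toy model of pfSense-style interface rules with the 'Invert match' box.

Added example, not pfSense/pf code. It models only what the thread talks
about: protocol, destination port and a destination address field that can
be inverted. Interface rules in pfSense are evaluated first-match, with an
implicit deny at the end, and that is what evaluate() imitates.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed alias standing in for the poster's "net_internal" (hypothetical ranges)
ALIASES: Dict[str, List[str]] = {
    "net_internal": ["10.0.0.0/8", "192.168.0.0/16"],
}


def in_alias(addr: str, alias: str) -> bool:
    """True if addr falls inside any network of the named alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in ALIASES[alias])


@dataclass
class Rule:
    action: str                 # "pass", "block" or "reject"
    proto: str = "any"          # "any", "tcp", "udp"
    dst: str = "any"            # alias name, literal address, or "any"
    dst_invert: bool = False    # the "Invert match" checkbox on the destination
    dport: Optional[int] = None # None = any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.dst != "any":
            if self.dst in ALIASES:
                hit = in_alias(pkt["dst"], self.dst)
            else:
                hit = ipaddress.ip_address(pkt["dst"]) == ipaddress.ip_address(self.dst)
            # Inversion flips only the address test, not the rest of the rule:
            # a normal rule needs hit=True, an inverted one needs hit=False.
            if hit == self.dst_invert:
                return False
        return True


def evaluate(rules: List[Rule], pkt: dict) -> str:
    """First matching rule wins; nothing matching means the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "default-deny"


# The ruleset from the thread: reject HTTPS whose destination is NOT net_internal,
# followed by the poster's existing allow-all outbound rule.
LAN_RULES = [
    Rule("reject", proto="tcp", dst="net_internal", dst_invert=True, dport=443),
    Rule("pass"),
]

# Constructed sample packets (addresses are made up for the example)
PKTS = {
    "https_to_internal": {"proto": "tcp", "dst": "10.1.2.3", "dport": 443},
    "https_to_internet": {"proto": "tcp", "dst": "203.0.113.10", "dport": 443},
    "http_to_internet":  {"proto": "tcp", "dst": "203.0.113.10", "dport": 80},
}


def decide_all(rules: List[Rule] = LAN_RULES, pkts: Dict[str, dict] = PKTS) -> Dict[str, str]:
    """Verdict for every sample packet under the given ruleset."""
    return {name: evaluate(rules, p) for name, p in pkts.items()}


if __name__ == "__main__":
    print("With the allow-all rule after the reject:")
    for name, verdict in decide_all().items():
        print(f"  {name:20s} -> {verdict}")
    print("Reject rule alone (no pass rule):")
    for name, verdict in decide_all(rules=LAN_RULES[:1]).items():
        print(f"  {name:20s} -> {verdict}")
```

With both rules, HTTPS to the internet is rejected, HTTPS to `net_internal` falls through to the pass rule, and plain HTTP is untouched. With the reject rule alone, HTTPS to `net_internal` is not rejected but is not passed either: it reaches the default deny, which is exactly cmb's caveat. The same `Rule` also reproduces the 8.8.8.8 illustration: a pass rule with destination 8.8.8.8 inverted matches traffic to every address except 8.8.8.8.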
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.