Netgate Discussion Forum
    Consolidating rules with NOT (invert) operator

    Firewalling
    GPz1100 (last edited by GPz1100):

      I have a device on a VLAN that I want to permit FTP access only to a specific server on a different VLAN.

      9fbcc7dd-a32b-40b3-9f83-feb95b4e36c7-image.png

      The above works well to permit the printer to send FTP traffic to nas1, but everything else is blocked. I thought I could combine this into a single rule using the not (!) operator.

      03cb675e-7ce1-44ad-be7a-f2f121a1d20c-image.png

      Meaning, block all traffic not going to nas1 using port 21. It does indeed block all traffic, but also traffic destined for nas1/port21.

      If I'm understanding correctly, the reason is that the firewall by default blocks everything, everywhere. Without explicit allow rule(s), this (single) rule does indeed block all traffic going anywhere but nas1, but it doesn't permit traffic to nas1 either.

      Is there a way of formulating the original 2 rules into a functional single rule?

      SteveITS (Galactic Empire) @GPz1100:

        @GPz1100 If there are no other rules, your second rule in example 1 is unnecessary because of the default block.

        Your second example does not allow anything.

        Note passive FTP requires a large number of additional ports allowed for the data connections.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        GPz1100 @SteveITS:

          @SteveITS There is a floating rule that allows basic traffic on all vlans (dns, ntp, http(s), etc), but it's NOT set as quick, so other block rules can override.

          While I did not set or enable active FTP mode explicitly, it appears to allow it. The FTP server in question is part of TrueNAS SCALE.

          In fact, in testing, passive FTP would not transfer at all with just the first allow rule above.

          7b2126dc-56b3-4f83-b45a-a2f33ebe7046-image.png

          This is a snapshot of the state table when a transfer is in progress with the single allow rule. I'm not entirely clear why the last 2 states are permitted, as there are no other rules pertaining to these 2 endpoints?

          SteveITS (Galactic Empire) @GPz1100:

            @GPz1100 I would guess your floating rule is allowing it, if/since you're not blocking those ports otherwise. But you say the FTP transfer didn't work?

            Passive FTP ports are controlled by the server. Some use all 1024 through 65535.

            FWIW I usually prefer two rules just for clarity.

            The floating vs interface rule order may be involved here, too:
            https://docs.netgate.com/pfsense/en/latest/nat/process-order.html


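To make the behaviour discussed in this thread concrete, here is an added Python model of pf's rule evaluation (it is not pfSense code and not from any poster). It implements the documented pf semantics: rules are checked in order, a matching rule marked "quick" ends evaluation immediately, otherwise the last matching rule wins, and if nothing matches the default policy is block. pfSense interface rules are quick by default and floating rules are not. The addresses, the DNS-only floating rule and the port numbers are hypothetical stand-ins for the screenshots. Three scenarios are modelled: the original two interface rules, the single negated block rule, and a non-quick floating pass rule plus the single allow rule, which is the configuration from the state-table post.

```python
"""Toy model of pf (pfSense) rule evaluation: quick vs. last-match, default deny."""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical addresses for this example (not taken from the thread).
PRINTER = "10.10.20.50"   # device on the printer VLAN
NAS1 = "10.10.30.10"      # FTP server on the server VLAN
OTHER = "10.10.30.11"     # any other host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: Optional[str] = None    # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    invert_dst: bool = False     # the "not (!)" checkbox on the destination
    quick: bool = True           # interface rules are quick; floating rules are not

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None:
            hit = pkt.dst == self.dst
            if self.invert_dst:          # "!" negates only the address match
                hit = not hit
            if not hit:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return "pass" or "block" the way pf would decide for this packet."""
    decision = "block"               # implicit default deny when nothing matches
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action   # non-quick: remember, keep going (last match wins)
            if rule.quick:
                break                # quick: first match is final
    return decision


def scenario_two_rules() -> List[Rule]:
    """Example 1 from the thread: explicit pass, then block everything else."""
    return [Rule("pass", PRINTER, NAS1, 21), Rule("block", PRINTER)]


def scenario_single_negated() -> List[Rule]:
    """Example 2: one rule, 'block from printer to !nas1 port 21'. No pass rule at all."""
    return [Rule("block", PRINTER, NAS1, 21, invert_dst=True)]


def scenario_floating_plus_allow() -> List[Rule]:
    """Non-quick floating pass (hypothetically DNS only) evaluated first, then the single allow."""
    return [Rule("pass", None, None, 53, quick=False), Rule("pass", PRINTER, NAS1, 21)]


if __name__ == "__main__":
    probes = [Packet(PRINTER, NAS1, 21), Packet(PRINTER, OTHER, 21),
              Packet(PRINTER, OTHER, 53), Packet(PRINTER, NAS1, 50000)]
    for name, rules in [("two rules", scenario_two_rules()),
                        ("single negated block", scenario_single_negated()),
                        ("floating + allow", scenario_floating_plus_allow())]:
        print(name)
        for p in probes:
            print(f"  {p.src} -> {p.dst}:{p.dport}  {evaluate(rules, p)}")
```

Running it shows the three points made in the thread: with two rules, only printer to nas1:21 passes; with the single negated block rule, nas1:21 is not matched by the block but nothing passes it either, so the default deny wins; with a non-quick floating pass, DNS to another host passes even though no interface rule mentions it (which is the kind of state that shows up unexpectedly in the state table), while a passive-FTP data connection on a high port to nas1 is still blocked because no rule covers it.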
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.