Netgate Discussion Forum
    Using IP or port lists in firewall rules

    Pentium100

      Hello,

      Usually I need to allow certain IPs to access certain ports (either on the pfsense router itself or NAT'ed). However, adding them one by one is very inconvenient, meaning I have to create entries like this:

      1. Allow IP 1.2.3.4 access port 80
      2. Allow IP 1.2.3.4 access port 443
      3. Allow IP 4.5.6.7 access port 80
      4. Allow IP 4.5.6.7 access port 443
      5. Allow IP 8.9.10.11 access port 80

      With more ports and more IPs this becomes very confusing.

      The way I would do it on a Linux router would be to do this

      # create the per-group chains first; a -j target must exist before it is referenced
      iptables -N HTTPONLY
      iptables -N HTTPS

      # -p selects the protocol (-d would be a destination address)
      iptables -I INPUT -p tcp --dport 80 -j HTTPONLY
      iptables -I INPUT -p tcp --dport 80 -j HTTPS
      iptables -I INPUT -p tcp --dport 443 -j HTTPS

      # hosts allowed on port 80 only
      iptables -I HTTPONLY -s 8.9.10.11 -j ACCEPT

      # hosts allowed on ports 80 and 443
      iptables -I HTTPS -s 1.2.3.4 -j ACCEPT
      iptables -I HTTPS -s 4.5.6.7 -j ACCEPT


      Now every IP is listed only once and I can add/remove IPs easily.

      Is there a way to do something similar with pfSense?

      KOM

        Use Aliases for your hosts via Firewall - Aliases. Create an alias for your rule to use and then add the hosts that you want to the list for that alias. Then when making the firewall rule, use the alias instead of the individual host. The rule will be applied to all hosts listed under the Alias.

        Pentium100

          Thank you. I even googled for this, but it did not occur to me to look at "Aliases".

          KOM

            You can also create aliases for TCP/UDP ports, so you could conceivably create only one firewall rule to handle a large number of hosts and ports.

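To make the alias idea from the replies concrete, here is an added example that is not part of the thread and not pfSense's own code. It models what the two answers describe: a host alias and a port alias are defined once, a firewall rule references both by name, and adding or removing a host touches only the alias, never the rule. The alias names (WebHosts, HttpOnlyHosts, WebPorts, HttpPort), the sample addresses (taken from the question) and the `lo:hi` port-range notation are assumptions for the example; `render_pf` emits an approximation of pf syntax for illustration, not the exact rule text pfSense generates.

```python
import ipaddress

# Constructed sample aliases modelled on the question: two host groups, two port groups.
# pfSense keeps these under Firewall - Aliases; here they are plain dicts.
HOST_ALIASES = {
    "WebHosts": ["1.2.3.4", "4.5.6.7"],   # allowed on 80 and 443
    "HttpOnlyHosts": ["8.9.10.11"],        # allowed on 80 only
}
PORT_ALIASES = {
    "WebPorts": ["80", "443"],
    "HttpPort": ["80"],
}

# Two rules replace the five per-host/per-port entries from the question.
# Each rule refers to aliases by name only.
RULES = [
    {"src": "WebHosts", "dport": "WebPorts"},
    {"src": "HttpOnlyHosts", "dport": "HttpPort"},
]


def expand_hosts(entries):
    """Alias entries may be single IPs or CIDR blocks; normalise to networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def expand_ports(entries):
    """Port alias entries are single ports or 'lo:hi' ranges (assumed notation)."""
    out = []
    for e in entries:
        lo, _, hi = e.partition(":")
        lo = int(lo)
        hi = int(hi) if hi else lo
        out.append((lo, hi))
    return out


def matches(rule, src, dport):
    """True when src is in the rule's host alias and dport in its port alias."""
    ip = ipaddress.ip_address(src)
    nets = expand_hosts(HOST_ALIASES[rule["src"]])
    ports = expand_ports(PORT_ALIASES[rule["dport"]])
    return any(ip in n for n in nets) and any(lo <= dport <= hi for lo, hi in ports)


def allowed(src, dport, rules=RULES):
    """First matching pass rule wins; nothing matched means default deny."""
    return any(matches(r, src, dport) for r in rules)


def add_host(alias, entry):
    """Adding a host edits the alias only; RULES is untouched."""
    ipaddress.ip_network(entry, strict=False)  # validate before storing
    HOST_ALIASES[alias].append(entry)


def render_pf(rule):
    """Approximate pf rule text: the alias becomes a table, ports a list."""
    ports = ", ".join(PORT_ALIASES[rule["dport"]])
    return f'pass in quick proto tcp from <{rule["src"]}> to any port {{ {ports} }}'


if __name__ == "__main__":
    for r in RULES:
        print(render_pf(r))
    print(allowed("1.2.3.4", 443), allowed("8.9.10.11", 443))
```

Running it prints the two rendered rules followed by `True False`: the WebHosts member reaches 443, the HttpOnlyHosts member does not. Call `add_host("HttpOnlyHosts", "10.0.0.0/24")` and the whole block is admitted on port 80 with no change to `RULES`, which is the maintenance win the replies describe.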
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.