Netgate Discussion Forum
    Port Aliases

    Category: Firewalling
    5 Posts, 3 Posters, 694 Views
    Gil (Rebel Alliance) wrote:

      I am aware that specifying port types is done within the firewall rules.
      Can I ask why it is not possible to specify udp or tcp in the Port Aliases?
      Would this create additional confusion?

      I like to limit user access with OpenVPN connections using firewall rules, thus a pre-defined port list (Alias) is ideal.
      But, aliases are limited due to the fact that I cannot specify the port types.

      I guess I can create:
      "User-A" (tcp) firewall rule with "User-A_tcp" Port Alias, and then create
      "User-A" (udp) firewall rule with "User-A_udp" Port Alias.

      Is that the best method?

    Gertjan wrote:

        A firewall rule can be set to TCP, UDP, or both.

        [image attached]

        A port has no notion of the protocol being used.

        So: "User-A" (TCP/UDP) firewall rule with "User-A" Port Alias.

    Gil (Rebel Alliance) wrote:

          Thanks Gertjan, that part is obvious.
          The point is I can't make one firewall rule for a service that requires a mix of tcp and udp ports.
          If I could specify the port type within the alias, then that may have been possible.

          The firewall rules filter for the specified type(s) across all ports under the alias.

          I think it best to create several aliases that are grouped by type, then create several firewall rules in order to keep the firewalls as tight as possible.

          e.g.:
          Alias for Server X (tcp): 80, 137, 443, 554, 555, 5004
          Alias for Server X (udp): 137, 2000, 5355, 8000-8102

    Gil (Rebel Alliance) wrote:

            The Aliases won't have port types, but the firewall rules can then pick up the wanted ports and the port type would be applied there.

    SteveITS (Rebel Alliance), replying to Gil, wrote:

              @Gil said in Port Aliases:

              I can't make one firewall rule for a service that requires a mix of tcp and udp ports.

              While it would be handy, the rule generated has the port separate from the protocol:

              block drop in quick on em0 inet proto tcp from 10.0.0.0/24 to any port = netbios-ssn flags S/SA label "USER_RULE: Block SMB outbound"

              So if it were to work pfSense would presumably have to generate multiple rules, one for each protocol.

              That said, it generates multiple rule/lines for rules with one protocol and two ports. :)
              (https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html)

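The following Python script is an added example, not code from this thread or from pfSense itself. It models the two points made above: SteveITS's observation that the generated pf rule carries the protocol and the port separately (so a rule with one protocol and several alias entries becomes several pf lines, and a TCP/UDP rule doubles that), and Gil's point that two per-protocol aliases keep the filter tighter than one mixed alias on a single TCP/UDP rule. The alias contents are Gil's Server X lists; the interface name ovpns1, the addresses and the rule label are assumed, and the rendered lines only mimic the shape of Steve's pfctl output (state options are omitted).

```python
"""Expand pfSense-style port aliases into pf rule lines and compare approaches.

Added illustration, not pfSense's filter code. Alias entries are single ports
or "lo-hi" ranges, as typed into the alias editor.
"""
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, str]  # (protocol selector "tcp" | "udp" | "tcp/udp", alias name)

# Constructed sample data from the thread's Server X example.
ALIASES: Dict[str, List[str]] = {
    "ServerX_tcp": ["80", "137", "443", "554", "555", "5004"],
    "ServerX_udp": ["137", "2000", "5355", "8000-8102"],
    # What a single TCP/UDP rule forces you to build: the union of both lists,
    # because an alias entry cannot say which protocol it belongs to.
    "ServerX_any": ["80", "137", "443", "554", "555", "2000", "5004", "5355", "8000-8102"],
}


def parse_entry(entry: str) -> Tuple[int, int]:
    """Turn '443' or '8000-8102' into an inclusive (lo, hi) port range."""
    lo, _, hi = entry.partition("-")
    lo_p, hi_p = int(lo), int(hi or lo)
    if not 0 < lo_p <= hi_p <= 65535:
        raise ValueError(f"bad port entry {entry!r}")
    return lo_p, hi_p


def pf_port_clause(entry: str) -> str:
    """Render an alias entry the way `pfctl -sr` prints a port match."""
    lo, hi = parse_entry(entry)
    return f"port = {lo}" if lo == hi else f"port {lo}:{hi}"


def expand_rule(proto: str, alias: str, action: str = "pass in quick",
                iface: str = "ovpns1", src: str = "10.8.0.10",
                dst: str = "192.168.1.20", label: str = "Server X") -> List[str]:
    """Expand one GUI rule into per-protocol, per-alias-entry pf lines.

    iface/src/dst/label are assumed values for illustration only.
    """
    protos = ["tcp", "udp"] if proto == "tcp/udp" else [proto]
    lines = []
    for p in protos:
        for entry in ALIASES[alias]:
            flags = " flags S/SA" if p == "tcp" else ""
            lines.append(f"{action} on {iface} inet proto {p} from {src} to {dst} "
                         f'{pf_port_clause(entry)}{flags} label "USER_RULE: {label}"')
    return lines


def permitted_pairs(rules: Iterable[Rule]) -> Set[Tuple[str, int]]:
    """Every (protocol, destination port) combination the rule set lets through."""
    pairs: Set[Tuple[str, int]] = set()
    for proto, alias in rules:
        protos = ["tcp", "udp"] if proto == "tcp/udp" else [proto]
        for p in protos:
            for entry in ALIASES[alias]:
                lo, hi = parse_entry(entry)
                pairs.update((p, port) for port in range(lo, hi + 1))
    return pairs


# Gil's approach: one alias and one rule per protocol.
SPLIT_RULES: List[Rule] = [("tcp", "ServerX_tcp"), ("udp", "ServerX_udp")]
# The alternative: one mixed alias on a single TCP/UDP rule.
SINGLE_RULE: List[Rule] = [("tcp/udp", "ServerX_any")]


def excess_openings() -> Set[Tuple[str, int]]:
    """(proto, port) pairs the single TCP/UDP rule allows but the split rules do not."""
    return permitted_pairs(SINGLE_RULE) - permitted_pairs(SPLIT_RULES)


if __name__ == "__main__":
    for proto, alias in SPLIT_RULES + SINGLE_RULE:
        print(f"# {proto} rule with alias {alias}:")
        print("\n".join(expand_rule(proto, alias)))
    extra = excess_openings()
    print(f"\n{len(extra)} (proto, port) pairs are opened only by the single TCP/UDP rule,"
          f" e.g. {sorted(extra)[:3]}")
```

Run it as is to see the expanded lines for each approach; the split aliases produce 10 pf lines and 112 permitted (protocol, port) pairs, while the single TCP/UDP rule produces 18 lines and 222 pairs, 110 of them (such as UDP 80 or TCP 2000) that Server X never needs.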
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.