Firewall Invert Match question



  • Hello, I need more information on this option on the firewall rule. I wanted to know what its function is. Does it concern stateful and stateless firewalling? And if yes, which is pfSense? I looked for it on Google and couldn't find it.

    Thanks



  • If you look more closely at the UI you'll see that the invert match checkboxes are in the "source address" and "destination address" parts of the rule edit window. This means the inversion applies only to the addresses, i.e. "match any address except the one(s) listed".



  • @kpa:

    If you look more closely at the UI you'll see that the invert match checkboxes are in the "source address" and "destination address" parts of the rule edit window. This means the inversion applies only to the addresses, i.e. "match any address except the one(s) listed".

    Thanks for your reply. Could you please give some more info on what you meant by "match any address except the one(s) listed"? Thanks.



  • It inverts the match. Say you add a rule allowing any source to destination 8.8.8.8; that allows traffic to 8.8.8.8. Change that to inverted destination and it's allow to destination not 8.8.8.8, i.e. anything but 8.8.8.8.



  • Further to this, and I feel really dumb for asking, perhaps because it's Friday, and I'm on my 3rd coffee.

    Does the Invert option only apply to the source/destination address line?

    Example, I want to make my rule reject outbound HTTPS traffic, except HTTPS destined for an alias for our company subnets.

    Will the rule shown in the attached screenshot:

    a. Reject ALL traffic on the LAN interface, except HTTPS traffic destined for net_internal?
    OR
    b. Reject ALL HTTPS traffic on the LAN interface, except if the destination matches net_internal?

    ![2016-06-10 10-20-33.png](/public/imported_attachments/1/2016-06-10 10-20-33.png)



  • That rule will reject all traffic except HTTPS to destination net_internal. It won't pass HTTPS to net_internal though; you need a pass rule for that. It just won't reject it (as it won't match the rule).
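The point made in the replies above (the invert checkbox flips only the address test, and a non-matching packet simply falls through to the next rule) can be modelled in a few lines. The following is an added example written for this page, not code from pfSense or from anyone in the thread. It assumes pfSense's first-match-wins evaluation of interface rules, a constructed `net_internal` alias of two RFC 1918 networks, and the two-rule LAN ruleset the last poster describes: the inverted reject from the screenshot, followed by the pre-existing allow-all outbound rule.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str                   # source IP as a string
    dst: str                   # destination IP as a string
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                   # "pass" or "reject"
    proto: Optional[str] = None                   # None = any protocol
    src: List[str] = field(default_factory=list)  # [] = any address
    src_invert: bool = False                      # "Invert match" on source
    dst: List[str] = field(default_factory=list)
    dst_invert: bool = False                      # "Invert match" on destination
    dport: Optional[int] = None                   # None = any port


def address_matches(nets: List[str], invert: bool, addr: str) -> bool:
    """The invert checkbox only negates the address test; protocol and
    port tests elsewhere in the rule are unaffected.  Inverting an empty
    list ("any") matches nothing, which is why that combination is useless."""
    if not nets:
        hit = True
    else:
        a = ipaddress.ip_address(addr)
        hit = any(a in ipaddress.ip_network(n, strict=False) for n in nets)
    return (not hit) if invert else hit


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (address_matches(rule.src, rule.src_invert, pkt.src)
            and address_matches(rule.dst, rule.dst_invert, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins (assumed pfSense interface-rule semantics);
    with no match the implicit default deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed alias standing in for the poster's "net_internal".
NET_INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]

# Rule 1 is the screenshot rule: reject TCP/443 whose destination is NOT in
# net_internal.  Roughly the pf.conf form (assumed, for illustration):
#   block return quick on $lan proto tcp from any to ! <net_internal> port 443
# Rule 2 is the existing allow-all outbound rule.
RULES = [
    Rule("reject", proto="tcp", dst=NET_INTERNAL, dst_invert=True, dport=443),
    Rule("pass"),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "192.168.1.10", "8.8.8.8", 443),   # HTTPS to the internet
        Packet("tcp", "192.168.1.10", "10.1.2.3", 443),  # HTTPS to net_internal
        Packet("tcp", "192.168.1.10", "8.8.8.8", 80),    # plain HTTP to the internet
    ]
    for p in samples:
        print(f"{p.proto}/{p.dport} -> {p.dst}: {evaluate(RULES, p)}")
    # Without the allow rule the HTTPS-to-net_internal packet is not passed by
    # the inverted reject; it just falls through to the default deny.
    print("no allow rule:", evaluate(RULES[:1], samples[1]))
```

Running it shows option (b) from the question: only HTTPS is affected, and only when the destination is outside the alias. HTTP to the internet never touches rule 1 because the port test fails, and HTTPS to net_internal is passed by rule 2, not by the reject rule; drop rule 2 and that traffic is blocked by the default deny.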



  • That's excellent!  We already have an allow all outbound rule, we just want to block internet HTTPS traffic that is not passed through our proxy.

