Netgate Discussion Forum

Firewall Invert Match question

Firewalling
7 Posts 4 Posters 35.1k Views
CallFromUSA, Jun 1, 2016, 11:10 AM

Hello, I need more information on this option on the Firewall rule. I wanted to know what its function is. Does it concern stateful and stateless firewalling? And if yes, which is pfSense? I looked for it on Google and couldn't get it.

Thanks
kpa, Jun 1, 2016, 11:24 AM (edited 11:27 AM)

If you look more closely at the UI you'll see that the invert match checkboxes are in the "source address" and "destination address" parts of the rule edit window. This means the inversion applies only to the addresses, i.e. "match any address except the one(s) listed".
CallFromUSA, Jun 1, 2016, 6:05 PM

@kpa:

If you look more closely at the UI you'll see that the invert match checkboxes are in the "source address" and "destination address" parts of the rule edit window. This means the inversion applies only to the addresses, i.e. "match any address except the one(s) listed".

Thanks for your reply. Could you please give some more info on what you meant by "match any address except the one(s) listed"? Thanks.
cmb, Jun 2, 2016, 3:18 AM

It inverts the match. Say you add a rule allowing any source to destination 8.8.8.8, that allows traffic to 8.8.8.8. Change that to inverted destination and it's allow to destination not 8.8.8.8 - e.g. anything but 8.8.8.8.
MMapplebeck, Jun 10, 2016, 12:55 PM

Further to this, and I feel really dumb for asking, perhaps because it's Friday and I'm on my 3rd coffee.

Does the Invert option only apply to the source/destination address line?

Example: I want to make my rule reject outbound HTTPS traffic, except HTTPS destined for an alias for our company subnets.

Will the rule shown in the attachment:

a. Reject ALL traffic on the LAN interface, except HTTPS traffic destined for net_internal?
OR
b. Reject ALL HTTPS traffic on the LAN interface, except if the destination matches net_internal?

![2016-06-10 10-20-33.png](/public/imported_attachments/1/2016-06-10 10-20-33.png)
cmb, Jun 10, 2016, 3:15 PM

That rule will reject all traffic except HTTPS to destination net_internal. It won't pass HTTPS to net_internal though, you need a pass rule for that, it just won't reject it (as it won't match the rule).
MMapplebeck, Jun 10, 2016, 4:10 PM

That's excellent! We already have an allow all outbound rule, we just want to block internet HTTPS traffic that is not passed through our proxy.
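The semantics kpa and cmb describe, worked through as an added example (my own illustration, not pfSense code and not something posted in the thread): a small Python model of pfSense interface-rule evaluation with the Source/Destination "Invert match" flags, run over cmb's 8.8.8.8 rule and over the LAN ruleset MMapplebeck describes. The model assumes what pfSense does for interface-tab rules: rules are evaluated top-down, the first match wins, and anything matching no rule hits the implicit default deny. The contents of the net_internal alias, the sample packets, and the assumption that the rule in the screenshot is TCP to destination port 443 are mine.

```python
"""Model of how pfSense applies the "Invert match" checkbox on a rule's
Source and Destination.  Added illustration for this thread, not pfSense
or pf code.  Assumptions (not from the thread): interface rules are
evaluated top-down with first match winning, unmatched traffic hits the
implicit default deny, and the alias net_internal holds the two RFC 1918
ranges listed below."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed contents for the thread's "net_internal" alias (assumption).
ALIASES = {
    "net_internal": [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
}


def addr_matches(spec: str, addr: str) -> bool:
    """spec is 'any', an alias name, or a single host/CIDR."""
    if spec == "any":
        return True
    ip = ip_address(addr)
    nets = ALIASES.get(spec) or [ip_network(spec, strict=False)]
    return any(ip in net for net in nets)


@dataclass
class Rule:
    action: str                 # "pass", "block" or "reject"
    proto: str = "any"          # "any", "tcp" or "udp"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    src_invert: bool = False    # "Invert match" checkbox under Source
    dst_invert: bool = False    # "Invert match" checkbox under Destination

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        # Inversion applies to the address field only: with the box ticked
        # the field matches every address except the one(s) listed.
        # Protocol and port are never inverted.
        src_ok = addr_matches(self.src, pkt["src"]) != self.src_invert
        dst_ok = addr_matches(self.dst, pkt["dst"]) != self.dst_invert
        return src_ok and dst_ok


def evaluate(rules: List[Rule], pkt: Dict) -> str:
    """First matching rule decides; nothing matching means the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block (default deny)"


def cmb_example(invert: bool) -> List[str]:
    """cmb's 8.8.8.8 rule, plain or with Destination inverted, tried
    against DNS to 8.8.8.8 and to 1.1.1.1 (constructed packets)."""
    rule = Rule("pass", dst="8.8.8.8", dst_invert=invert)
    return [evaluate([rule], {"proto": "udp", "src": "192.168.1.10",
                              "dst": d, "dport": 53})
            for d in ("8.8.8.8", "1.1.1.1")]


# The rule MMapplebeck describes (assumed: TCP, destination port 443,
# destination net_internal with Invert match ticked) and the allow-all rule.
REJECT_EXTERNAL_HTTPS = Rule("reject", proto="tcp", dst="net_internal",
                             dport=443, dst_invert=True)
ALLOW_ALL = Rule("pass")

# Constructed LAN traffic samples.
SAMPLE = {
    "https_to_internal": {"proto": "tcp", "src": "192.168.1.10",
                          "dst": "10.1.2.3", "dport": 443},
    "https_to_internet": {"proto": "tcp", "src": "192.168.1.10",
                          "dst": "93.184.216.34", "dport": 443},
    "http_to_internet": {"proto": "tcp", "src": "192.168.1.10",
                         "dst": "93.184.216.34", "dport": 80},
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given ordered ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    print("cmb's rule:         ", cmb_example(False))
    print("cmb's rule inverted:", cmb_example(True))
    print("reject rule alone:  ", decisions([REJECT_EXTERNAL_HTTPS]))
    print("reject then allow:  ", decisions([REJECT_EXTERNAL_HTTPS, ALLOW_ALL]))
    print("allow then reject:  ", decisions([ALLOW_ALL, REJECT_EXTERNAL_HTTPS]))
```

Running it shows both points from cmb's replies: the inverted reject rule on its own does not pass HTTPS to net_internal (that traffic simply matches nothing and falls to the default deny), and with the allow-all rule below it, HTTPS to the internet is rejected while HTTPS to net_internal passes. Because only the address is inverted, a rule restricted to destination port 443 never matches other ports, so HTTP to the internet passes through to the allow-all rule as well. The last run is the check worth making on an interface that already has an allow-all rule: if the allow-all sits above the reject rule, it matches first and the reject rule never fires. In the pf ruleset pfSense generates, the Invert match checkbox becomes the `!` negation on the address.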
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.