Is it possible to do inverse matching of tags in floating rules?

  • Hi everybody!

    Is it possible to set up a floating rule that blocks all outbound traffic on an interface that has not been tagged with a certain tag (inverse matching)? Essentially, I'm trying to find a way to implement the following pf-rule:

    block out quick on RED_NET ! tagged RED_NET_OK

    So far, the only possible solution I've found i to add the rule to "/etc/inc/", but I would rather not have parts of the ruleset outside of the user interface.

    Thank you in advance!

  • Rebel Alliance Developer Netgate

    There doesn't appear to be, but it may not be too difficult to add something that would at least let you enter, say, !RED_NET_OK in the Tagged field and then it sees that and splits out the ! into the right spot.

    Open a feature request at in the Rules/NAT Category and we'll see what we can do.

  • Thanks for the quick reply!

    I have created Feature Request #10186. I'm afraid I missed to set the category and I do not seem to have the rights to change it after pressing create.

    It looks as if the solution that you propose could be implemented with a small change to filter_generate_user_rule($rule) in around the lines

    if (!empty($rule['tagged'])) {
    		$aline['tagged'] = " tagged \"" .$rule['tagged']. "\" ";

    A small change to the input validation in firewall_rules_edit.php would also be required to allow the value of the "tagged" field to start with an exclamation mark.

    I will likely spend a few moments to write the code and patch my current installation of pfSense to enable this feature. Would it be of use to you if I clone the GIT repository and send in a patch file (of pull request) with my changes?

Log in to reply