Netgate Discussion Forum
    Is it possible to do inverse matching of tags in floating rules?

    Category: Firewalling (3 Posts, 2 Posters, 143 Views)
    • lightwave

      Hi everybody!

      Is it possible to set up a floating rule that blocks all outbound traffic on an interface that has not been tagged with a certain tag (inverse matching)? Essentially, I'm trying to find a way to implement the following pf rule:

      block out quick on RED_NET ! tagged RED_NET_OK

      So far, the only possible solution I've found is to add the rule to "/etc/inc/filter.inc", but I would rather not have parts of the ruleset outside of the user interface.

      Thank you in advance!

      • jimp (Rebel Alliance Developer, Netgate)

        There doesn't appear to be, but it may not be too difficult to add something that would at least let you enter, say, !RED_NET_OK in the Tagged field and then it sees that and splits out the ! into the right spot.

        Open a feature request at https://redmine.pfsense.org in the Rules/NAT Category and we'll see what we can do.

        • lightwave

          Thanks for the quick reply!

          I have created Feature Request #10186. I'm afraid I missed setting the category, and I do not seem to have the rights to change it after pressing Create.

          It looks as if the solution that you propose could be implemented with a small change to filter_generate_user_rule($rule) in filter.inc around the lines

          if (!empty($rule['tagged'])) {
              $aline['tagged'] = " tagged \"" .$rule['tagged']. "\" ";
          }

          A small change to the input validation in firewall_rules_edit.php would also be required to allow the value of the "tagged" field to start with an exclamation mark.

          I will likely spend a few moments to write the code and patch my current installation of pfSense to enable this feature. Would it be of use to you if I clone the Git repository and send in a patch file (or pull request) with my changes?

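An added sketch of the change discussed in the thread, written for this page and not taken from pfSense's filter.inc, firewall_rules_edit.php or the feature request: a leading "!" in the Tagged field becomes pf's "! tagged" inverse match, and the validation is tightened at the same time, because the field value is interpolated straight into the generated ruleset. Function names and the allowed tag character set are assumptions.

```php
<?php
// Added example, not pfSense's own code. Hypothetical helpers that sketch
// the change proposed in the thread: "!TAG" in the Tagged field emits
// pf's inverse match ("! tagged"), plain "TAG" emits the usual "tagged".

// Validate the Tagged field: an optional leading "!" followed by a tag name.
// The character class is an assumption for this example; the point is that
// the field must never carry other pf syntax, since it is written verbatim
// into the ruleset. Returns null when valid, or an error message otherwise.
function validate_tagged_field(string $value): ?string {
    if ($value === '') {
        return null;                 // empty field: no tagged clause at all
    }
    if (!preg_match('/^!?[A-Za-z0-9_]{1,63}$/', $value)) {
        return 'The Tagged field must be a tag name, optionally prefixed with "!".';
    }
    return null;
}

// Build the tagged clause for one rule, splitting the "!" out to where
// pf expects it: "!RED_NET_OK" -> ' ! tagged "RED_NET_OK" '.
function build_tagged_clause(array $rule): string {
    if (empty($rule['tagged'])) {
        return '';
    }
    $tag = $rule['tagged'];
    $negate = '';
    if ($tag[0] === '!') {
        $negate = '! ';
        $tag = substr($tag, 1);
    }
    return ' ' . $negate . 'tagged "' . $tag . '" ';
}

// Constructed sample input: the rule from the original question.
$rule = ['interface' => 'RED_NET', 'tagged' => '!RED_NET_OK'];

$error = validate_tagged_field($rule['tagged']);
if ($error !== null) {
    fwrite(STDERR, $error . "\n");
    exit(1);
}
echo 'block out quick on ' . $rule['interface'] . build_tagged_clause($rule) . "\n";
```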