Netgate Discussion Forum
    Easyrule and This Firewall (self)

WvdW

When creating a new easyrule via the console, what is the correct keyword to use for This Firewall (self)?
If you create a new rule via the webGUI there is an option available in destination for This Firewall (self) to select, but I am unable to find the equivalent destination keyword for the command line.

I have tried easyrule pass wan tcp any self 443, but it gives an invalid destination error.

I also tried easyrule pass wan tcp any 127.0.0.1 443, but then it shows the IP as the destination instead of the self keyword.

      I checked in the docs for easyrule and can't find anything detailing the different destination options nor any examples showing different options.

      Werner

NogBadTheBad @WvdW

@wvdw said in Easyrule and This Firewall (self):

    easyrule pass wan tcp any self 443

Why are you trying to allow https to the firewall wan interface?

        https://docs.netgate.com/pfsense/en/latest/firewall/configure.html

        127.0.0.1 is the loopback interface.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

johnpoz LAYER 8 Global Moderator @NogBadTheBad

          @nogbadthebad said in Easyrule and This Firewall (self):

Why are you trying to allow https to the firewall wan interface?

I could understand if you only had ssh access and wanted to access the gui, and there was no way to access anything from the inside or anyone there, etc.

What is odd is why you would want to use the "this firewall" alias in such a rule. Why would you not just use the wan address, or the specific IP of the wan address...

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

NogBadTheBad @johnpoz

            @johnpoz said in Easyrule and This Firewall (self):

            @nogbadthebad said in Easyrule and This Firewall (self):

Why are you trying to allow https to the firewall wan interface?

I could understand if you only had ssh access and wanted to access the gui, and there was no way to access anything from the inside or anyone there, etc.

What is odd is why you would want to use the "this firewall" alias in such a rule. Why would you not just use the wan address, or the specific IP of the wan address...

            To be honest when I was setting up a couple of test VMs I just disabled pf via pfctl -d so I could hop on the box via the web gui from the WAN interface and add another management interface.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

WvdW

So I used a really bad example 😢, because now it's detracting from the primary question.

              Let me rephrase it as easyrule pass wan tcp any self 30100. In other words I do not want to specifically do anything with https, I just used the port number as a bad example. I am trying to figure out what the keyword is for (self) in the easyrule command syntax.

The reason why I want to use self instead of a specific WAN IP is because self automatically covers that port for all attached WAN IPs and NICs instead of just a single one. If using a single IP, then I have to create multiple rules instead of one.

              Werner

NogBadTheBad @WvdW

                @wvdw Do yourself a favour and use the GUI rather than easy rules.

You can also set up interface groups if you have multiple WAN interfaces, create a rule in the interface group, and it applies the rule to each interface group member.

Never mind:

                Use with WAN Interfaces

                The best practice is to not use interface groups with multiple WANs. Doing so may appear to be convenient, but the group rules do not receive the same treatment as actual WAN tab rules. For example, rules on a tab for a WAN-type interface will receive reply-to which allows pf to return traffic back via the interface from which it entered. Group tab rules do not receive reply-to which effectively means that the group rules only function as expected on the WAN with the default gateway.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

bingo600

I have been using TFW to deny 443 access to the firewall, from all except a mgmt-lan.
Wish I hadn't...

Works excellently until you have to make a server public on the internet serving 443, with an ALIAS interface IP.
Then you discover that the ALIAS IP is a member of TFW 🤕

So use TFW with care...

Not a biggie, as you can just allow 443 for that specific IP, before the TFW rule. But knowing what I know now, I would probably not have used TFW.

                  /Bingo

                  If you find my answer useful - Please give the post a 👍 - "thumbs up"

                  pfSense+ 23.05.1 (ZFS)

                  QOTOM-Q355G4 Quad Lan.
                  CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                  LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

WvdW
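The pitfall bingo600 describes above comes down to two facts: "This Firewall (self)" expands to every address the box owns (interface addresses and virtual IP aliases alike), and interface-tab rules in pfSense are evaluated first-match. The script below is an added illustration, not code from this thread or from pfSense; it models those two behaviours with a constructed address inventory (the 203.0.113.x / 192.168.1.x / 10.10.0.x addresses and the rule sets are invented for the example) and includes a small check that flags a specific allow rule left below a block-to-self rule, which is exactly the shadowing that made the alias IP unreachable.

```python
"""
Toy first-match rule evaluator showing why a "pass 443 to <alias IP>" rule
placed below a "block 443 to This Firewall (self)" rule never fires.
Everything here is constructed for illustration; it is a simplified model of
pfSense behaviour, not pfSense code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed inventory: interface addresses plus one IP Alias VIP on WAN.
FIREWALL_ADDRESSES = {
    "wan": ["203.0.113.10"],
    "wan_vip_alias": ["203.0.113.11"],   # the public server's alias IP
    "lan": ["192.168.1.1"],
    "mgmt": ["10.10.0.1"],
}


def this_firewall():
    """Expand "This Firewall (self)": every address the firewall owns, VIPs included."""
    return {ip_address(a) for addrs in FIREWALL_ADDRESSES.values() for a in addrs}


@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", ...
    src: str               # "any" or an IP/CIDR
    dst: str               # "any", "self", or an IP/CIDR
    dport: Optional[int]   # None means any port


def _match_src(rule: Rule, src: str) -> bool:
    return rule.src == "any" or ip_address(src) in ip_network(rule.src)


def _match_dst(rule: Rule, dst: str) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "self":
        return ip_address(dst) in this_firewall()
    return ip_address(dst) in ip_network(rule.dst)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int):
    """First matching rule wins (interface-tab rules are 'quick'); no match -> block.
    Returns (action, index_of_matching_rule_or_None)."""
    for i, r in enumerate(rules):
        if (r.proto == proto and (r.dport is None or r.dport == dport)
                and _match_src(r, src) and _match_dst(r, dst)):
            return r.action, i
    return "block", None


def shadowed_by_self_block(rules: List[Rule]) -> List[int]:
    """Indices of 'pass' rules aimed at one of the firewall's own addresses that
    sit below a 'block ... any -> self' rule for the same proto/port, i.e. rules
    that can never match because the TFW block above them already won."""
    owned = this_firewall()
    shadowed = []
    for i, r in enumerate(rules):
        if r.action != "pass" or r.dst in ("any", "self"):
            continue
        if not any(a in ip_network(r.dst) for a in owned):
            continue
        for earlier in rules[:i]:
            if (earlier.action == "block" and earlier.dst == "self"
                    and earlier.src == "any" and earlier.proto == r.proto
                    and (earlier.dport is None or earlier.dport == r.dport)):
                shadowed.append(i)
                break
    return shadowed


# Ordering that reproduces the problem: the alias-IP allow is below the TFW block.
BROKEN = [
    Rule("pass", "tcp", "10.10.0.0/24", "self", 443),   # mgmt LAN may reach the GUI
    Rule("block", "tcp", "any", "self", 443),           # everyone else blocked
    Rule("pass", "tcp", "any", "203.0.113.11", 443),    # public server: never reached
]

# Corrected ordering: the specific allow goes before the TFW block.
FIXED = [
    Rule("pass", "tcp", "any", "203.0.113.11", 443),
    Rule("pass", "tcp", "10.10.0.0/24", "self", 443),
    Rule("block", "tcp", "any", "self", 443),
]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, evaluate(rules, "tcp", "198.51.100.5", "203.0.113.11", 443),
              "shadowed:", shadowed_by_self_block(rules))
```

Running it shows the internet client (198.51.100.5) hitting rule index 1 (block) in the BROKEN set and rule index 0 (pass) in the FIXED set, while management access to the WAN address itself stays allowed only from 10.10.0.0/24 in both orderings. The `shadowed_by_self_block` check is the kind of sanity test worth running over an exported rule set before relying on a TFW deny.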

                    Thanks for the feedback/advice everyone 😊, I appreciate it.

                    99% of the time the webGUI will be used for managing firewall rules but I am busy testing edge cases where the quickest/only way for me to add a new rule is to use SSH and easyrule. In most cases the rule will be temporary but I still need to know what the correct syntax is to create it in the first place.
The documentation on easyrule is very light, hence posting the question here in the hope that someone has successfully used self as the destination in a command-line-created rule.

                    The mere fact that it is a selectable option in the GUI says to me that there must be a keyword for it when using the command line...

johnpoz LAYER 8 Global Moderator @WvdW

@wvdw I do not believe it's possible, from looking at the code of the easyrule script, to leverage the "this firewall" alias how you're wanting to do it.

I might have missed something, I am by no means any sort of coder - I can hack my way around a script and normally follow what it's doing, etc.

But yeah, looking at the documentation for the easyrule script, I see no mention of being able to do what you're asking.

                      https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html#easyrule-in-the-shell

                      "The source code of those scripts can be adapted for adding firewall rules in other ways, but that is left as an exercise for the reader."

                      https://github.com/pfsense/pfsense/blob/master/src/etc/inc/easyrule.inc

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1
