Netgate Discussion Forum

    "This Firewall (source)" Alias

    • pfsjap

      Is there a reason that there is no "This Firewall (source)" alias in the drop-down list in firewall rules? Maybe there could be a better way to name it, but anyway...

      I have configured AllLanGroups Interface Group containing all LANs. AllLanGroups rules have all the common rules for the LANs.

      For example, all subnets are allowed to ping the router using this rule:

      [Screenshot of the firewall rule; image not preserved]

      I recently realized that this rule is more permissive than I intended. What I want is achieved by this:

      [Screenshot of the firewall rules; image not preserved]

      but it looks ugly and moving these to interface rules is not any better. Having an alias "This Firewall (source)" referring to the interface address of the source network would be nice.

      • SteveITS @pfsjap

        @pfsjap This Firewall is all IPs on pfSense.

        There’s no interface where your rules will work all together like that. Packets match as they arrive at an interface.

        What are you trying to accomplish, block traffic from pfSense itself?

        To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Only install packages for your version of pfSense.
        Upvote 👍 helpful posts!

        • pfsjap @SteveITS

          @SteveITS said in "This Firewall (source)" Alias:

          There’s no interface where your rules will work all together like that. Packets match as they arrive at an interface.

          Well, that's the very reason I wish there would be such an alias 😊 There's no need for such an alias for rules of a specific, single interface, but in case of Interface Group rules it would be handy.

          Are you saying that when a packet arrives at an interface, it is impossible to determine what the interface's IP address is?

          @SteveITS said in "This Firewall (source)" Alias:

          What are you trying to accomplish, block traffic from pfSense itself?

          There are no blocks in the rules I showed above. What I would like to accomplish is described in the rules contained in the second picture above, but with a single rule like in the first picture.

          • SteveITS @pfsjap

            @pfsjap I just meant traffic from pfSense AFAIK is always allowed.

            Are you looking for the network/subnet like https://forum.netgate.com/topic/200606/this-firewall-networks-alias ?

            • pfsjap @SteveITS

              @SteveITS said in "This Firewall (source)" Alias:

              Are you looking for the network/subnet like https://forum.netgate.com/topic/200606/this-firewall-networks-alias ?

              No, this alias I'm talking about is not like the one in that topic. I can't describe how it would work more clearly, maybe my English is just so bad..

              • SteveITS @pfsjap

                @pfsjap said in "This Firewall (source)" Alias:

                Having an alias "This Firewall (source)" referring to the interface address of the source network

                Your English is fine actually. :) I reread your question and I think you're asking for an alias for "whatever the IP is of this interface" but I suspect there is no way for pf to know that when it is loading unless it's told. "self" is an actual pf alias/macro. Functionally there is probably little difference between allowing access to "LAN address" or "This Firewall" (any IP on pfSense)...is there anything that would be listening on one IP and not another? Perhaps something like a VPN, but access can also be blocked by firewall rule.

                • Bob.Dig

                  I got it on first read. But I don't think that interface-groups work like that. Most things you have to manage separately.

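Added example, not part of any post in the thread: a small Python model of why a single interface-group rule with destination "This Firewall" is broader than one rule per LAN, and what the requested alias would change. The screenshots are not preserved, so the rule shapes are assumed from the text; the interface names, addresses and the `ingress_address` alias are constructed or hypothetical.

```python
import ipaddress
from itertools import product

# Constructed sample addressing: interface -> firewall address on it.
INTERFACES = {
    "lan1": ipaddress.ip_interface("192.168.10.1/24"),
    "lan2": ipaddress.ip_interface("192.168.20.1/24"),
    "wan": ipaddress.ip_interface("203.0.113.2/30"),
}
ALL_LAN_GROUP = ("lan1", "lan2")  # members of the interface group


def firewall_addresses():
    """What "This Firewall" (pf's self) covers: every address on the box."""
    return {ifc.ip for ifc in INTERFACES.values()}


def permits(rule, ingress, dst_ip):
    """True if a packet arriving on `ingress` for `dst_ip` matches `rule`."""
    if ingress not in rule["on"]:
        return False
    if rule["dst"] == "self":
        return dst_ip in firewall_addresses()
    if rule["dst"] == "ingress_address":  # hypothetical alias asked for above
        return dst_ip == INTERFACES[ingress].ip
    return dst_ip == ipaddress.ip_address(rule["dst"])


def reachable(rules):
    """(ingress interface, firewall address) pairs some rule allows."""
    return {
        (ingress, str(ip))
        for ingress, ip in product(ALL_LAN_GROUP, firewall_addresses())
        if any(permits(r, ingress, ip) for r in rules)
    }


def excess(rules, intended):
    """Pairs `rules` allows that the `intended` rule set does not."""
    return sorted(reachable(rules) - reachable(intended))


GROUP_SELF = [{"on": ALL_LAN_GROUP, "dst": "self"}]
PER_INTERFACE = [{"on": (n,), "dst": str(INTERFACES[n].ip)} for n in ALL_LAN_GROUP]
REQUESTED = [{"on": ALL_LAN_GROUP, "dst": "ingress_address"}]

if __name__ == "__main__":
    for ingress, ip in excess(GROUP_SELF, PER_INTERFACE):
        print(f"group rule also lets hosts behind {ingress} reach {ip}")
```

Running the same comparison against a real configuration means replacing `INTERFACES` and `ALL_LAN_GROUP` with the firewall's actual interface addresses and group membership.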