CONTRIBUTION: static port range and outbound rules source port range

  • When you go to NAT Outbound, you can create rules to make 1 port static, or to force the source port (for example, force that traffic with source port 5111 from host will be NATed to WAN_IP:51110).
    This is nice, of course, but not quite helpful when it comes to SIP, since you have a range of RTP ports to make static.

    Based on the build "built on Sun Jan 23 06:46:02 EST 2011", I've patched the GUI so that it can now handle ranges of static ports with a single rule, as pf supports it. This is a very simple patch requiring changes to only 3 files (Outbound NAT rules edition, Outbound NAT rules listing, and pf rules file generation).

    I'm willing to contribute those small changes, and have been told to post it in the forum, thus, if a developer of pfSense is interested, I'd be glad if pfSense would contain a few lines of code from me ;)

    (btw, the few lines are ONLY copy-paste-edit)

  • Put your patches here or somewhere they cannot be forgotten, and whoever has time will grab it for sure if it qualifies.

  • Thanks for your answer.
    For the record:

  • Note lp said:

    "I've patched the GUI so that it can now handle ranges of static ports with a single rule"

    I would propose if possible to allow for something like this


    e.g. 100,101,102,700,800,801,802,803,804

    this would be a comma-separated list of ranges or single ports; if pfSense supported this it would provide better flexibility and more concise rules. Of course I don't know if that is what lp proposed in the first place - I assume he only provided a range.

  • You're right, I've offered only a port range. The reason for that is there's direct support for it in pf, the firewall behind pfSense, and thus it required minimal changes.
    If pf supports such a syntax (like "20,30-40,50,60-70"), I may patch it rather easily (which doesn't mean it'll get integrated in pfSense ;)).
    If pf doesn't support it, it is still possible (I have the code in front of me), it just requires a little deeper patching (i.e. generating several rules from a single call to the function "filter_nat_rules_generate_if").

    If you're interested in my little patch, you can find it here:

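    The two approaches discussed above (a single pf rule per contiguous range, and several rules generated from a comma-separated list such as "20,30-40,50,60-70") as an added illustration; this is example code, not the forum poster's patch and not pfSense's own filter_nat_rules_generate_if. The interface name, source host and translation target are assumed placeholders, and the input is validated strictly because every accepted value ends up in the pf rules file.

```python
import re

# One port ("20") or one inclusive range ("30-40"); anything else is rejected.
PORT_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_list(spec: str) -> list[tuple[int, int]]:
    """Parse "20,30-40,50,60-70" into [(20, 20), (30, 40), (50, 50), (60, 70)].

    Only validated integers in 1..65535 with low <= high get through, so no
    stray characters from the GUI field can reach the generated rules."""
    items = []
    for raw in spec.split(","):
        raw = raw.strip()
        m = PORT_ITEM.match(raw)
        if not m:
            raise ValueError(f"invalid port item: {raw!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port out of range: {raw!r}")
        if low > high:
            raise ValueError(f"reversed range: {raw!r}")
        items.append((low, high))
    return items


def is_valid_port_list(spec: str) -> bool:
    """True when the whole list parses, False otherwise (for form validation)."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def static_port_rules(interface: str, src_host: str, port_spec: str, target: str) -> list[str]:
    """Emit one pf outbound NAT rule per list item.

    pf takes a single port or one low:high range per rule, so a contiguous
    range stays a single rule while a list expands to several (the deeper
    patching the thread mentions). Assumed placeholders: interface/host/target."""
    rules = []
    for low, high in parse_port_list(port_spec):
        port = str(low) if low == high else f"{low}:{high}"
        rules.append(f"nat on {interface} proto udp from {src_host} port {port} "
                     f"to any -> {target} static-port")
    return rules
```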
  • I'd like to see Port Aliases get the same treatment, and the option for non-contiguous ports and ranges would certainly be the most flexible, and could collapse things like SSL and non-SSL web traffic into a single rule (80,443) and other things where a logical grouping would be nice to have. I think I tried to use nested port aliases to do this already and got an error :-(

  • Mistake in the patch files.
    In firewall_nat_out_edit.php, you should add after line 223:
    $natent['sourceportend'] = ($protocol_uses_ports) ? $_POST['sourceportend'] : "";

  • This patch is now useless since port alias support was implemented. Thanks :)
    This also means that what some people asked for in this thread is now possible.
