
    Firewall rules - possible bug

    Category: Firewalling
    4 Posts 2 Posters 1.2k Views
    • kdr wrote:

      pfSense 2.1-RELEASE

      When creating a firewall rule with a specific Destination Port Range "to" port only (nothing changed in the "from" port) the rule is created but automatically assumes a destination port of "any" (*).

      My Case:

      I wanted to allow only SSH to a particular destination port and added the port only to the Destination Port Range "to" box. Clicking Save automatically created a rule allowing ALL TCP connections to my WAN address.

      This seems dangerous and a prompt should occur to let the user know they didn't read the instructions (like me!) and that their Destination Port Range was not specified properly (i.e. the Destination Port Range "from" port should also be entered).

      • doktornotor wrote:

        Please post a screenshot of what you input where and what was created where. I cannot make sense of the long-winded description.

        • kdr wrote:

          Sorry for the confusion:

          Firewall --> Rules --> Add new rule

          I then made the changes highlighted in yellow in the first screenshot and clicked 'Save'.

          The rule results are in the second screenshot.

          Update: I realize the Source in the screenshots is set to "WAN Address". I meant to set the Destination to "WAN Address". In either case the pass rule is created port agnostic.

          ![Screen Shot 2014-02-25 at 15.37.59 PM.png](/public/imported_attachments/1/Screen Shot 2014-02-25 at 15.37.59 PM.png)
          ![Screen Shot 2014-02-25 at 15.41.04 PM.png](/public/imported_attachments/1/Screen Shot 2014-02-25 at 15.41.04 PM.png)

          • doktornotor wrote:

            Ah, a lot clearer now. I frankly never liked the GUI design regarding this. What's wrong with using something like xxx-yyy or xxx:yyy, or even xxx,yyy,zzz for a list (not range), plus nuking the From/To altogether? It does not really make much sense with the dropdowns either. Who specifies a range from, say, SSH to HTTP?  ::)

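The validation kdr asks for (refuse a "to"-only Destination Port Range instead of silently widening the pass rule to any port) and the single-field syntax doktornotor sketches, written up as an added Python example; this is my own code, not pfSense's rule builder. It emits pf-style port clauses, and the ALIAS_PORTS table is a constructed subset of the GUI's named ports.

```python
import re

# Constructed subset of the named ports the GUI dropdowns offer.
ALIAS_PORTS = {"ssh": 22, "http": 80, "https": 443}


def _port(tok):
    """Resolve one port token (number or alias) to an int, rejecting junk."""
    tok = tok.strip().lower()
    if tok in ALIAS_PORTS:
        return ALIAS_PORTS[tok]
    if not tok.isdigit() or not 1 <= int(tok) <= 65535:
        raise ValueError(f"invalid port: {tok!r}")
    return int(tok)


def normalize_port_range(from_port, to_port):
    """Map the two-box from/to form to a pf destination-port clause.

    Both empty -> 'any'; from only -> single port; from + to -> range.
    A 'to' with no 'from' (the case reported in the thread) is an error,
    so the rule can never collapse to 'any' by accident.
    """
    from_port, to_port = from_port.strip(), to_port.strip()
    if not from_port and not to_port:
        return "any"
    if not from_port:
        raise ValueError('Destination Port Range "from" is required when "to" is set')
    lo = _port(from_port)
    if not to_port:
        return f"port {lo}"
    hi = _port(to_port)
    if hi < lo:
        raise ValueError(f"port range {lo}-{hi} is reversed")
    return f"port {lo}:{hi}"


def parse_port_spec(spec):
    """Single-field alternative: 22 | 22-80 | 22:80 | 22,80,443 | blank for any."""
    spec = spec.strip()
    if not spec or spec == "*":
        return "any"
    if "," in spec:
        ports = sorted({_port(p) for p in spec.split(",")})
        return "port { " + ", ".join(map(str, ports)) + " }"
    m = re.fullmatch(r"([^-:]+)[-:]([^-:]+)", spec)
    if m:
        lo, hi = _port(m.group(1)), _port(m.group(2))
        if hi < lo:
            raise ValueError(f"port range {lo}-{hi} is reversed")
        return f"port {lo}:{hi}"
    return f"port {_port(spec)}"
```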
            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.