Firewall rules - possible bug



  • pfSense 2.1-RELEASE

When creating a firewall rule with a specific Destination Port Range "to" port only (nothing changed in the "from" port), the rule is created but automatically assumes a destination port of "any" (*).

    My Case:

    I wanted to allow only SSH to a particular destination port and added the port only to the Destination Port Range "to" box. Clicking Save automatically created a rule allowing ALL TCP connections to my WAN address.

    This seems dangerous and a prompt should occur to let the user know they didn't read the instructions (like me!) and that their Destination Port Range was not specified properly (i.e. the Destination Port Range "from" port should also be entered).
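The behaviour described in this report, modelled as an added example that is not pfSense code and does not reflect how its form handler is written: a lenient merge of the From/To boxes that keys the rule off the "from" field alone (so a lone "to" port collapses to "any"), beside a strict version that refuses the half-filled range the way the reporter asks for. Field names, the `PortSpec` type and the error messages are all assumptions for illustration.

```python
"""Toy model of a firewall-rule form's Destination Port Range handling.

Added illustration, not pfSense code. lenient_port_range() mimics the reported
behaviour; strict_port_range() and check_form() show the validation the
reporter wants instead of silently widening the rule to every port.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PortSpec:
    start: Optional[int]  # None means "any" port (rendered as "*")
    end: Optional[int]

    def is_any(self) -> bool:
        return self.start is None

    def __str__(self) -> str:
        if self.is_any():
            return "*"
        if self.start == self.end:
            return str(self.start)
        return f"{self.start}-{self.end}"


def lenient_port_range(from_port: str, to_port: str) -> PortSpec:
    """Reproduces the reported behaviour (assumed logic, not pfSense's):
    a blank 'from' box is read as 'any' and the 'to' value is discarded."""
    if from_port.strip() == "":
        return PortSpec(None, None)
    start = int(from_port)
    end = int(to_port) if to_port.strip() else start
    return PortSpec(start, end)


class PortRangeError(ValueError):
    """Raised when the two boxes do not describe a usable port or range."""


def strict_port_range(from_port: str, to_port: str) -> PortSpec:
    """Hardened form: 'any' only when BOTH boxes are blank; a lone 'to' port
    is rejected with a message instead of being widened to every port."""
    f, t = from_port.strip(), to_port.strip()
    if f == "" and t == "":
        return PortSpec(None, None)
    if f == "":
        raise PortRangeError(
            f"'to' port {t} entered without a 'from' port; "
            "the rule would match ANY destination port")
    if t == "":
        t = f  # a lone 'from' port means a single port
    start, end = int(f), int(t)
    for p in (start, end):
        if not 1 <= p <= 65535:
            raise PortRangeError(f"port {p} is outside 1-65535")
    if start > end:
        raise PortRangeError(
            f"'from' port {start} is greater than 'to' port {end}")
    return PortSpec(start, end)


def check_form(from_port: str, to_port: str) -> Tuple[Optional[PortSpec], str]:
    """What a Save handler would do: return (spec, "") on success, or
    (None, message) so the UI can prompt the user instead of saving."""
    try:
        return strict_port_range(from_port, to_port), ""
    except (PortRangeError, ValueError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed input matching the report: only the 'to' box filled in.
    print("lenient:", lenient_port_range("", "22"))      # prints "*"
    spec, msg = check_form("", "22")
    print("strict :", spec, "|", msg)
```

Running it shows the lenient path turning a "to" port of 22 into a rule for every port, while the strict path returns no rule and a message the form could display before anything is saved.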


  • Banned

    Please post a screenshot of what you input where and what was created where. Cannot make sense of the long-winded description.



  • Sorry for the confusion:

    Firewall --> Rules --> Add new rule

    I then made the changes highlighted in yellow in the first screenshot and clicked 'Save'.

    The rule results are in the second screenshot.

    Update: I realize the Source in the screenshots is set to "WAN Address". I meant to set the Destination to "WAN Address". In either case the pass rule is created port agnostic.

    ![Screen Shot 2014-02-25 at 15.37.59 PM.png](/public/imported_attachments/1/Screen Shot 2014-02-25 at 15.37.59 PM.png)
    ![Screen Shot 2014-02-25 at 15.41.04 PM.png](/public/imported_attachments/1/Screen Shot 2014-02-25 at 15.41.04 PM.png)


  • Banned

    Ah, a lot more clear now. I frankly never liked the GUI design regarding this. What's wrong with using something like xxx-yyy or xxx:yyy, or even xxx,yyy,zzz for a list (not range), plus nuking the From/To altogether? Does not really make much sense with the dropdowns either. Who specifies a range from, say, SSH to HTTP? ::)