Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Feature Request: Add "not" to Destination Port Range"

    Firewalling
    5
    14
    1.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rjoffe
      last edited by

      I think the subject says it all :)

      i.e. block all but port 1234 or if using a port alias, block all but ports listed in ALIAS

      (if this is the wrong forum, please let me know the correct place)

      Ron

      1 Reply Last reply Reply Quote 0
      • KOMK
        KOM
        last edited by

        I'm not sure I understand.  Everything is blocked by default.  You must manually allow things through the firewall with rules.  So if you want to block all but 1234, then just add a rule that allows 1234 and put it at the top of your rules list.

        1 Reply Last reply Reply Quote 0
        • R
          rjoffe
          last edited by

          KOM,

          Thanks for the reply. What I'm trying to achieve is something like this:

          Let's look at ssh. I wan to end up with something like this:

          Rules:

          1. Filter all ports except 22 (ssh).
          2. Filter all traffic from known list (for example pfBlocker) and log.
          3. Allow port 22 in from known white list.

          The key here is the logging part of step 2. If I skip step 1 and just have steps 2&3,  I'll end up with junk in my filter logs which I have no interest in (for example ntp scans). Step 1 eliminates the "noise".

          I can achieve this with current config, by blocking 1-21 and 23-65535 as a step 1. However this gets more complicated when I also want to allow a few other ports through. That's the request for the "not" on the destination port range.

          Does this make sense, or is there a better way to achieve the same functionality

          Thanks,

          Ron

          1 Reply Last reply Reply Quote 0
          • KOMK
            KOM
            last edited by

            The firewall rules include a hidden rules called Default Deny rule which has logging enabled.  Any unhandled traffic will be blocked and logged by this rule.  If you want to eliminate log noise from this rule, I would create a manual block rule, set it to not log and place it at the bottom of your rules.  That way it should be processed before the default rule and not log the blocked traffic.

            1 Reply Last reply Reply Quote 0
            • R
              rjoffe
              last edited by

              KOM,

              Again, thanks for the reply. Let me see if I can make the request a bit cleaner.

              If I have rule set A:

              1. Allow port 22 (ssh) from known hosts (no logging)
              2. Deny Default (logging)

              I would end up with a list of anyone not in my known hosts list with any type of connection logged.

              If I then go to rule set B:

              1. Deny port 1-21 (no logging)
              2. Deny port 23-65535 (no logging)
              3. Allow ssh from known hosts (no logging)
              4. Deny Default (logging)

              I would end up with a list of only those not in my known hosts list which try to connect on port 22 (ssh)

              My enhancement request is for rule set C:

              1. Deny NOT port 22 (no logging)
              2. Allow ssh from known hosts (no logging)
              3. Deny Default (logging)

              This also would end up with a list of only those not in my known hosts list which try to connect on port 22 (ssh), but is cleaner.

              Rule set C is a very simple example. real world is very much more complicated.

              Thanks,

              Ron

              1 Reply Last reply Reply Quote 0
              • KOMK
                KOM
                last edited by

                OK, now I see what you want and why.  Sorry it took so many explanations.  I've been having issues with my density lately.

                1 Reply Last reply Reply Quote 0
                • R
                  rjoffe
                  last edited by

                  KOM,

                  If you are having density issues, then you are having minor ones.

                  Thanks for the feedback.

                  Ron

                  1 Reply Last reply Reply Quote 0
                  • T
                    Trel
                    last edited by

                    @rjoffe:

                    My enhancement request is for rule set C:

                    1. Deny NOT port 22 (no logging)
                    2. Allow ssh from known hosts (no logging)
                    3. Deny Default (logging)

                    I think you can achieve this now like so

                    1. Deny port 22 from NOT known hosts (logging)
                    2. Allow port 22 (no logging)
                    3. Deny all (no logging)
                    4. Default Deny All (logging) <–- should never happen due to #3

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      You know this seems like it should be easy.  I'm going to look at it.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • dennypageD
                        dennypage
                        last edited by

                        I have another situation in which I would find this useful. I am looking at restricting outbound connections from a local segment to a specific set of ports (outbound connections are currently unrestricted). However before I put a restriction in place, I'd like to use a logging rule for some period of time to ensure that I won't be breaking anything.

                        1 Reply Last reply Reply Quote 0
                        • T
                          Trel
                          last edited by

                          @dennypage:

                          I have another situation in which I would find this useful. I am looking at restricting outbound connections from a local segment to a specific set of ports (outbound connections are currently unrestricted). However before I put a restriction in place, I'd like to use a logging rule for some period of time to ensure that I won't be breaking anything.

                          Have you tried this option yet?

                          https://forum.pfsense.org/index.php?topic=82055.msg449806#msg449806

                          1 Reply Last reply Reply Quote 0
                          • dennypageD
                            dennypage
                            last edited by

                            This is my use case:

                            1. Allow portlist from * (no logging)
                            2. Allow * from * (logging)

                            But sense inversion the port list would be more convenient. It wouldn't require futzing with the default rules, and is easy to convert between logging and rejecting/blocking.

                            1 Reply Last reply Reply Quote 0
                            • T
                              Trel
                              last edited by

                              @dennypage:

                              This is my use case:

                              1. Allow portlist from * (no logging)
                              2. Allow * from * (logging)

                              But sense inversion the port list would be more convenient. It wouldn't require futzing with the default rules, and is easy to convert between logging and rejecting/blocking.

                              What would the inversion case be? Because the rule 1 and 2 work now as you wrote them if you use an alias for the ports.

                              1 Reply Last reply Reply Quote 0
                              • dennypageD
                                dennypage
                                last edited by

                                1. Allow !portlist from * (logging)

                                Which after testing would change to

                                1. Reject !portlist from * (logging)

                                I agree that this use case can be achieved currently by using multiple rules based on inclustion, however it's more convenient to use a single rule based on exclusion.

                                @Trel:

                                What would the inversion case be? Because the rule 1 and 2 work now as you wrote them if you use an alias for the ports.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.