Using IP or port lists in firewall rules



  • Hello,

    Usually I need to allow certain IPs to access certain ports (either on the pfSense router itself or NAT'ed). However, adding them one by one is very inconvenient, meaning I have to create entries like this:

    1. Allow IP 1.2.3.4 access port 80
    2. Allow IP 1.2.3.4 access port 443
    3. Allow IP 4.5.6.7 access port 80
    4. Allow IP 4.5.6.7 access port 443
    5. Allow IP 8.9.10.11 access port 80

    With more ports and more IPs this becomes very confusing.

    The way I would do it on a Linux router would be to do this:

    # Create the two user-defined chains first
    iptables -N HTTPONLY
    iptables -N HTTPS

    # Dispatch by destination port (-p tcp selects the protocol; -d is the destination address)
    iptables -I INPUT -p tcp --dport 80 -j HTTPONLY
    iptables -I INPUT -p tcp --dport 80 -j HTTPS
    iptables -I INPUT -p tcp --dport 443 -j HTTPS

    # Hosts allowed on port 80 only
    iptables -I HTTPONLY -s 8.9.10.11 -j ACCEPT

    # Hosts allowed on ports 80 and 443
    iptables -I HTTPS -s 1.2.3.4 -j ACCEPT
    iptables -I HTTPS -s 4.5.6.7 -j ACCEPT

    Now every IP is listed only once and I can add/remove IPs easily.

    Is there a way to do something similar with pfSense?



  • Use Aliases for your hosts via Firewall - Aliases.  Create an alias for your rule to use and then add the hosts that you want to the list for that alias.  Then when making the firewall rule, use the alias instead of the individual host.  The rule will be applied to all hosts listed under the Alias.



  • Thank you. I even googled for this, but it did not occur to me to look at "Aliases".



  • You can also create aliases for TCP/UDP ports, so you could conceivably create only one firewall rule to handle a large number of hosts and ports.
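  • As an added illustration (not from this thread or from pfSense's own output), the policy from the first post written in pf syntax, which is the mechanism behind the host and port aliases the two answers above describe: pfSense turns a host alias into a pf table and a port alias into a port list, so each address and port is written once and the rules reference the names. The interface name (em0) and alias names (http_only_hosts, https_hosts, web_ports) are assumed for the example.

```pf
# Assumed WAN interface name
ext_if = "em0"

# Port alias: one list used by every rule that needs these ports
web_ports = "{ 80, 443 }"

# Host aliases: each address appears exactly once, as a pf table
table <http_only_hosts> { 8.9.10.11 }
table <https_hosts>     { 1.2.3.4, 4.5.6.7 }

# Default deny for the web ports (no "quick", so a later matching pass wins)
block in on $ext_if proto tcp to port $web_ports

# One rule per (host alias, port alias) pair instead of one rule per host
pass in quick on $ext_if proto tcp from <https_hosts>     to port $web_ports
pass in quick on $ext_if proto tcp from <http_only_hosts> to port 80
```

    Because the hosts live in tables, adding or removing an address does not touch the rules: `pfctl -t https_hosts -T add 5.6.7.8` (or `-T delete`) changes the table in place, and `pfctl -t https_hosts -T show` lists what is currently allowed, which is a quick way to audit the allowlist. On pfSense itself the generated ruleset is rewritten from the GUI configuration, so the alias is edited under Firewall > Aliases rather than in a hand-maintained pf.conf; the fragment above shows what that edit amounts to.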