Using IP or port lists in firewall rules
-
Hello,
Usually I need to allow certain IPs to access certain ports (either on the pfSense router itself or NAT'ed). However, adding them one by one is very inconvenient, meaning I have to create entries like this:
1. Allow IP 1.2.3.4 access port 80
2. Allow IP 1.2.3.4 access port 443
3. Allow IP 4.5.6.7 access port 80
4. Allow IP 4.5.6.7 access port 443
5. Allow IP 8.9.10.11 access port 80
With more ports and more IPs this becomes very confusing.
The way I would do it on a Linux router would be to do this:
# Create the two custom chains, then hook them from INPUT by destination port
iptables -N HTTPONLY
iptables -N HTTPS
iptables -I INPUT -p tcp --dport 80 -j HTTPONLY
iptables -I INPUT -p tcp --dport 80 -j HTTPS
iptables -I INPUT -p tcp --dport 443 -j HTTPS
# Hosts allowed on port 80 only
iptables -I HTTPONLY -s 8.9.10.11 -j ACCEPT
# Hosts allowed on ports 80 and 443
iptables -I HTTPS -s 1.2.3.4 -j ACCEPT
iptables -I HTTPS -s 4.5.6.7 -j ACCEPT
Now every IP is listed only once and I can add/remove IPs easily.
Is there a way to do something similar with pfSense?
-
Use Aliases for your hosts via Firewall - Aliases. Create an alias for your rule to use and then add the hosts that you want to the list for that alias. Then when making the firewall rule, use the alias instead of the individual host. The rule will be applied to all hosts listed under the Alias.
-
Thank you. I even googled for this, but it did not occur to me to look at "Aliases".
-
You can also create aliases for TCP/UDP ports, so you could conceivably create only one firewall rule to handle a large number of hosts and ports.
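A constructed model of what the two answers describe (a host alias and a port alias referenced by a single rule), added here as an illustration and not taken from the thread or from pfSense itself; the alias names, addresses, rule layout and the evaluation logic are assumptions. It shows that one alias-based rule stands in for the whole hosts × ports list the question complains about, and that aliases may also hold networks and port ranges.

```python
import ipaddress

# Constructed sample aliases, in the spirit of Firewall > Aliases in pfSense.
# Host aliases hold single addresses or CIDR networks; port aliases hold
# single ports or "low:high" ranges.
ALIASES = {
    "HTTP_ONLY_HOSTS": ["8.9.10.11"],
    "HTTPS_HOSTS": ["1.2.3.4", "4.5.6.7", "10.0.0.0/24"],
    "WEB_PORTS": ["80", "443", "8000:8010"],
    "HTTP_PORT": ["80"],
}

# Two pass rules replace the growing list of per-host, per-port entries.
RULES = [
    {"src": "HTTPS_HOSTS", "dports": "WEB_PORTS"},
    {"src": "HTTP_ONLY_HOSTS", "dports": "HTTP_PORT"},
]


def host_match(alias, ip):
    """True if ip falls inside any address or network listed in the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ALIASES[alias])


def port_match(alias, port):
    """True if port is covered by any single port or low:high range in the alias."""
    for entry in ALIASES[alias]:
        low, _, high = entry.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False


def allowed(src_ip, dport):
    """Pass the packet if any rule's source alias and port alias both match."""
    return any(host_match(r["src"], src_ip) and port_match(r["dports"], dport)
               for r in RULES)


def expand(rule):
    """The individual (host, port) permits that one alias rule stands for."""
    return [(h, p) for h in ALIASES[rule["src"]] for p in ALIASES[rule["dports"]]]
```

Editing an alias (adding a host or a port) changes every rule that references it, which is the "list each IP once" property the question asks for.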