Blocking specific ports outbound to internet but not across interfaces
I have a number of OPT interfaces and VLANs setup on my pfSense.
I want to block certain ports out to the internet for all interfaces, but want to allow these ports between internal interfaces.
What is the best way to achieve this?
I think I could a floating rule with specific ports/protocols set and the Advanced option set for the WAN Gateway and then apply it to the interfaces I want it applied to. Is there a better way?
If I need to allow exceptions would that be possible with the above setup by individual rules on the specific interface? Or would those need to be a higher priority floating rule that only applies to the exceptions (limited by source, destination, etc.)?
There may be certain ways to reach your goal.
Add an IP alias for you internal networks if they are not contiguous subnets, lets call it intranet. Add a port alias for the ports you want to block (i.g. blocktoWAN).
Then add a floating rule:
select your internal interfaces
at destination check "not", select "single host or alias" and enter intranet in the field below
at destination port range enter blocktoWAN in from and to field
You will also need a floating pass rule with lower priority to permit other traffic. Rules added to the interfaces tabs are preferred unless you check the Quick option in the floating rule.
So if you neet exception, you may add it to the interfaces tabs.
However, I think it's more clearly to add rules to each interface.
You can quickly achieve this by adding the rule to one interface, then copy it by clicking the "+" beside and change the interface.
I agree with viragomann, its best to place rules on each interface vs floating to be honest.
A simple block rule to ! rfc1918 alias would stop access to whatever port(s) you wanted to block with no effect on local traffic. If your really really lazy, you could put that as a floater.. Or in your floater just block the ports you want outbound on your wan interface.