Using EasyRule to Manage Firewall Rules

The EasyRule function found in the GUI and on the command line can add firewall rules quickly.

EasyRule in the GUI

In the pfSense® software GUI, this function is available in the Firewall Log view (Status > System Logs, Firewall tab).

The block icon (a minus square) next to the source IP address adds a block rule for that IP address on the interface. To be more precise, it creates or adds to an alias containing IP addresses added from EasyRule and blocks them on the selected interface.

The pass icon (a plus square) next to the destination IP address works similarly to the block action, but it adds a more precise pass rule. This pass rule allows traffic on the interface, but the traffic must match the same protocol, source IP address, destination IP address, and destination port.

EasyRule in the Shell

The shell version of Easy Rule, easyrule, can manage EasyRule firewall rules and entries from a shell prompt. When the easyrule command is run without parameters, it prints a usage message to explain its syntax.

The way easyrule adds a block rule using an alias, or a precise pass rule specifying the protocol, source, and destination, works the same as the GUI version.

The general form of the command is:

# easyrule <action> <interface> <parameters>

action

The action can be one of pass, block, showblock, or unblock. Each one takes different parameters and is explained later in this section.

interface

The descriptive name of the interface, as seen in the GUI on the interface configuration page. For example: WAN, LAN, DMZ, OFFICEVPN. Descriptive names are not case sensitive.

The interface value can also be the internal designation for the interface, such as wan or opt2.

Special names for certain groups are also available here: openvpn for OpenVPN tab rules, ipsec for IPsec tab rules, pppoe for PPPoE server tab rules, and l2tp for L2TP server tab rules.

Pass

Passing requires several details so that it does not create an overly permissive rule. The destination port is optional if the protocol does not use ports (e.g. ICMP, OSPF).

# easyrule pass <interface> <protocol> <source address> <destination address> [destination port]

protocol

The name of the protocol to pass, or any to pass any protocol.

source address

The source of traffic for the pass rule.

Can be an IPv4/IPv6 address, subnet, alias name, or special network name such as any, pppoe or l2tp.

destination address

The destination of traffic for the pass rule.

Can be an IPv4/IPv6 address, subnet, alias name, or special network name such as any, pppoe or l2tp.

destination port

The destination port number if the protocol requires ports (TCP, UDP).

To pass traffic to any port, use any.

Note

The address family of the source and destination must match.

Example pass rule for a protocol that uses ports:

# easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

Example pass rule for a protocol without ports:

# easyrule pass wan icmp 1.2.3.4 192.168.0.4

Block

Blocking only requires a source IP address to block:

# easyrule block <interface> <source address>

source address

The source of traffic to block.

Can be an IPv4/IPv6 address, subnet, alias name, or special network name such as any, pppoe or l2tp.

Block example:

# easyrule block wan 1.2.3.4

Show a Block

This program can also display the addresses currently blocked by easyrule on an interface.

# easyrule showblock <interface>

Show block example:

# easyrule showblock wan
1.2.3.4/32
5.6.7.8/32
9.10.11.0/24

Remove a Block

# easyrule unblock <interface> <source address>

source address

The source of traffic to unblock. The address must already be blocked by EasyRule.

Can be an IPv4/IPv6 address, subnet, alias name, or special network name such as any, pppoe or l2tp.

Note

This action will not remove block rules or entries that were not created by EasyRule.

Unblock example:

# easyrule showblock wan
1.2.3.4/32
5.6.7.8/32
9.10.11.0/24
# easyrule unblock wan 5.6.7.8
Host unblocked successfully
# easyrule showblock wan
1.2.3.4/32
9.10.11.0/24
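The showblock and block actions above can be combined into an idempotent helper that only calls easyrule block when no existing entry already covers an address. This is an added POSIX sh example, not code from the pfSense project; the interface names, addresses, sample showblock output and the EASYRULE override variable are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the pfSense docs): check whether an IPv4 address is
# already covered by an entry listed by "easyrule showblock <interface>"
# (exact host or containing subnet) before adding another block for it.
# Interface names, addresses and the sample output below are constructed.

# Dotted-quad IPv4 address -> unsigned integer.
ip4_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when IPv4 address $1 lies inside $2, an entry as printed by showblock
# (e.g. 9.10.11.0/24; a bare address is treated as /32).
ip4_in_cidr() {
    _net=${2%/*}
    case $2 in */*) _bits=${2#*/} ;; *) _bits=32 ;; esac
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & _mask )) -eq $(( $(ip4_to_int "$_net") & _mask )) ]
}

# Print the showblock entry covering IPv4 address $2 within showblock output $1.
# Exit status 1 and no output when nothing covers it; IPv6 entries are skipped.
covering_entry() {
    printf '%s\n' "$1" | {
        while IFS= read -r _entry; do
            case $_entry in ''|*:*) continue ;; esac
            if ip4_in_cidr "$2" "$_entry"; then printf '%s\n' "$_entry"; exit 0; fi
        done
        exit 1
    }
}

# Block address $2 on interface $1 only when no entry already covers it.
# EASYRULE may point at a wrapper for dry runs (assumed convention, not a pfSense one).
ensure_blocked() {
    _current=$(${EASYRULE:-easyrule} showblock "$1") || return 1
    if _hit=$(covering_entry "$_current" "$2"); then
        echo "$2 already covered by $_hit on $1"
    else
        ${EASYRULE:-easyrule} block "$1" "$2"
    fi
}

# Constructed sample of "easyrule showblock wan" output (values from this page).
SAMPLE_SHOWBLOCK='1.2.3.4/32
5.6.7.8/32
9.10.11.0/24'

# Offline demonstration against the sample; no easyrule call is made here.
if _hit=$(covering_entry "$SAMPLE_SHOWBLOCK" 9.10.11.77); then
    echo "9.10.11.77 is already covered by $_hit"
fi
```

On a pfSense system, `ensure_blocked wan 203.0.113.5` runs showblock first and only adds a block when the address is not yet covered.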