Using EasyRule to Manage Firewall Rules
The EasyRule function found in the GUI and on the command line can add firewall rules quickly.
EasyRule in the GUI
In the pfSense® software GUI, this function is available in the Firewall Log view (Status > System Logs, Firewall tab).
Clicking the icon next to a source IP address adds a block rule for that address on the interface. More precisely, it adds the address to an alias of addresses blocked through EasyRule (creating the alias if it does not yet exist) and blocks that alias on the selected interface.
Clicking the icon next to a destination IP address works similarly, but it adds a narrowly scoped pass rule instead of a block. That pass rule allows traffic on the interface only when it matches the same protocol, source IP address, destination IP address, and destination port as the logged entry.
EasyRule in the Shell
The shell version of EasyRule, the easyrule command, can manage EasyRule firewall rules and block-list entries from a shell prompt. When easyrule is run without parameters, it prints a usage message explaining its syntax.
easyrule adds a block rule backed by an alias, or a precise pass rule specifying the protocol, source, and destination, in the same way as the GUI version.
The general form of the command is:
# easyrule <action> <interface> <parameters>
- action:
The action can be one of pass, block, showblock, or unblock. Each takes different parameters and is explained later in this section.
- interface:
The descriptive name of the interface, as seen in the GUI on the interface configuration page, for example WAN, LAN, DMZ, or OFFICEVPN. Descriptive names are not case sensitive. The interface value can also be the internal designation for the interface, such as wan or opt2. Special names for certain groups are also available here: openvpn for OpenVPN tab rules, ipsec for IPsec tab rules, pppoe for PPPoE server tab rules, and l2tp for L2TP server tab rules.
Pass
Passing traffic requires several details so that the command does not create an overly permissive rule. The destination port is optional when the protocol does not use ports (e.g. ICMP, OSPF).
# easyrule pass <interface> <protocol> <source address> <destination address> [destination port]
- protocol:
The name of the protocol to pass, or any to pass any protocol.
- source address:
The source of traffic for the pass rule. Can be an IPv4/IPv6 address, subnet, alias name, or a special network name such as any, pppoe, or l2tp.
- destination address:
The destination of traffic for the pass rule. Can be an IPv4/IPv6 address, subnet, alias name, or a special network name such as any, pppoe, or l2tp.
- destination port:
The destination port number if the protocol uses ports (TCP, UDP). To pass traffic to any port, use any.
Note
The address family of the source and destination must match: both IPv4 or both IPv6.
Example pass rule for a protocol that uses ports:
# easyrule pass wan tcp 1.2.3.4 192.168.0.4 80
Example pass rule for a protocol without ports:
# easyrule pass wan icmp 1.2.3.4 192.168.0.4
Block
Blocking requires only the source address to block:
# easyrule block <interface> <source address>
- source address:
The source of traffic to block. Can be an IPv4/IPv6 address, subnet, alias name, or a special network name such as any, pppoe, or l2tp.
Block example:
# easyrule block wan 1.2.3.4
Show a Block
The showblock action prints the addresses currently blocked by EasyRule on an interface, one entry per line in CIDR notation:
# easyrule showblock <interface>
# easyrule showblock wan
1.2.3.4/32
5.6.7.8/32
9.10.11.0/24
Remove a Block
# easyrule unblock <interface> <source address>
- source address:
The source of traffic to unblock. Can be an IPv4/IPv6 address, subnet, alias name, or a special network name such as any, pppoe, or l2tp. The address must already be blocked by EasyRule.
Note
This action only removes entries created by EasyRule; it does not remove block rules or entries that were not created by EasyRule.
# easyrule showblock wan
1.2.3.4/32
5.6.7.8/32
9.10.11.0/24
# easyrule unblock wan 5.6.7.8
Host unblocked successfully
# easyrule showblock wan
1.2.3.4/32
9.10.11.0/24
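The showblock and unblock sequence above, together with the address-family rule from the Pass section, are the checks a script built around easyrule should make before calling it. The following added example is not from the pfSense documentation or the pfSense software: it wraps the easyrule command in a few POSIX sh functions that consult showblock before blocking or unblocking, and refuse a pass rule whose literal source and destination addresses are of different families. It assumes easyrule is on PATH (override EASYRULE to point elsewhere, or at a stub for testing), that showblock prints one entry per line with hosts as /32 as in the sample output, and that IPv6 hosts are listed as /128 (an assumption, not documented above).

```shell
#!/bin/sh
# Added example: a small wrapper around the easyrule command. It is not part of
# the pfSense documentation or software. Assumptions: "easyrule" is on PATH
# (override EASYRULE to point at the script, or at a stub when testing), and
# "easyrule showblock" prints one entry per line with hosts as /32, as in the
# documented sample output.

EASYRULE="${EASYRULE:-easyrule}"

# Normalize an address to the form showblock prints: a bare IPv4 host becomes
# host/32, a bare IPv6 host becomes host/128 (the /128 form is an assumption),
# and anything already in CIDR form is left alone.
normalize_addr() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *:*) printf '%s/128\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Succeed (exit 0) if the address is already in EasyRule's block list for
# the interface. Matches whole lines only, so 1.2.3.4 does not match 1.2.3.40.
is_blocked() {
    want=$(normalize_addr "$2")
    "$EASYRULE" showblock "$1" | grep -Fxq -e "$want"
}

# Block the address unless it is already listed; repeated calls (for example
# from a log-triggered script) then do not keep re-adding the same entry.
block_once() {
    if is_blocked "$1" "$2"; then
        echo "$2 already blocked on $1"
        return 0
    fi
    "$EASYRULE" block "$1" "$2"
}

# Unblock only when EasyRule itself lists the address, since unblock does not
# touch entries that EasyRule did not create.
unblock_if_blocked() {
    if ! is_blocked "$1" "$2"; then
        echo "$2 is not an EasyRule block on $1, nothing to remove" >&2
        return 1
    fi
    "$EASYRULE" unblock "$1" "$2"
}

# Classify a source/destination argument so mismatched address families can be
# caught before easyrule pass is called. Aliases and special names such as
# "any" or "pppoe" cannot be checked here and are reported as "other".
addr_family() {
    case "$1" in
        *:*)                         echo ipv6 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo ipv4 ;;
        *)                           echo other ;;
    esac
}

# Wrap "easyrule pass"; refuse when both endpoints are literal addresses of
# different families. The destination port ($5) is optional, as for easyrule.
pass_checked() {
    sf=$(addr_family "$3")
    df=$(addr_family "$4")
    if [ "$sf" != other ] && [ "$df" != other ] && [ "$sf" != "$df" ]; then
        echo "refusing pass rule: $3 is $sf but $4 is $df" >&2
        return 2
    fi
    "$EASYRULE" pass "$1" "$2" "$3" "$4" ${5:+"$5"}
}
```

To exercise the wrapper without touching a live firewall, define a shell function named easyrule that prints canned showblock output and set EASYRULE to it. Because the checks only read showblock output and inspect literal addresses, an alias or special name such as any cannot be family-checked and is passed through to easyrule unchanged, which then applies its own validation.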