Using EasyRule to Add Firewall Rules

The EasyRule function found in the GUI and on the command line can add firewall rules quickly.

EasyRule in the GUI

In the pfSense® software GUI, this function is available in the Firewall Log view (Status > System Logs, Firewall tab).

The block icon (fa-minus-square-o) next to the source IP address adds a block rule for that IP address on the interface. To be more precise, it creates or adds to an alias containing IP addresses added from Easy Rule and blocks that alias on the selected interface, so repeated blocks on the same interface grow one alias rather than adding one rule per address.

The pass icon (fa-plus-square-o) next to the destination IP address works similarly to the block action, but it adds a more precise pass rule. This pass rule allows traffic on the interface only when it matches the same protocol, source IP address, destination IP address, and destination port as the logged entry.

EasyRule in the Shell

The shell version of Easy Rule, easyrule, can add a firewall rule from a shell prompt. When the easyrule command is run without parameters, it prints a usage message to explain its syntax.

The way easyrule adds a block rule using an alias, or a precise pass rule specifying the protocol, source, and destination, works similarly to the GUI version.

: easyrule
usage:
Blocking only requires an IP to block
    easyrule block <interface> <source IP>

Passing requires more detail, as it must be as specific as possible. The destination port is
optional if the protocol does not require a port (e.g. ICMP, OSPF, etc).
    easyrule pass <interface> <protocol> <source IP> <destination ip> [destination port]

Block example:
    easyrule block wan 1.2.3.4

Pass example (protocol with port):
    easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

Pass example (protocol without port):
    easyrule pass wan icmp 1.2.3.4 192.168.0.4

The source code of those scripts can be adapted for adding firewall rules in other ways, but that is left as an exercise for the reader.
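When easyrule is driven from a script rather than typed by hand, the main risk is passing it a malformed or unintended argument: a block for the wrong address, or a pass rule with no port where the protocol needs one. The following POSIX sh example is added here and is not part of pfSense or the easyrule script; it assumes only the command syntax shown in the usage message above. It validates the interface, protocol, addresses and port, builds the exact easyrule command line, and executes it only when EASYRULE_APPLY=1 is set, so by default it prints what it would run.

```shell
#!/bin/sh
# Added example (not pfSense project code): build and validate easyrule
# invocations before running them. Assumes the syntax from the usage text:
#   easyrule block <interface> <source IP>
#   easyrule pass  <interface> <protocol> <source IP> <destination ip> [port]

# is_ipv4: succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;   # empty or contains non-digit/non-dot
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip                      # split into octets on '.'
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# is_name: interface and protocol names are plain lowercase alphanumerics.
is_name() {
    case "$1" in
        ""|*[!a-z0-9]*) return 1 ;;
    esac
    return 0
}

# is_port: TCP/UDP port in 1-65535.
is_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# easyrule_block_cmd <interface> <source IP>
# Prints the block command on stdout, or fails without output.
easyrule_block_cmd() {
    is_name "$1" && is_ipv4 "$2" || return 1
    printf 'easyrule block %s %s\n' "$1" "$2"
}

# easyrule_pass_cmd <interface> <protocol> <source IP> <destination IP> [port]
# tcp and udp must carry a port; other protocols (icmp, ospf, ...) take
# none, matching the "optional if the protocol does not require a port" rule.
easyrule_pass_cmd() {
    iface=$1; proto=$2; src=$3; dst=$4; port=$5
    is_name "$iface" && is_name "$proto" || return 1
    is_ipv4 "$src" && is_ipv4 "$dst" || return 1
    case "$proto" in
        tcp|udp)
            is_port "$port" || return 1
            printf 'easyrule pass %s %s %s %s %s\n' "$iface" "$proto" "$src" "$dst" "$port"
            ;;
        *)
            [ -z "$port" ] || return 1   # a port on a port-less protocol is a mistake
            printf 'easyrule pass %s %s %s %s\n' "$iface" "$proto" "$src" "$dst"
            ;;
    esac
}

# apply_rule <command line>
# Dry-run by default; only executes when EASYRULE_APPLY=1 (hypothetical
# variable introduced by this example).
apply_rule() {
    cmd=$1
    [ -n "$cmd" ] || return 1
    if [ "${EASYRULE_APPLY:-0}" = 1 ]; then
        $cmd
    else
        printf 'dry-run: %s\n' "$cmd"
    fi
}

# Demo using the page's own example values (dry-run unless EASYRULE_APPLY=1).
apply_rule "$(easyrule_block_cmd wan 1.2.3.4)"
apply_rule "$(easyrule_pass_cmd wan tcp 1.2.3.4 192.168.0.4 80)"
apply_rule "$(easyrule_pass_cmd wan icmp 1.2.3.4 192.168.0.4)"
```

Because every validation failure returns non-zero before anything is printed, a caller that chains the builder into apply_rule gets nothing to execute on bad input instead of a half-formed rule. Splitting "build the command" from "run the command" also makes the generated lines easy to log or review before they change the ruleset.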