Using EasyRule to Add Firewall Rules¶
The EasyRule function found in the GUI and on the command line can add firewall rules quickly.
EasyRule in the GUI¶
In the pfSense® software GUI, this function is available in the Firewall Log view (Status > System Logs, Firewall tab).
The icon next to the source IP address adds a block rule for that IP address on the interface. To be more precise, it creates or adds to an alias containing IP addresses added from Easy Rule and blocks them on the selected interface.
The icon next to the destination IP address works similar to the block action, but it adds a more precise pass rule. This pass rule allows traffic on the interface but it must match the same protocol, source IP address, destination IP address, and destination port.
EasyRule in the Shell¶
The shell version of Easy Rule,
easyrule, can add a firewall rule from a
shell prompt. When the
easyrule command is run without parameters, it prints
a usage message to explain its syntax.
easyrule adds a block rule using an alias, or a precise pass rule
specifying the protocol, source, and destination, work similar to the GUI
: easyrule usage: Blocking only requires an IP to block easyrule block <interface> <source IP> Passing requires more detail, as it must be as specific as possible. The destination port is optional if the protocol does not require a port (e.g. ICMP, OSPF, etc). easyrule pass <interface> <protocol> <source IP> <destination ip> [destination port] Block example: easyrule block wan 18.104.22.168 Pass example (protocol with port): easyrule pass wan tcp 22.214.171.124 192.168.0.4 80 Pass example (protocol without port): easyrule pass wan icmp 126.96.36.199 192.168.0.4
The source code of those scripts can be adapted for adding firewall rules in other ways, but that is left as an exercise for the reader.