Monday, June 22, 2015

Using aliases pfSense to create rules for protocols with multiple port ranges

File this one under "things I wish I had known sooner".  When setting up pfSense firewall rules on an interface, you'll run into protocols which have multiple ports that are not in a contiguous range.  One example of this is the common web server (HTTP) ports of 80, 443 and 8080-8081.

This leaves you with two options.

  1. Setup multiple rules.  This is the best option because you only specify the exact ports that you want, with no extras thrown in.  The downside is that for some protocols, you will end up with multiple rules that have to be maintained.
  2. Specify a rule with a broad port range.  Which is sort of okay if you are only allowing a handful of extra ports, but it is not ideal.
Enter the concept of aliases (under the Firewall -> Aliases menu) in the pfSense web UI.  Here you can create an alias which lists out all of the ports associated with a particular protocol.

After creating the alias, you then create or edit a rule and use that alias in any fields with a red background.  Such as the destination port field.

After clicking the "Save" button, rules that are using port aliases will show up in the rule list looking like:

Needless to say, that can make your life much easier when maintaining large lists of ports as long as all of the ports in question are using the same protocols.

Mail client ports (IMAP/POP3/SMTP) are also good candidates for an alias rule.  One caution is to never allow 25/tcp to egress your network, only your mail server in the DMZ should be allowed to contact other mail servers via port 25.  Every internal client should be forced to either use tcp/465 (SMTP/SSL) or tcp/587 (SMTP Submission) or route their SMTP traffic through your mail server.

No comments: