Feature #2235
closed
Rules with destination interface
0%
Description
It would be nice if we can make rules between interfaces and/or interface groups directly.
Currently, if an internal network should access internet without accessing another internal network, we have to make two rule :
. deny <LAN1> -> <LAN2>
. permit <LAN1> -> <ANY>
Whereas if each interface is put in a dedicated interface group :
. permit <int-group_lan1> -> <int-group_internet>
This can simplify a lot the rules and avoid some potential unwanted traffic.
Currently no other distro seems to support this (no support for interface group either), I think it can be a major feature for PfSense.
Updated by Chris Buechler about 12 years ago
- Status changed from New to Closed
you can easily do that with floating rules.
Updated by David RAMEY about 12 years ago
This does not work as expected unfortunately.
I put a rule on external interface (permit lan -> any), but traffic is blocked by default deny on internal interface.
This does not simplify rules as expected.
Updated by Jim Pingle about 12 years ago
The way pf works you can't put rules on the WANs in the outbound direction that match local IPs as the source. This is because on WAN the NAT has happened by the time the rules are reached. There isn't really a way around that, so the type of syntax you're proposing wouldn't be possible except in a pure-routing scenario that had no NAT involved, and that can be covered in floating rules.
Updated by Erik Fonnesbeck about 12 years ago
Tags can be used for firewall rules to match only traffic handled by a certain NAT rule, right? Any reason this hasn't made it into any of the NAT rule pages so far?