-
Notifications
You must be signed in to change notification settings - Fork 50
pfsense_rule
Orion Poplawski edited this page Jan 1, 2024
·
11 revisions
Manage pfSense firewall rules
ADDED IN: version 0.1.0 of pfsensible.core
OPTIONS (= is mandatory):
- ackqueue
QOS acknowledge queue
default: null
type: str
- action
The action of the rule
choices: [pass, block, match, reject]
default: pass
type: str
- after
Rule to go after, or `top'
default: null
type: str
- before
Rule to go before, or `bottom'
default: null
type: str
- destination
The destination address, in
[!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE}
format.
default: null
type: str
- destination_port
Destination port or port range specification.
This can either be a alias or a port number.
An inclusive range can also be specified, using the format
`first-last'..
default: null
type: str
- direction
Direction floating rule applies to
choices: [any, in, out]
default: null
type: str
- disabled
Is the rule disabled
default: false
type: bool
- floating
Is the rule floating
default: null
type: bool
- gateway
Leave as `default' to use the system routing table or choose a
gateway to utilize policy based routing.
default: default
type: str
- icmptype
One or more of these ICMP subtypes may be specified, separated
by comma, or `any' for all of them.
The types must match ip protocol.
althost, dataconv, echorep, echoreq, fqdnrep, fqdnreq,
groupqry, grouprep, groupterm, inforep, inforeq, ipv6-here,
ipv6-where, listendone, listenrep, listqry, maskrep, maskreq,
mobredir, mobregrep, mobregreq, mtrace, mtraceresp,
neighbradv, neighbrsol, niqry, nirep, paramprob, photuris,
redir, routeradv, routersol, routrrenum, skip, squench,
timerep, timereq, timex, toobig, trace, unreach, wrurep,
wrureq
default: any
type: str
- in_queue
Limiter queue for traffic coming into the chosen interface
default: null
type: str
= interface
The interface for the rule
type: str
- ipprotocol
The IP protocol
choices: [inet, inet46, inet6]
default: inet
type: str
- log
Log packets matched by rule
default: null
type: bool
= name
The name the rule
default: null
type: str
- out_queue
Limiter queue for traffic leaving the chosen interface
default: null
type: str
- protocol
The protocol
choices: [any, tcp, udp, tcp/udp, icmp, igmp, ospf, esp, ah, gre, pim, sctp, pfsync, carp]
default: any
type: str
- queue
QOS default queue
default: null
type: str
- queue_error
Raise an error if a specified queue is missing
default: true
type: bool
- quick
Set this option to apply this action to traffic that matches
this rule immediately
default: false
type: bool
- sched
Schedule day/time when the rule must be active
default: null
type: str
- source
The source address, in
[!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE}
format.
default: null
type: str
- source_port
Source port or port range specification.
This can either be a alias or a port number.
An inclusive range can also be specified, using the format
`first-last'..
default: null
type: str
- state
State in which to leave the rule
choices: [present, absent]
default: present
type: str
- statetype
State type
choices: [keep state, sloppy state, synproxy state, none]
default: keep state
type: str
- tcpflags_any
Allow TCP packets with any flags set.
default: null
type: bool
- tracker
Rule tracking ID. Defaults to timestamp of rule creation and
not modified if not set or set to 0.
default: null
type: str
AUTHOR: Orion Poplawski (@opoplawski), Frederic Bor (@f-bor)
METADATA:
metadata_version: '1.1'
status:
- preview
supported_by: community
EXAMPLES:
- name: "Add Internal DNS out rule"
pfsense_rule:
name: 'Allow Internal DNS traffic out'
action: pass
interface: lan
ipprotocol: inet
protocol: udp
source: dns_int
destination: any
destination_port: 53
after: 'Allow proxies out'
state: present
- name: "Allow inbound port range"
pfsense_rule:
name: 'Allow inbound port range'
action: pass
interface: wan
ipprotocol: inet
protocol: tcp
source: any
destination: NET:lan
destination_port: 4000-5000
after: 'Allow Internal DNS traffic out'
state: present