Configuring Floating Rules & Aliases on pfSense Firewall


The pfSense project is a free open source customized distribution of FreeBSD tailored for use as a firewall and router entirely managed by an easy-to-use web interface. No FreeBSD knowledge is required to deploy and use pfSense software.

In this article, we'll configure Firewall Floating Rules, Aliases, and Firewall Rules (Firewall policies) as well as apply them to the LAN interface under pfSense Firewall configuration.

We've written an article that includes how to add a LAN interface that will be helpful to continue with this article.

1. Floating Rules

Floating Rules are a type of advanced rule that can perform complicated actions not possible with rules on interface or group tabs. They can act on multiple interfaces in the inbound, outbound, or both directions. The use of inbound and outbound filtering makes designing them more complex and prone to user error, therefore admins should opt for floating rules instead of regular rules.

Because protocol TCP port 1337 was flagged as a threat so, we'll close it to stop any backdoor attack.

Here, we are using the floating rule to disable the LAN and WAN interfaces from listening to port 1337 instead of configuring separate rules for each interface.

  • By default, this port is open you will allow connecting, run this command

$ telnet pfsense_IP 1337
  • Navigate to Firewall > Rules > Floating > Add

  • Action > Reject

  • Interface > ctrl key with LAN, WAN

  • Destination port > 1337

  • Log > Log Packets that are handled by this rule

  • Description

  • Save> Apply Changes

  • Try to connect to port 1337 remotely again connection 'll refused run this command

		$ telnet pfsense_IP 1337
  • To see logs navigate to Status > System logs > Firewall

  • Apply Filter with the Destination Port 1337

2. Firewall Aliases

Aliases define a group of ports, hosts, or networks. They can greatly simplify a ruleset and make it easier to understand and manage.

In this section, we'll allow only ports 80, 443, 22, 53 for TCP connection and block all other ports

  • Navigate to Firewall > Aliases > Ports > Add

  • Complete these fields' information

  • Name

  • Description

  • Type > ports

  • Ports > 80, 443, 22, 53 > Save

Add ports 53,123 for UDP connection

  • Complete these fields' information

  • Name

  • Description

  • Type > ports

  • Port > 53,123 > Save> Apply Changes

  • To apply these changes on the LAN interface, navigate to Firewall> Rules> Lan> Add

Note: pfSense Firewall performs the rules in order from top to bottom so make sure you put the rule in the correct order as you want to implement it. Also, You can drag and drop rules to modified places easily.

  • For TCP connection

  • Action > Pass

  • Protocol> TCP

  • Destination port range >"Alias name you defined " > Save

  • For UDP connection

  • Action > pass

  • Protocol>UDP

  • Destination port range >"Alias name you defined " >Save> Apply Changes

  • You must disable the rule [ Default allow LAN to any rule ] to avoid it overriding our newly configured rules.

  • Click on the corresponding check box

  • Action > Disable

  • Test any port from our alias allowed ports 80, 443, 22, 53 such as SSH Port 22 run this command

 $ ssh user@LAN_IP

Now, try to connect to any other ports except the allowed ports; your connection should be refused. to test LDAP port 389, run the command

$ telnet LAN_IP 389

3. Firewall Rules

Firewall rules control traffic passing through the firewall.

Because we configured aliases above, allowing TCP and UDP defined ports. by default, all other ports will be blocked, including ping requests. run this command

$ ping LAN_IP

Now in this section, we'll open ICMP protocol ping with 3 subtypes Echo-Request, Time Exceeded, Destination unreachable

  • Navigate to Firewall> Rules> Lan > Add>

  • Protocol: ICMP,

  • ICMP Subtypes: ctrl key with Echo Request, Time Exceeded, Destination unreachable> Save> Apply Changes

  • Test ping from the terminal run Command

	$ping LAN_IP

in News
Configuring Manual & Automated pfSense Backup and Restore